Hi, we are using Splunk for many different things, but for this question the relevant part is that we use it to get the Java server log into Splunk. Currently, whenever there's an exception we notify our entire team, however, as the team size has grown we need a smarter solution to reduce the noise in everyone's inbox.
We maintain a CSV locally that maps module name (listed in the java exceptions) to email address of the module owner. Is it possible to have Splunk continually read this mapping from some source (we can maintain it on the server itself, or in the cloud, google docs, etc) and then extract the module name from the Java exception and route the email to the correct recipient? I'm not sure how to implement this logic in Splunk so any advice that can be provided would be appreciated.
You can extract all the modules per event, expand the field with all modules, create an automatic lookup that enriches your data with the email of the owner using your CSV as the lookup file, and then use the email field as a token in the email alert action destination and alert per result.
So if you have 1 event with, say, 10 modules, you'll get 10 rows with module and email, and the alert will trigger sending one email per row.
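The search behind that approach, written out as an added example (not code from the answer above or from Splunk's documentation). It assumes a lookup table file named module_owners.csv with the columns module and email, an index and sourcetype called java_app and java_server_log, and that module names in the stack trace look like com.example.<name>; change the rex pattern to whatever your exceptions actually contain. The lookup is applied explicitly with the lookup command so the search works even before an automatic lookup is configured.

```spl
index=java_app sourcetype=java_server_log ("Exception" OR "Caused by")
| rex max_match=0 field=_raw "(?<module>com\.example\.[a-z0-9]+)"
| eval module=mvdedup(module)
| mvexpand module
| lookup module_owners.csv module OUTPUT email
| eval email=coalesce(email, "oncall@example.com")
| table _time host module email _raw
```

Save this as an alert with the trigger condition set to "For each result" and put $result.email$ in the To field of the email action (and $result.module$ in the subject, if you like); Splunk then sends one mail per row, addressed to that row's owner. The mvdedup step keeps a stack trace that mentions the same package five times from producing five identical rows, and the coalesce line is a fallback address (an assumption here) so a module missing from the CSV still reaches someone instead of producing an alert with an empty recipient. Because the CSV now decides who is told about failures, restrict write permission on the lookup file to the people who should be able to change that routing, and watch for the Splunk mvexpand memory limit (limits.conf max_mem_usage_mb) if a single event can carry hundreds of modules.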