chore: sanitize example data in docs and tests

Author: springdom

backend/integrations/email_ingest.py

@@ -18,9 +18,9 @@
     <p>Alert triggered: Production ERROR/FATAL Monitor</p>
     <table>
       <tr><th>host</th><th>source</th><th>message</th><th>_raw</th></tr>
-      <tr><td>web-01</td><td>/opt/eapservice/app/log/app.log</td>
+      <tr><td>web-01</td><td>/var/log/myapp/myapp.log</td>
           <td>ERROR</td><td>2026-02-12 04:10:57 ERROR ...</td></tr>
-      <tr><td>web-02</td><td>/opt/eapservice/app/log/app.log</td>
+      <tr><td>web-02</td><td>/var/log/myapp/myapp.log</td>
           <td>FATAL</td><td>2026-02-12 04:11:02 FATAL ...</td></tr>
     </table>
   </body>
@@ -306,7 +306,7 @@ def normalize(self, payload: dict) -> list[NormalizedAlert]:
             if not service:
                 source_path = row.get("source", "")
                 if source_path:
-                    # Extract app name from paths like /opt/eapservice/APP_NAME/log/...
+                    # Extract app name from paths like /opt/app/APP_NAME/log/...
                     match = re.search(r"/([^/]+)/logs?/", source_path)
                     if match:
                         service = match.group(1)

docs/DOCUMENTATION.md

@@ -119,7 +119,7 @@ For best results, modify your SPL query to aggregate results before sending. Thi
 Example — current email-based query:
 
 ```spl
-index=* (host="*prod*") source="/opt/eapservice/APP/log/APP.log"
+index=*
 | rex field=_raw "(?<message>ERROR|FATAL)"
 | search message="ERROR" OR message="FATAL"
 | table host, source, message, _raw
@@ -128,7 +128,7 @@ index=* (host="*prod*") source="/opt/eapservice/APP/log/APP.log"
 Recommended webhook-optimized version:
 
 ```spl
-index=* (host="*prod*") source="/opt/eapservice/APP/log/APP.log"
+index=*
 | rex field=_raw "(?<message>ERROR|FATAL)"
 | search message="ERROR" OR message="FATAL"
 | stats count as error_count
@@ -203,7 +203,7 @@ The email normalizer:
 - Extracts the alert name from the subject line (strips "Splunk Alert:" prefix)
 - Parses the HTML table into individual rows
 - Creates one alert per row, using the same field extraction as the webhook normalizer
-- If no explicit `service` field exists, derives it from the log path (e.g., `/opt/eapservice/APPNAME/log/...` → `APPNAME`)
+- If no explicit `service` field exists, derives it from the log path (e.g., `/opt/app/SERVICE_NAME/log/...` → `SERVICE_NAME`)
 - Falls back to tab-delimited or pipe-delimited plain text if no HTML table is found
 - Creates a single alert from the email body if no table is parseable
 

tests/test_email_ingest.py

@@ -7,7 +7,7 @@
     parse_plain_text_table,
 )
 
-# ─── Realistic Splunk alert email (based on user's actual query output) ───
+# ─── Realistic Splunk alert email (example format) ──────────────────
 
 SPLUNK_HTML_EMAIL = {
     "subject": "Splunk Alert: Production ERROR/FATAL Monitor",
@@ -24,22 +24,22 @@
         <th>_raw</th>
     </tr>
     <tr>
-        <td>ihub-intraprod-std-webapp-2.int.company.com</td>
-        <td>/opt/eapservice/REDACTED_2/logs/REDACTED_2.log</td>
+        <td>app-prod-web-2.internal.example.com</td>
+        <td>/opt/apps/billing-svc/logs/billing-svc.log</td>
         <td>ERROR</td>
-        <td>2026-02-12 04:10:57.489 [ajp-nio-10.0.0.2-10022-exec-2]
+        <td>2026-02-12 04:10:57.489 [http-nio-8080-exec-2]
 ERROR o.a.c.c.C - dispatcherServlet threw exception</td>
     </tr>
     <tr>
-        <td>ihub-intraprod-std-webapp-2.int.company.com</td>
-        <td>/opt/eapservice/REDACTED_2/logs/REDACTED_2.log</td>
+        <td>app-prod-web-2.internal.example.com</td>
+        <td>/opt/apps/billing-svc/logs/billing-svc.log</td>
         <td>ERROR</td>
         <td>2026-02-12 04:10:57.489 ERROR -
 Connection prematurely closed BEFORE response</td>
     </tr>
     <tr>
-        <td>ihub-intraprod-std-webapp-1.int.company.com</td>
-        <td>/opt/eapservice/REDACTED_1/log/REDACTED_1.log</td>
+        <td>app-prod-web-1.internal.example.com</td>
+        <td>/opt/apps/order-svc/log/order-svc.log</td>
         <td>FATAL</td>
         <td>2026-02-12 04:12:00.000 FATAL OutOfMemoryError: Java heap space</td>
     </tr>
@@ -48,8 +48,8 @@
     </html>
     """,
     "body_text": "",
-    "from": "splunk@company.com",
-    "to": "it-alerts@company.com",
+    "from": "splunk@example.com",
+    "to": "alerts@example.com",
 }
 
 # Aggregated query results (what the recommended SPL produces)
@@ -62,31 +62,31 @@
     <tr><th>source</th><th>message</th><th>error_count</th><th>affected_hosts</th>
         <th>host</th><th>severity</th><th>service</th><th>latest_error</th></tr>
     <tr>
-        <td>/opt/eapservice/REDACTED_2/logs/REDACTED_2.log</td>
+        <td>/opt/apps/billing-svc/logs/billing-svc.log</td>
         <td>ERROR</td>
         <td>27</td>
         <td>2</td>
-        <td>ihub-intraprod-std-webapp-2.int.company.com</td>
+        <td>app-prod-web-2.internal.example.com</td>
         <td>high</td>
-        <td>REDACTED_2</td>
+        <td>billing-svc</td>
         <td>Connection prematurely closed BEFORE response</td>
     </tr>
     <tr>
-        <td>/opt/eapservice/REDACTED_1/log/REDACTED_1.log</td>
+        <td>/opt/apps/order-svc/log/order-svc.log</td>
         <td>FATAL</td>
         <td>3</td>
         <td>1</td>
-        <td>ihub-intraprod-std-webapp-1.int.company.com</td>
+        <td>app-prod-web-1.internal.example.com</td>
         <td>critical</td>
-        <td>REDACTED_1</td>
+        <td>order-svc</td>
         <td>FATAL OutOfMemoryError: Java heap space</td>
     </tr>
     </table>
     </body>
     </html>
     """,
-    "from": "splunk@company.com",
-    "to": "it-alerts@company.com",
+    "from": "splunk@example.com",
+    "to": "alerts@example.com",
 }
 
 PLAIN_TEXT_EMAIL = {
@@ -96,15 +96,15 @@
         "db-01\t/var/log/syslog\tDisk 95% full\n"
         "db-02\t/var/log/syslog\tDisk 88% full"
     ),
-    "from": "splunk@company.com",
-    "to": "alerts@company.com",
+    "from": "splunk@example.com",
+    "to": "alerts@example.com",
 }
 
 MINIMAL_EMAIL = {
     "subject": "Splunk Alert: Something Happened",
     "body_text": "An alert was triggered but no table data is available.",
-    "from": "splunk@company.com",
-    "to": "alerts@company.com",
+    "from": "splunk@example.com",
+    "to": "alerts@example.com",
 }
 
 
@@ -229,7 +229,7 @@ def test_invalid_no_body(self):
 
 class TestEmailNormalization:
     def test_html_email_produces_multiple_alerts(self):
-        """Your actual Splunk email format with 3 result rows."""
+        """Splunk email format with 3 result rows."""
         n = EmailNormalizer()
         alerts = n.normalize(SPLUNK_HTML_EMAIL)
 
@@ -246,17 +246,17 @@ def test_html_email_extracts_hosts(self):
         alerts = n.normalize(SPLUNK_HTML_EMAIL)
 
         hosts = [a.host for a in alerts]
-        assert "ihub-intraprod-std-webapp-2.int.company.com" in hosts
-        assert "ihub-intraprod-std-webapp-1.int.company.com" in hosts
+        assert "app-prod-web-2.internal.example.com" in hosts
+        assert "app-prod-web-1.internal.example.com" in hosts
 
     def test_html_email_extracts_service_from_path(self):
         """Service should be derived from the log path."""
         n = EmailNormalizer()
         alerts = n.normalize(SPLUNK_HTML_EMAIL)
 
         services = [a.service for a in alerts]
-        assert "REDACTED_2" in services
-        assert "REDACTED_1" in services
+        assert "billing-svc" in services
+        assert "order-svc" in services
 
     def test_html_email_description_from_raw(self):
         """When no 'message' description field, _raw should be used."""
@@ -277,13 +277,13 @@ def test_aggregated_email_uses_explicit_fields(self):
         # First row: high severity
         a1 = alerts[0]
         assert a1.severity == "high"
-        assert a1.service == "REDACTED_2"
-        assert a1.host == "ihub-intraprod-std-webapp-2.int.company.com"
+        assert a1.service == "billing-svc"
+        assert a1.host == "app-prod-web-2.internal.example.com"
 
         # Second row: critical severity
         a2 = alerts[1]
         assert a2.severity == "critical"
-        assert a2.service == "REDACTED_1"
+        assert a2.service == "order-svc"
         assert "OutOfMemoryError" in a2.description
 
     def test_plain_text_email(self):
@@ -308,7 +308,7 @@ def test_labels_contain_email_metadata(self):
         alerts = n.normalize(SPLUNK_HTML_EMAIL)
 
         for a in alerts:
-            assert a.labels["splunk_email_from"] == "splunk@company.com"
+            assert a.labels["splunk_email_from"] == "splunk@example.com"
             assert a.labels["splunk_search_name"] == "Production ERROR/FATAL Monitor"
 
     def test_internal_fields_excluded_from_labels(self):
@@ -328,18 +328,18 @@ def test_same_service_same_incident(self):
         n = EmailNormalizer()
         alerts = n.normalize(SPLUNK_HTML_EMAIL)
 
-        # First two alerts are from REDACTED_2 — same service
-        assert alerts[0].service == "REDACTED_2"
-        assert alerts[1].service == "REDACTED_2"
-        # Third alert is from REDACTED_1 — different service
-        assert alerts[2].service == "REDACTED_1"
+        # First two alerts are from billing-svc — same service
+        assert alerts[0].service == "billing-svc"
+        assert alerts[1].service == "billing-svc"
+        # Third alert is from order-svc — different service
+        assert alerts[2].service == "order-svc"
 
     def test_different_hosts_same_service(self):
         """Different hosts with same service should still correlate."""
         n = EmailNormalizer()
         alerts = n.normalize(SPLUNK_HTML_EMAIL)
 
-        # Both from REDACTED_2 on the same host — will dedup
+        # Both from billing-svc on the same host — will dedup
         assert alerts[0].host == alerts[1].host
-        # REDACTED_1 on different host — separate alert, same incident
+        # order-svc on different host — separate alert, same incident
         assert alerts[2].host != alerts[0].host