I would like to know if it is possible to add the source of an event to the subject of an email alert notification.
I’ve looked into the variables:
${event.source} : Displays the name of the Graylog server itself
${message.source} : Gives no result (in the body or the subject).
I see we have the ability to add Custom Fields with version 3.1.1, but I was only able to find brief documentation about this functionality.
I’m not the first one with this question, but the other thread is closed without any replies:
I do not believe it’s possible to put the message source into the subject line of the alert; however, you will be able to put that information into the body of the email.
It works. If you want the source field in the subject, you need to use ${message.source}:
${foreach backlog message}${message.source}${end}
If you want to use a user field (for example: src_ip), use ${message.fields.src_ip} as @tmacgbay suggested:
${foreach backlog message}${message.fields.src_ip}${end}
For example, I use this subject after somebody connects to a switch:
User ${foreach backlog message}${message.fields.username}${end} connected to switch ${foreach backlog message}${message.source}${end} from IP ${foreach backlog message}${message.fields.src_ip}${end}
If it didn’t work for you, check if you have set up Message backlog to 1 on the Notification tab of your Event Definition.