Alerting custom fields

asc-clo · January 8, 2025, 8:41am

Im trying to add a custom field to my event/alert

I added the template ${source.source_ip}
but it´s just empty, also I’m trying to add a link to the message where I need the index name that should be ${index} right? that is also not working.

Arie · January 8, 2025, 12:51pm

Is key should be Yes in the alert definition.

asc-clo · January 8, 2025, 1:13pm

I also tried that, the result the same:

Arie · January 8, 2025, 1:16pm

Is the alert/event present within the timerange of the event definition in Filter & Aggregation?

asc-clo · January 8, 2025, 1:17pm

yes as you see here, there is plenty of alerts

Arie · January 8, 2025, 1:48pm

Okay, looks all as it should be. Guess when the replay search button is hit, the messages appear in graylog search.

Is it that you do nog get the field in your email alert message?

asc-clo · January 8, 2025, 2:45pm

Yea the alerting part works fine see here:

Arie · January 9, 2025, 7:53am

Could you try it with another fieldname without an underscore in it. Could be that it fails on that.

asc-clo · January 9, 2025, 8:12am

I found out if I change it to ${soruce}

I get this:

and now I’m able to grab ${source.source}

but how can I get more keys?

Arie · January 9, 2025, 1:57pm

My guess is that it fails on the underscore if source.source works.

You could file a bug at their github space for this.

Topic		Replies	Views
How to define custom field on Event Definition Graylog Central (peer support)	5	8600	June 17, 2020
Events and custom fields Graylog Central (peer support)	13	7709	September 28, 2021
Event Definitions Setup Help Graylog Central (peer support)	4	325	May 11, 2023
Email notification not pulling additional message field Graylog Central (peer support) alert	6	83	June 6, 2024
Not able to add custom field in events generated from the event definition Graylog Central (peer support)	2	1437	September 30, 2019

Alerting custom fields

Related topics