Derive Notification recipient from message field

Dears,

I would lilke to inform several admin groups by email notification about specific events that arrive in a specific stream. Either Alert and Event can be identical for all events and admin groups. Unfortunately, I have to create Notifications separately, one for each email recipient, although the whole content can be derived from the event fields. In other words: All Notifications are of identical content except the email recipient address. Is it somehow possible to derive a notification’s email recipient from a message/event field or is it something to put on a wish list for upcoming releases? :slight_smile:

Many thanks,
Elix

Hello && Welcome @Elix

First could you tell us more about you setup and /or environment?

Could you explain in greater detail about this, I’ll be honest maybe I’m just tired but I’m confuse.
You need am email to separate Admin accounts from one notification?

Hi gsmith,

thank you for taking care of this issue. It’s simple, maybe my wording was unclear. I have some servers running in different sites sending messages to a central Graylog instance. In case of specific messages arrive, I want to trigger a notification which is being sent to the according site admins. Either server names and email addresses of the site admin groups contain the site name, so it’s easy to generate the email address of the site admins from the server name that caused an alert using a pipeline rule putting the email address into some message field. My question is just, if it’s possible in a Notification to fetch the email recipient from a message field. If possible, I have to create just one Notification, otherwise, I have to create one Notification per site.

For your overview:

Messages from server in different sites arrive Graylog server → pipeline rule extract site name from source server name → pipeline rule creates site email address from site name and set it to some field → message put into Stream

Event Filter searches Stream for messages causing alerts → Event triggers Notification → Notification is sent to email recipient that is fetched from message field

Many thanks,
Elix

I did some testing and tried to throw a variable in the alert “to address” but no-go. You likely tried too. There is a feature request out there form a while back that you can post to so as to increase interest in the change: Use extracted field (username) in email address for alerts notification · Issue #6533 · Graylog2/graylog2-server · GitHub

2 Likes

Hi tmacgbay,

many thanks for testing and confirmation that it’s currently not possible. I’m going to post in the thread you mentioned, thanks for the link too!

BR,
Elix

Was thinking about this a little more this morning - if you have the Enterprise License - which is Free if you can keep daily logs below 5G - You can have an alert that fires off a script that will have access to the fields you want. If you do go down that route, you could post up your script for others to use here. :smiley:

Indeed I’ve a free Enterprise license and also though about narrow it down by using a script too. Currently I tend not to go this way because I prefer to keep everything within one system. When using a script I have to think about how to make sure emails are really being sent out and several other things. So for now, I’ll go the way to implement alerts and notifications per site.
Nonetheless, thank you for your idea! :slight_smile:

Oh man… I must be getting old… I recalled just now that I answered a similar question a while back and they posted the script they were using!! Here it is… might give you a boot enough to get through it!!

Revised my yesterday’s decision. Will do it with a python3 script, which I’m going to publish in the thread you suggested.

BR,
Elix

2 Likes

Nah, I forgot also since I was helping with that, Or maybe your right, wee just get old :laughing:

1 Like

If you are using the Free Version of Graylog, and you are not “script friendly” or you are not a good developer (like me), other option is to send the alert to a Webhook Destination, and use something similar to automation tools like Shuffle or n8n, to receive the alert, and based on a specific field, send an email to the corresponding team.

3 Likes

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.