Events using aggregation group by field removes data from notification

gsmith · March 27, 2024, 9:39pm

This is not a bug, its about understanding the concept of Graylogs Email Template.

I think you are almost there, maybe I can explain it better.

In the Email Template you would have sections.

Event Section

If you look closely you’ll notice the macro’s used to get the BASIC information from your Event Definition.

--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}

Message Fields Section

This section is probably what you want to configure. This will add or subtract the information you want when you send a notification. I believe this already works for you since you posted this above.

Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
Messages:            ${foreach backlog message}
TargetUserName:      ${message.fields.TargetUserName}
WorkstationName:     ${message.fields.WorkstationName}
EventReceivedTime:   ${message.fields.EventReceivedTime}
Source:              ${message.fields.source}
${end}
${end}

Results:
If you put them together it should look like this. Noticed the macro’s used in each section.

-- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
Messages:           ${foreach backlog message}
TargetUserName:     ${message.fields.TargetUserName}
WorkstationName:    ${message.fields.WorkstationName}
EventReceivedTime:  ${message.fields.EventReceivedTime}
Source:             ${message.fields.source}
${end}
${end}

In this forum there are hundreds of post about email template and really good examples, for instance this one.

Hope that helps

Topic		Replies	Views
Events using aggregation of a threshold as a trigger missing event fields data in Notification? Graylog Central (peer support)	2	141	July 12, 2023
Graylog 3.1 Alert Notification using Event Definition with Aggregation Graylog Central (peer support)	15	2503	January 5, 2020
Custom fields in Event Definition Graylog Central (peer support)	2	1704	March 3, 2021
ALERT Event Group By with multiple fields and email backlog Graylog Central (peer support)	3	1736	May 30, 2021
Alert and events systems from v 3.1 Graylog Central (peer support)	5	999	September 10, 2019

Events using aggregation group by field removes data from notification

Related Topics