Events using aggregation group by field removes data from notification

gsmith · March 27, 2024, 9:39pm

This is not a bug, its about understanding the concept of Graylogs Email Template.

I think you are almost there, maybe I can explain it better.

In the Email Template you would have sections.

Event Section

If you look closely you’ll notice the macro’s used to get the BASIC information from your Event Definition.

--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}

Message Fields Section

This section is probably what you want to configure. This will add or subtract the information you want when you send a notification. I believe this already works for you since you posted this above.

Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
Messages:            ${foreach backlog message}
TargetUserName:      ${message.fields.TargetUserName}
WorkstationName:     ${message.fields.WorkstationName}
EventReceivedTime:   ${message.fields.EventReceivedTime}
Source:              ${message.fields.source}
${end}
${end}

Results:
If you put them together it should look like this. Noticed the macro’s used in each section.

-- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
Messages:           ${foreach backlog message}
TargetUserName:     ${message.fields.TargetUserName}
WorkstationName:    ${message.fields.WorkstationName}
EventReceivedTime:  ${message.fields.EventReceivedTime}
Source:             ${message.fields.source}
${end}
${end}

In this forum there are hundreds of post about email template and really good examples, for instance this one.

Hope that helps

Topic		Replies	Views
Events using aggregation of a threshold as a trigger missing event fields data in Notification? Graylog Central (peer support)	2	205	July 12, 2023
Graylog 3.1 Alert Notification using Event Definition with Aggregation Graylog Central (peer support)	15	2849	January 5, 2020
Custom fields in Event Definition Graylog Central (peer support)	2	1804	March 3, 2021
ALERT Event Group By with multiple fields and email backlog Graylog Central (peer support)	3	1982	May 30, 2021
Obtaining an aggregate rule field value in notification message Graylog Central (peer support)	2	414	August 29, 2018

Events using aggregation group by field removes data from notification

Related topics