Events using aggregation group by field removes data from notification

Hey @SalC

You need to separate EVENT and Message Fields.

If you want to extract a field from your message, you need to add the following under the Fields section. SOMEFIELD needs to match the field in the message you are trying to get. EVENTs are another entity.

Example:

SomeName: ${message.fields.SOMEFIELD}

Here is an example from the post I linked above.

This is just an example; you need to modify it for your environment.

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp_processing}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
Messages: ${foreach backlog message}
TargetUserName: ${message.fields.TargetUserName}
WorkstationName: ${message.fields.WorkstationName}
EventReceivedTime: ${message.fields.EventReceivedTime}
Source: ${message.fields.source}
${end}
${end}

EDIT: Here is another example I made a while back.
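The following is an added example and is not part of the post above, nor Graylog's own template engine (Graylog renders notification bodies with JMTE). It is a small Python re-implementation of just the `${path}`, `${foreach ...}` and `${if ...}` constructs used in the template, run over a constructed payload (no real Graylog output) that mirrors the point made in the reply: for an aggregation grouped by TargetUserName, only the group-by key is copied into `event.fields`, while WorkstationName and friends exist only on the backlog messages. Rendering `${event.fields.WorkstationName}` therefore yields an empty string, whereas `${message.fields.WorkstationName}` inside `${foreach backlog message}` works.

```python
import re

# Constructed sample notification payload (not captured from a real Graylog
# instance). An aggregation event grouped by TargetUserName carries only that
# group-by key in event.fields; the full log fields live on the backlog messages.
SAMPLE_PAYLOAD = {
    "event_definition_title": "Failed logons per user",
    "event": {
        "message": "Failed logons per user: count()=2",
        "source": "graylog",
        "timestamp": "2024-01-01T00:00:00.000Z",
        "fields": {"TargetUserName": "alice"},
    },
    "backlog": [
        {"fields": {"TargetUserName": "alice", "WorkstationName": "WS01",
                    "EventReceivedTime": "2024-01-01 00:00:01"}},
        {"fields": {"TargetUserName": "alice", "WorkstationName": "WS02",
                    "EventReceivedTime": "2024-01-01 00:00:05"}},
    ],
}

# Hypothetical template using the same constructs as the one in the post.
TEMPLATE = """Title: ${event_definition_title}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}${if backlog}Backlog:
${foreach backlog message}  TargetUserName: ${message.fields.TargetUserName} WorkstationName: ${message.fields.WorkstationName}
${end}${end}"""

DIRECTIVE = re.compile(r"\$\{(.*?)\}")


def lookup(ctx, path):
    """Resolve a dotted path such as event.fields.TargetUserName; missing -> ''."""
    cur = ctx
    for part in path.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
        if cur is None:
            return ""
    return cur


def _render(parts, i, ctx):
    """Render parts[i:] up to the matching ${end}; return (text, next index).

    parts comes from DIRECTIVE.split(), so even indices are literal text and
    odd indices are the directive bodies.
    """
    out = []
    while i < len(parts):
        if i % 2 == 0:                      # literal text between directives
            out.append(parts[i])
            i += 1
            continue
        d = parts[i].strip()
        if d == "end":
            return "".join(out), i + 1
        if d.startswith("foreach "):
            _, coll, var = d.split()
            items = lookup(ctx, coll) or []
            if isinstance(items, dict):     # iterate a map as key/value pairs
                items = [{"key": k, "value": v} for k, v in items.items()]
            body = i + 1
            end = body
            for item in items:
                text, end = _render(parts, body, {**ctx, var: item})
                out.append(text)
            if not items:                   # still need to skip over the body
                _, end = _render(parts, body, ctx)
            i = end
            continue
        if d.startswith("if "):
            text, end = _render(parts, i + 1, ctx)
            if lookup(ctx, d[3:].strip()):  # empty string / empty list -> false
                out.append(text)
            i = end
            continue
        out.append(str(lookup(ctx, d)))     # plain ${a.b.c} substitution
        i += 1
    return "".join(out), i


def render(template, ctx):
    return _render(DIRECTIVE.split(template), 0, ctx)[0]


def render_notification():
    return render(TEMPLATE, SAMPLE_PAYLOAD)


if __name__ == "__main__":
    print(render_notification())
    # Only the group-by key was copied onto the event, so this is empty:
    print(repr(render("${event.fields.WorkstationName}", SAMPLE_PAYLOAD)))  # ''
```

Swap in a payload exported from your own notification (or adjust the constructed one) to check which fields a template will actually see on the event versus on each backlog message before editing the template in Graylog.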