Hi all,
i can’t undestand how to call an extractor variable inside the body of email notifications.
In legacy alarm callbacks i use for example ${message.fields.from} but in new configuration which is the right syntax?
thanks
Hello, syntax is the same also in latest version 3.1
Check if you setup correctly Message Backlog parameter in Alerts - Event Definitions - Edit - tab Notification, check field Message Backlog and set to 1. It’s a number of messages to be included in Notification, if 0 no field will be extracted in message.
I use for example this snippet after user connect to switch:
${if backlog}
${foreach backlog message}
User ${message.fields.username} connected to switch ${message.source} from IP ${message.fields.src_ip}
${end}
${end}
You can use same syntax also in Subject field, for example I use:
Graylog event notification: ${event_definition_title} to switch ${foreach backlog message}${message.source}${end} from IP ${foreach backlog message}${message.fields.src_ip}${end}
1 Like
perfect resolved
thank you very much 
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.