Extractors value in body of notifications

Hello, the syntax is the same in the latest version 3.1 as well.

Check that you have set up the Message Backlog parameter correctly: in Alerts - Event Definitions - Edit - tab Notification, check the Message Backlog field and set it to 1. It is the number of messages to be included in the notification; if it is 0, no fields will be extracted into the message.

For example, I use this snippet after a user connects to a switch:

${if backlog}
${foreach backlog message}
    User ${message.fields.username} connected to switch ${message.source} from IP ${message.fields.src_ip}
${end}
${end}

You can use the same syntax in the Subject field as well; for example, I use:

Graylog event notification: ${event_definition_title} to switch ${foreach backlog message}${message.source}${end} from IP ${foreach backlog message}${message.fields.src_ip}${end}
