Help using extracted fields in event definitions as custom field

Graylog Central (peer support)
1

Hello there, I have recently set up some extractors against a Syslog input, and I would like to use those extractions as custom fields in my event definition but can’t work out how to do it, or find on information on how to unless I’m just reading into it wrong.

My extractor creates a field called “IP_Address”. This works as expected.

1253×497 36.5 KB


What I want to do now is get that in an event definition so it comes up in the email / webhook alerts. Here is the template I’m using at the moment:
image
image1878×101 5.01 KB

I’ve also tried ${source.IP_Address), ${IP_Address} and some others without the dollar sign and open curly bracket which just created static entries as expected.

How can I get my extracted field in the event definition as a custom field?

2

What kind of event are you doing. Aggregation events have some funny behaviors on custom fields.

3

Hi Joel, here’s a screenshot of the definition - is this what you wanted to see?
-Brett

image
image3217×1126 207 KB

4

When your event mat matches do you see the custom field in the event/alert page?

5

Hi,

We do this in the fields part in the event defenition.

in your case hostname should be IP_Address

afbeelding
afbeelding1638×741 31.9 KB

6

I do see the field @Joel_Duffield

image
image838×183 6.69 KB

7

@Arie I had tried that previously, did change it back to that just now with no luck I’m afraid.

image
image1261×99 3.91 KB

869×451 10.8 KB

8

What is it what you see in this configuration when you click on/out more details under IP_Addres
in the summary page, when configured as desired.

Is IP_Addres the correct statement, for as I see it [ip_addr] is in one of your screenshots.

In our setup we see this:

afbeelding
afbeelding706×280 5.22 KB

9

It’s a little confusing but the [ip_addr] string you see forms part of the message. So in raw format it looks like

Apr 17 17:30:29 np-it02 phpipam-changelog[545596]: changelog | | ip_addr | 526 | add | 2024-04-17 07:30:29 | details: ,[subnetId]: 172.16.2.0/24 [Corporate] (id 9),[ip_addr]: 172.16.2.231

I’m extracting after the nth comma to grab the entire [ip_addr]: 172.16.2.231 string.
The extraction of that string (including [ip_addr] goes to the IP_Address field screenshotted above.

Hopefully that makes sense.

10

Any other suggestions or do I need to continue experimenting at this point?