How to customize my backlog message?

Hello && Welcome @ericwu

To remove the backlog messages, it will be this section. This can all be done on the Notification Template.

${message}

From here

${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}

If you’re only using the Body Template, and depending on what fields are generated, the configuration could look something like this. I have modified it to only grab the fields I wanted to see.

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Stream URL:           ${event.stream_name}
${if stream_url}Stream URL: ${stream_url}${end}

${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
User:             ${message.fields.TargetUserName}
WorkStation Name: ${message.fields.WorkstationName}
Event Time:       ${message.fields.EventReceivedTime}
Source:           ${message.source}
Logon Type:       ${message.fields.LogonType}
---[backlog end]---------------------------------
${end}
${end}

The gl2_* can be used. I’m not sure if you have those other ones; if not, you may need to create them (extractors/pipelines) or use a different format (i.e. GELF).
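
An added example (not from the original post or from Graylog): a small Python linter for a Body Template like the ones above. It checks that every `${if}`/`${foreach}` is closed by an `${end}` and that custom fields inside a backlog loop are read through `message.fields`. The built-in attribute list is an assumption, and the sample template is constructed for illustration.

```python
import re

# Attributes assumed to exist directly on a backlog message; any other
# field (TargetUserName, LogonType, ...) is expected under message.fields.
BUILTIN = {"id", "index", "source", "message", "timestamp", "stream_ids", "fields"}
TOKEN = re.compile(r"\$\{([^}]*)\}")


def lint_template(template):
    """Return [(line_no, problem), ...] for a ${...}-style body template."""
    problems = []
    stack = []  # open blocks as (backlog_loop_var_or_None, line_no)
    for no, line in enumerate(template.splitlines(), 1):
        for expr in TOKEN.findall(line):
            parts = expr.split()
            if not parts or parts[0] == "else":
                continue
            head = parts[0]
            if head == "foreach":
                # Remember the loop variable only when iterating the backlog.
                is_backlog = len(parts) >= 3 and parts[1] == "backlog"
                stack.append((parts[2] if is_backlog else None, no))
            elif head == "if":
                stack.append((None, no))
            elif head == "end":
                if stack:
                    stack.pop()
                else:
                    problems.append((no, "${end} without an open block"))
            else:
                root, _, rest = head.partition(".")
                attr = rest.split(".")[0]
                in_loop = any(var == root for var, _ in stack)
                if attr and attr not in BUILTIN and in_loop:
                    fix = f"${{{root}.fields.{rest}}}"
                    problems.append((no, f"${{{head}}} should be {fix}"))
    for _, no in stack:
        problems.append((no, "block opened here is never closed with ${end}"))
    return problems


# Constructed sample: one mis-referenced field and one unclosed ${if}.
SAMPLE = """\
${if backlog}
${foreach backlog message}
User:       ${message.fields.TargetUserName}
Source:     ${message.source}
Logon Type: ${message.LogonType}
${end}
"""
```

Running `lint_template` on a template before saving it catches fields that would otherwise render empty in the alert, such as a missing logon type in a Windows logon notification.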