How to loop out src and dst in email notifications


1. Describe your incident:
Prerequisites:
1. Aggregation → Group by Field(s): src
2. Message Backlog: 50
3. Search Query: dpt:137 AND act:deny AND src:(10.240.150.55 OR 10.240.174.24 OR 10.240.150.13)
4. Notifications → Body Template:
${if backlog}
— [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
SourceAddress: ${message.fields.src}
DestinationIP: ${message.fields.dst}
Port: ${message.fields.dpt}
${end}
${end}
My problem is that the Backlog section of the received notification email contains the information of other source addresses as well (which also meet the search criteria), but I only want the information of the src that issued the warning.
What are some ways to solve this problem?

Hey @yangkun.li

You can use the Search Query in the alert/Event Definition.

The second option would be to filter out the logs/messages that contain the information of the src that issued the warning, then route them to another stream. Attach your new stream to the Event Definition and enable "Aggregation of results reaches a threshold"; this will allow you to create events for the definition with something like if count() > 0, and it should alert you as soon as that log/message hits the stream.

The third option would be to use a pipeline and filter out what you need to be alerted on.
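To make the difference between the two backlogs concrete, here is an added example (plain Python, not Graylog code and not from either poster). It applies the thread's search query to a few constructed key=value firewall lines, groups the hits by src, and keeps a bounded backlog per src, which is the result the per-src stream or pipeline approach above is meant to achieve. The field names src, dst, dpt and act come from the thread; the sample log lines, their layout and the helper names are assumptions.

```python
"""Per-source backlog for a grouped alert (added example, not Graylog code)."""
from collections import defaultdict, deque

# The src list from the thread's search query.
WATCHED_SRC = {"10.240.150.55", "10.240.174.24", "10.240.150.13"}
BACKLOG_SIZE = 50  # "Message Backlog: 50" in the event definition

# Constructed sample log lines in a simple key=value layout (not real traffic).
SAMPLE_LOGS = [
    "ts=1 src=10.240.150.55 dst=10.240.1.9 dpt=137 act=deny",
    "ts=2 src=10.240.174.24 dst=10.240.1.9 dpt=137 act=deny",
    "ts=3 src=10.240.150.55 dst=10.240.2.7 dpt=137 act=deny",
    "ts=4 src=10.240.150.13 dst=10.240.1.9 dpt=137 act=allow",  # wrong action
    "ts=5 src=10.240.150.99 dst=10.240.1.9 dpt=137 act=deny",   # src not watched
    "ts=6 src=10.240.150.13 dst=10.240.3.3 dpt=138 act=deny",   # wrong port
    "ts=7 src=10.240.150.13 dst=10.240.3.3 dpt=137 act=deny",
]


def parse(line):
    """Split one key=value log line into a dict of string fields."""
    return dict(tok.split("=", 1) for tok in line.split())


def matches_search(msg):
    """The event definition's query:
    dpt:137 AND act:deny AND src:(10.240.150.55 OR 10.240.174.24 OR 10.240.150.13)
    """
    return (msg.get("dpt") == "137"
            and msg.get("act") == "deny"
            and msg.get("src") in WATCHED_SRC)


def shared_backlog(lines, size=BACKLOG_SIZE):
    """What the thread's notification shows today: the last `size` messages
    matching the query, regardless of which src triggered the event."""
    hits = [m for m in map(parse, lines) if matches_search(m)]
    return hits[-size:]


def per_source_backlogs(lines, group_field="src", size=BACKLOG_SIZE):
    """Group the hits by `group_field` and keep a bounded backlog per group,
    so the notification for one src renders only that src's messages."""
    backlogs = defaultdict(lambda: deque(maxlen=size))
    for msg in map(parse, lines):
        if matches_search(msg):
            backlogs[msg[group_field]].append(msg)
    return {key: list(queue) for key, queue in backlogs.items()}


def render(src, backlog):
    """Render the body the way the thread's template does, one src at a time."""
    out = ["--- [Backlog] ---", f"Last messages accounting for this alert ({src}):"]
    for m in backlog:
        out.append(f"SourceAddress: {m['src']}")
        out.append(f"DestinationIP: {m['dst']}")
        out.append(f"Port: {m['dpt']}")
    return "\n".join(out)


if __name__ == "__main__":
    mixed = sorted({m["src"] for m in shared_backlog(SAMPLE_LOGS)})
    print("sources mixed into one shared backlog:", mixed)
    for src, backlog in per_source_backlogs(SAMPLE_LOGS).items():
        print(render(src, backlog))
        print()
```

Running it shows the shared backlog carrying all three watched sources, while each per-src backlog only contains the lines for that src; the lines with the wrong action, wrong port or an unwatched src are dropped by the query filter in both cases, exactly as the event definition's search query would drop them.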
