Hello,
I’m super new to Graylog, but I can’t seem to find a solution.
We want to trigger Oxidized to take a new backup when a certain syslog hits Graylog. The URL to trigger Oxidized is:
http://oxidized.domain.com/node/next/HOSTNAME
I can get the hostname from the syslog entry, but I can’t for the life of me add the hostname to the URL in a custom HTTP Notification.
I’ve tried ${message.cli_hostname} (cli_hostname) is the field in the message.
Tried ${source.cli_hostname}
I also tried creating a field in the Event configuration named CLI_Hostname and tried extracting those two fields. Nothing worked. Oxidized see’s the literal text, instead of the hostname.
Here’s the URL in the Notification:
http://oxidized.domain.com:8888/node/next/${CLI_Hostname}
Here’s the error from Oxidized:
2024-12-04 21:20:22 - Oxidized::NodeNotFound - unable to find ‘${CLI_Hostname}’:
Is there a way to pass a field into a URL in a custom HTTP Notification?
We’re running Graylog 6.1.3 in Docker.
Thanks
Tyler
your custom fields in the event need to be read from the message using the format ${source.field_name} , then to use that in a notification you need to use the format ${event.fields.custom_field_name}
Hi Joel,
For some reason that didn’t seem to work. Am I capturing the field correctly in the event?
Here’s the updated error in Oxidized:
> 2024-12-05 16:20:14 - Oxidized::NodeNotFound - unable to find '${event.fields.CLI_Hostname}':
It looks like the field is getting populated properly, but the notification doesn’t use the value in the URL.
My notification URL is now:
http://oxidized.domain.com:8888/node/next/${event.fields.CLI_Hostname}
Tyler
My first guess it uppercase lowercase in your setup, i think it matters.
Wait nevermind, thats not it, let me look again.
Thank you for your help! Yes, it’s still not working. Are variables able to be used in the URL on an HTTP notification?
I changed the event field to “devicename”. All lowercase and removed the underscore.
Still no go:
2024-12-05 17:03:15 - Oxidized::NodeNotFound - unable to find ‘${event.fields.devicename}’:
Are you using the classic “http notification” or the new “custom http notification”?
The Custom HTTP notification because I need to do a GET on that URL instead of a POST.
I dont think that the url field goes through the template engine, so variables only work in the body unfortunatly.
furgussen
(Tyler)
December 6, 2024, 5:09pm
11
Darn. Well thank you for investigating and letting me know!
Cheers
system
(system)
Closed
December 20, 2024, 5:09pm
12
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.