Including only the full log message in a Slack notification with permalink

Graylog Central (peer support)
, ,
1

Graylog v3.1.4 on Centos.
Logs (our own log data) from NXLog/GELF on Windows
graylog-plugin-slack-3.1.0-1.noarch.rpm

I’m trying to get only the log-line displayed in the slack notification. I can only achieve this in the backlog using ${message.message}. I need to get the notification immediately (I may misunderstand the way the backlog works though… :smile: )

There also appears to be a limit of 64 chars for the log-line message, even in the dashboard - I can’t believe this, what am I missing?

Finally, I’d like the slack notification to include a permalink to the item. All I can find in Google is that it wasn’t possible 2 yrs ago! Has this changed?

2

Hi @martinm

AFAIK, permalinks still cannot be included in notifications in the same manner as other message items ($message.message, etc)

There is a work around in this github issue that might work for you though:

3

Thanks Jesse, that looks good. However, I can’t figure out what the backlog actually is! (can’t find any documentation). I’m after the simple situation of

  1. Input received that matches the event definition
  2. (Slack) notification sent which I think must include backlog message to get the full message contents.

I have yet to find a config that does this, I’m sure it’s possible as it’s the basic scenario really. I’m getting notifications with no backlog.

4

Check the ‘Email Notification’ section of the Graylog documentation:
https://docs.graylog.org/en/3.1/pages/streams/alerts.html#email-alert-notification

image
image1152×536 53.8 KB

If you are getting notifications sent with no messages in the backlog, check your event definitions. Have you actually included any message backlog?

5

Cheers, I’ve read that, but can’t find a simple description of what the backlog actually is!

I’ve got Message Backlog = 1 and enabled in the Event Definition notification settings.

6

Not sure how much more simpler the documentation can get on that…

image
image759×98 6.28 KB

In your original message you stated that you’re using the backlog to include ${message.message} in your notification so, I am not sure what the issue is now?

If you could provide more info, that’d be great - Alert definition and notification configurations (Private info redacted, ofc.)

7

Sorry, not explaining myself very well… What defines when a single message is sent and when multiple messages are sent in one go - does a backlog require more than one message, or can it include just one - which is what I’m after - in which case how can I get an empty backlog?

8

Are the alert defs/notify configs available in text anywhere?

9

The backlog and grace period for your alerts are configured in your alert definition.

If you do not want a backlog, don’t enable it.
If you want a single message in the backlog, enable it and set it to 1.
If you want multiple messages, enable backlog and specify however many you want.

The same principle applies to the grace period.

Alert definitions and notifications are stored within MongoDB, using the web interface is the best (and only supported) method for configuring the alerts. (Excluding interacting with the API directly!)

10

Take this event definition as an example:
image

The above alert notification has no grace period so, every time a message matches the criteria, an alert should be triggered.
The backlog is enabled and set to include 1 message.

If I’m reading the thread correctly, this is what you’re attempting to achieve?

11

Great, that’s what I was expecting from the backlog.

This is my Backlog Item Message (I’ve tried various, this is my current ‘basic’ version) that’s saying there is no backlog:

{if backlog}Last messages accounting for this alert: {foreach backlog message}${message}

{end}{else}
${end}

12

Yep, that’s exactly what I’m trying to achieve and have setup. Nothing fancy!

13

You’re missing a few $ in there… Should look like:

${if backlog}Last messages accounting for this alert: ${foreach backlog message}${message}
${end}${else}
${end}
14

OK, solved it! I had the code in the Backlog Item Message (made sense to me at the time) not the Custom message.

I can press on now, many thanks for your time.

1 Like
15

I’m getting 'com.floreysoft.jmte.message.ParseException: Error while parsing ‘message.index’ at location (5:4): Property ‘index’ on object ‘source:xxxxxxx’ so it doesn’t look like that permalink solution will work for some reason.

16

Can you provide the section of your notification body where you have included it?

Hard to troubleshoot without actually seeing the issue…

17

{if backlog} {foreach backlog message}{
{message.id} {message.message}
{message.index} } {end}{else}<No Message found> {end}

18

Odd, loses the dollars and CRs !
Have replaced dollars with &
&{if backlog}
&{foreach backlog message}{
&{message.id}
&{message.message}
&{message.index}
}
&{end}${else}
&{end}

19

Found the 64 char limit - it’s a default in NXLog. I’ll post here for Google as it wasn’t easy to find. Need to set the ShortMessageLength.

Module xm_gelf ShortMessageLength 1000
20

I’ve been using Exec $short_message = $raw_event; in my nxlog configuration.

As for your notification, looks like you have some additional curly-braces - Unsure if that is what is causing your issue but, I do know that they’re not required.

Try something like the below…

${if backlog}${foreach backlog message}
Message ID: ${message.id}
Message Index: ${message.index}

---  Raw Message  ---
${message.message}
${end}${else}${end}