Inserting Variables into Notifications


#1

Most of my Graylog notifications just use the default template, which includes:

$${if backlog}Last messages accounting for this alert:
$${foreach backlog message}$${message}
$${end}$${else}
<No backlog>
${end}

I’d like to add a few other variables at the top of the email, for example:

Message received at: $timestamp
Source of alert: $source
Full text: $message

Why doesn’t this work? How come only $message is valid but $source and $timestamp don’t work? When I look at a log entry in Graylog these messages have all three, plus I use extractors and have tons of other variables I’d like to eventually use in these emails… so how do I reference them?

Thanks in advance


(Jan Doberstein) #2

Those would work only in the loop, as explained in the docs: http://docs.graylog.org/en/2.4/pages/streams/alerts.html#email-alert-notification

$${if backlog}Last messages accounting for this alert:
$${foreach backlog message}
Message received at: $${$message.timestamp}
Source of alert: $${$message.source}
Full text: $${$message}
$${end}$${else}
<No backlog>
${end}

Something similar should work (it is untested!)


#3

Hi Jan, I played around with this but still haven’t had any luck.

When I add this to my alert:

${message.fields}

It sends a full list of all the fields in the messages; below is a bit of what it lists:

{fw_proto=6, fw_name=Packet accepted, gl2_remote_ip=192.168.1.6, gl2_remote_port=56396, fw_srcport=61592, fw_outitf=eth8, fw_dstip_geolocation=37.751,-97.822, source=192.168.1.6, fw_fwrule=130, fw_srcmac=90:e2:ba:4f:48:29, gl2_source_input=5addddcd2bf9e640243a3ba4,
.
.

Now I can reference a few of those fields, such as source, like this:
${message.source}

But when I try to reference the other fields that are listed there, such as:
${message.fw_proto}

I get an error from Graylog: “java.lang.NoSuchFieldException: fw_proto”… Note this field was created by an extractor…

I have tried all kinds of ways to reference these extracted fields such as using double $$ and $${$ like in your message but have not had any luck. Can you confirm the exact format I need?


(Jan Doberstein) #4

The message.fields fields can be useful to get access to arbitrary fields that are defined in the message. For example message.fields.full_message would return the full_message of a GELF message.

from the docs


#5

message.fields works and confirms which fields I have: see above. It confirms one of my fields is called “fw_proto”, another is called “fw_srcip”, etc. These fields are created by one of my extractors.

However, I cannot reference these fields in my alerts, no matter how I format it. I have tried:

${message.fw_proto}
$${message.fw_proto}
$${$message.fw_proto}

etc… None of these formats work, so I am looking for clarification. Note, these two do work:

{message.timestamp} {message.source}

Therefore you would think that $${message.fw_proto} or $${message.fw_srcip} would work, but it doesn’t. Do you know why? Any suggestions what else I can try?

edit: note the forums are removing some of the $ signs


(Jan Doberstein) #6

use

message.fields.fw_proto

as written in the docs to access a special field.
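Putting the two answers together, here is a complete notification template as an added example (not from the thread or from the Graylog docs): the backlog loop from #2 with extractor-created fields accessed through message.fields as in #6. It is written with single `$` as in the Graylog template syntax the linked docs use, since the forum mangled the `$` signs in the posts above; fw_proto and fw_srcip are the poster's own extractor field names and must be replaced by whatever message.fields lists for your messages.

```text
${if backlog}Last messages accounting for this alert:
${foreach backlog message}
Message received at: ${message.timestamp}
Source of alert: ${message.source}
Protocol (extractor field): ${message.fields.fw_proto}
Source IP (extractor field): ${message.fields.fw_srcip}
Full text: ${message}

${end}${else}<No backlog>
${end}
```

Built-in message attributes (timestamp, source, the message text itself) are referenced directly on the loop variable, while any field added by an extractor or GELF client only resolves under message.fields; referencing it directly produces the java.lang.NoSuchFieldException seen in #3.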