Loop over backlog in Notification body

frantz · February 25, 2022, 4:19pm

Hello,

I try to get a notification like:
{“src_ip”: [“1.1.1.1”, “2.2.2.2”, “3.3.3.3”], “dest_ip”: [“1.2.3.4”]}

I try to loop over backlog but I have 2 issues:

Firstly we can only loop over logs (messages) and not on a specific field.
For example I can’t loop over src_ip, I could only get something like {“messages”: [{“src_ip”: “1.1.1.1”, “dest_ip”: “1.2.3.4”}, {“src_ip”: “2.2.2.2”, “dest_ip”: “1.2.3.4”}]}
I would expect to loop as:
{“src_ip”: ${foreach backlog.message.fields.src_ip ip}"${ip}"${end}, }

Secondly I can’t remove the last coma in a loop.
${if backlog}{“messages”: [${foreach backlog message}{“src_ip”: ${message.fields.src_ip}${end}, ]}${end}
It would produce something like:
{“messages”: [{“src_ip”: “1.1.1.1”}, {“src_ip”: “2.2.2.2”}, ]}
You notice the last coma breaking the JSON format.

Do I miss something ?
I don’t find any documentaion on the notification language (if, foreach…)

gsmith · February 26, 2022, 12:45am

Hello,

Perhaps something here may help.

Alerts — Graylog 3.2.0 documentation

frantz · February 28, 2022, 10:00am

The documentation is incomplete. It only gives some examples, but it doesn’t explain the language in details.

gsmith · February 28, 2022, 11:37pm

Hello,

From the documentation linked above I noticed this.

From this section here

As for how the language is explained in detail, not sure.

I might be able to give some examples but its hard to read your post above, perhaps using the markdown language would help and a example of what you trying to achieve would be great

frantz · March 8, 2022, 12:57pm

Thank you for pointing to this documentation.
The page Java Minimal Template Engine explains all the possibility offered by this language.
I’m now able to fix my second issue: I can remove the last coma thanks to the special variable ${if last_item}.

So the last problem is I can’t loop over a specific field in the backlog such as:
{"src_ip": [${foreach backlog.fields.src_ip ip}"${ip}" ,${end}]}
which would produce something like:
{"src_ip": ["1.1.1.1", "2.2.2.2", "3.3.3.3"]}

Maybe something like this could work:

{
	"src_ip": [
		${foreach backlog log}
			${foreach log.fields field}
				${if field.key=src_ip}
					${if last_field}
						"${field.src_ip}"
					${else}
						"${field.src_ip}" ,
					${end}
				${end}
			${end}
		${end}
	],
	"dest_ip": [
		${foreach backlog log}
			${foreach log.fields field}
				${if field.key=dest_ip}
					${if last_field}
						"${field.dest_ip}"
					${else}
						"${field.dest_ip}" ,
					${end}
				${end}
			${end}
		${end}
	]
}

frantz · March 8, 2022, 4:07pm

It’s not very efficient but it works:

{
    	"src_ip": [
    		${foreach backlog log}
    			${foreach log.fields field}
    				${if field.key=src_ip}
    					${if last_log}
    						"${field.value}"
    					${else}
    						"${field.value}" ,
    					${end}
    				${end}
    			${end}
    		${end}
    	],
    	"dest_ip": [
    		${foreach backlog log}
    			${foreach log.fields field}
    				${if field.key=dest_ip}
    					${if last_log}
    						"${field.value}"
    					${else}
    						"${field.value}", 
    					${end}
    				${end}
    			${end}
    		${end}
    	]
    }

system · March 22, 2022, 4:08pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to loop out src and dst in email notifications Graylog Central (peer support) alert	2	267	August 4, 2023
Notification email backlog blank despite enabled Graylog Central (peer support)	3	2444	September 14, 2020
Graylog notifications - Email body trouble Graylog Central (peer support)	3	995	April 3, 2019
Events fields & notifications Graylog Central (peer support)	2	2584	February 20, 2020
Graylog 4.0.6 Event Notification not working properly Graylog Central (peer support)	5	1699	May 6, 2021

Loop over backlog in Notification body

Related topics