Not able to add custom field in events generated from the event definition

Hi All,

I am receiving IIS logs in Graylog and I am trying to set up alerts based on the event condition. I am setting iis_Access_Responsecode:>=500 as the event filter condition, with aggregation grouped by the field iis_Access_SiteName, and if my event count is > 5, alerts will be triggered.

Before it sends the events to the stream, I am trying to add a custom field to the events generated from the event definition; however, I am getting the below error response in the Graylog logs.

2019-09-13 09:38:27,583 ERROR   [TemplateFieldValueProvider] - No value found for variable "iis_Access_SiteName" in template "${iis_Access_SiteName}" - {}
2019-09-13 09:39:27,864 ERROR   [TemplateFieldValueProvider] - No value found for variable "iis_Access_SiteName" in template "${iis_Access_SiteName}" - {}

Also, from the documentation we couldn't find exactly where the template is, or how it takes the value from the template for the custom field given.

Please correct me if I am doing anything wrong.

Thanks,
Ganeshbabu R

We tried giving this syntax in the event field configuration under the event definition:

template: "${source.iis_Access_SiteName}"

and the custom field (parent_id) is added to the message as below:

      "fields" : {
        "parent_id" : "techlabs.graylog.co.in"
      },
      "id" : "01DMQ7JCSFFPR4AV92R0",
      "event_definition_type" : "aggregation-v1",
      "event_definition_id" : "5d76470a0026d94693",
      "origin_context" : null,
      "timestamp" : "2019-09-14 06:32:15.855",
      "timestamp_processing" : "2019-09-14 06:32:37.935",
      "timerange_start" : "2019-09-14 06:30:22.462",
      "timerange_end" : "2019-09-14 06:32:22.461",
      "streams" : [
        "000000000000000000000002"
      ],
      "source_streams" : [
        "5d76470a0026d94693"
      ],
      "message" : "IIS_HighVolume_500_ErrorCodes: techlabs.graylog.co.in - count()=3.0",
      "source" : "graylog3-helm-0.svc.cluster.local",
      "key_tuple" : [ ],
      "key" : "",
      "priority" : 2,
      "alert" : false

Please correct me if I am doing anything wrong in the configuration.

Regards,
Ganeshbabu R
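The two posts above show the whole mechanism end to end: an aggregation over IIS messages with response code >= 500 grouped by site name, a count threshold, and a custom event field whose value is pulled out of a "${...}" template. The following is an added example, not code from the posts or from Graylog itself. It models a template resolver that only knows how to walk dotted paths in a context dictionary, and it assumes (as the working "${source.iis_Access_SiteName}" template suggests) that the triggering message's fields sit under a "source" key in that context; Graylog's actual template engine and context shape are not reproduced here. The IIS records, site names and threshold are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample records, shaped like IIS messages after field extraction.
# Six 5xx responses for one site (above the poster's threshold of 5), one for the other.
SAMPLE_MESSAGES = [
    {"iis_Access_SiteName": "techlabs.graylog.co.in", "iis_Access_Responsecode": 500},
    {"iis_Access_SiteName": "techlabs.graylog.co.in", "iis_Access_Responsecode": 503},
    {"iis_Access_SiteName": "techlabs.graylog.co.in", "iis_Access_Responsecode": 502},
    {"iis_Access_SiteName": "techlabs.graylog.co.in", "iis_Access_Responsecode": 500},
    {"iis_Access_SiteName": "techlabs.graylog.co.in", "iis_Access_Responsecode": 504},
    {"iis_Access_SiteName": "techlabs.graylog.co.in", "iis_Access_Responsecode": 500},
    {"iis_Access_SiteName": "techlabs.graylog.co.in", "iis_Access_Responsecode": 200},
    {"iis_Access_SiteName": "intranet.example.local", "iis_Access_Responsecode": 500},
    {"iis_Access_SiteName": "intranet.example.local", "iis_Access_Responsecode": 404},
]

# Matches "${some.dotted.path}" placeholders inside a template string.
VARIABLE_RE = re.compile(r"\$\{([^}]+)\}")


class TemplateLookupError(KeyError):
    """Raised when a template variable cannot be resolved in the context."""


def lookup_path(context, dotted):
    """Walk a dotted path such as 'source.iis_Access_SiteName' through nested dicts."""
    current = context
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            # Mirrors the wording of the error seen in the poster's logs.
            raise TemplateLookupError(f'No value found for variable "{dotted}"')
        current = current[part]
    return current


def render_template(template, context):
    """Replace every ${...} placeholder with its resolved value, as a string."""
    return VARIABLE_RE.sub(lambda m: str(lookup_path(context, m.group(1))), template)


def aggregate_errors(messages, min_code=500, threshold=5):
    """Count messages with response code >= min_code per site; keep groups whose count > threshold."""
    counts = Counter(
        m["iis_Access_SiteName"]
        for m in messages
        if m["iis_Access_Responsecode"] >= min_code
    )
    return {site: n for site, n in counts.items() if n > threshold}


def build_event(site, count, custom_fields, source_message):
    """Build an event dict with custom fields rendered from templates.

    Assumption (not Graylog's documented behaviour): the triggering message's
    fields are exposed to templates under the 'source' key of the context.
    """
    context = {"source": source_message}
    fields = {name: render_template(tpl, context) for name, tpl in custom_fields.items()}
    return {
        "message": f"IIS_HighVolume_500_ErrorCodes: {site} - count()={float(count)}",
        "fields": fields,
    }


def run_event_definition(messages, custom_fields, threshold=5):
    """Evaluate the aggregation and emit one event per site over the threshold."""
    events = []
    for site, count in aggregate_errors(messages, threshold=threshold).items():
        # Use the first matching message of the group as the template source.
        first = next(m for m in messages if m["iis_Access_SiteName"] == site)
        events.append(build_event(site, count, custom_fields, first))
    return events


if __name__ == "__main__":
    # The bare variable fails exactly like the log lines in the first post ...
    try:
        run_event_definition(SAMPLE_MESSAGES, {"parent_id": "${iis_Access_SiteName}"})
    except TemplateLookupError as exc:
        print("bare variable:", exc)
    # ... while the 'source.'-prefixed path from the second post resolves.
    for event in run_event_definition(SAMPLE_MESSAGES, {"parent_id": "${source.iis_Access_SiteName}"}):
        print(event)
```

Running the block prints the lookup error for "${iis_Access_SiteName}" and then a single event for techlabs.graylog.co.in whose "fields" carry "parent_id", matching the shape of the event document in the second post. The point to take from it is that the template is resolved against a context object, so the variable name must describe where the field lives in that context, not just the field's name on the original message.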
