Notification "Body Template" and input extractors

I have an issue where I’d defined a many different regex expressions for my various messages which I alert on, these field were then inserted into the body of my email alert messages and would provide a better means of determining what information was needed to quickly address various issues on each of our alerts. These are no longer working with the “new” alerting functions… I don’t even see where it is in the new “body template” areas where you can add your extractors from each of your inputs. The documentation on the website doesn’t even reflect the new “notifications” and their correct use. It still shows the old way of manipulating the message yet this isn’t even part of the new release… does anyone have any information pertaining this this issue?

Sorry that I do not understand your question - but you never had defined extractors of inputs in the alert section.

Maybe you can rephrase your question and order your thoughts that someone that ins not in your head can understand it.



Sorry, I know that my issue is a not very clear… before I upgraded to the latest revision of Graylog, my alerts had extracted information coming from the syslog message in which I’d created regex extractors on the input. Once I upgraded, the system “migrated” them to “legacy alarm callbacks”… at this point the messages being sent out of the system still contained my “extracted” information. However, since they’re now deprecated… I’ve changed them to “Email Notification” and it was at this point that all of the information which was being sent with the “legacy alarm callback” is missing. I would like to know what it is that I need to do on my send to have this information inserted into the message once again. The information listed here is not providing me with any answers.

Scott Nerone

Do I get you right that you did not get how to create a new alerting mail template that contain additional information in the email that is send out?

Did you have your old mail template available?

If I get you right - the reason is that you can define in each event what fields you like to get into the event from the original message and all defined fields will be used in the email template to be send out.

This way you define in one place (the condition definition) what is important to know and you can have one single notification that can work with hundreds of conditions because each condition has the needed information added.

Am I right?


Once again, thank you for your response. I spun up a backup of the server with the configuration from the “migrated” template so I could get some screen shots of the way the “alert” verbiage was being sent out. I’ve attached a screen shot of it in this message. What I’m trying to achieve is to have the same info sent in the new style of the alerts… if you could provide some help with that I’d greatly appreciated it. On another note, I signed up for the webex tomorrow for the intro into the new features within Graylog 3.1, I’m not going to be able to make that webex… do you happen to know if that will be posted online somewhere that I can watch at a later time/date?

Scott Nerone


the webinar will be recorded and made available online.

When you register, you’ll get a link.

Sorry I can’t help you as I’m not that deep into the alerting (yet)

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.