I can’t find the exact solution to my problem so I create a new topic, I am sorry if it is duplicated.
I want to display specific fields and its keys in the notification email so I enabled blacklog in the event setting and add the following in the blacklog section of the notification configuration:
I’ve consulted the official reference but I still don’t get the correct syntax. So I tried the following:
You have to setup number of backlog to 1: in Alerts - Event Definitions - tab Notifications and field Message Backlog, tick the checkbox and set 1.
Message backlog define number of messages to be included in Notifications.
If you want device source included in notification message use: ${foreach backlog message}${message.source}${end}
If you want to use user field (for example: srcip) use {$message.fields.srcip} : ${foreach backlog message}${message.fields.src_ip}${end}
For example I use this message text after somebody connect to switch: {foreach backlog message} Source device: {message.source} Username: {message.fields.username} IP: {message.fields.srcip} ${end}
You can also use same technique in message subject, for example I use this: User ${foreach backlog message}${message.fields.username}${end} connected to switch ${foreach backlog message}${message.source}${end} from IP ${foreach backlog message}${message.fields.src_ip}${end}
Please help.