Hi, I have a problem with a Graylog notification. I need to filter part of a message like:
message: “127.0.0.1:1234 VERIFY error: depth=0, error:somethink: TB=23-sdsdw-2d, dont needed, this”
and I need to send an e-mail only with the “TB=23-sdsdw-2d” information.
You need to process that message before alerting, with the processing pipeline.
But in that case I override the original message, right?
I must not touch the original message.
Try to extract TB=xxx from the message field into a new field, for example alert_field. Use a regular expression (or GROK) extractor rule, or a pipeline rule, or something specific to the pattern of the original message, for example:
(TB=[^\s,]+)
After that, use this snippet in the notification body to insert only the extracted field:
${foreach backlog message}${message.fields.alert_field}${end}
https://docs.graylog.org/en/3.1/pages/extractors.html
https://docs.graylog.org/en/3.1/pages/streams/alerts.html
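The two steps above (extract the TB token into a separate field without modifying the original message, then render only that field for each backlog message) can be checked outside Graylog before you build the extractor and notification. The following is an added example, not code from the thread or from Graylog: it reproduces the same regex in Python, runs it over constructed sample messages, and mimics the foreach-over-backlog template. The message dicts and the function names are assumptions made for this illustration.

```python
import re

# Same capture group the extractor/pipeline rule would use: "TB=" followed by
# everything up to the next whitespace or comma, so the trailing comma in the
# original message is not swept into the extracted value.
TB_PATTERN = re.compile(r"(TB=[^\s,]+)")

# Constructed sample messages (not real log data). The second one carries no
# TB token, to show that the extractor simply adds nothing in that case.
SAMPLE_MESSAGES = [
    "127.0.0.1:1234 VERIFY error: depth=0, error:somethink: TB=23-sdsdw-2d, dont needed, this",
    "127.0.0.1:1234 VERIFY error: depth=0, error:somethink: no token here",
    "10.0.0.5:4321 VERIFY error: depth=1, error:other: TB=99-abcd-ef, trailing",
]


def extract_alert_field(message: dict) -> dict:
    """Return a copy of the message with 'alert_field' added when TB=... is found.

    The original 'message' field is left untouched, which is the point of
    extracting into a new field instead of rewriting the message.
    """
    enriched = dict(message)
    match = TB_PATTERN.search(message.get("message", ""))
    if match:
        enriched["alert_field"] = match.group(1)
    return enriched


def render_notification(backlog: list) -> str:
    """Mimic the notification body snippet

        ${foreach backlog message}${message.fields.alert_field}${end}

    over the backlog: one line per message that has alert_field set.
    Messages without the field are skipped here; in the real template the
    missing field would simply render as nothing.
    """
    return "\n".join(msg["alert_field"] for msg in backlog if "alert_field" in msg)


if __name__ == "__main__":
    backlog = [extract_alert_field({"message": m}) for m in SAMPLE_MESSAGES]
    for msg in backlog:
        print(repr(msg.get("alert_field")), "<-", msg["message"][:45], "...")
    print("--- notification body ---")
    print(render_notification(backlog))
```

Run it once with your own log lines in SAMPLE_MESSAGES: if extract_alert_field leaves the value you expect in alert_field and the message key unchanged, the same regex will behave the same way in a Graylog regex extractor or a regex() call in a pipeline rule.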
Thank you very much, finally it is working.
Would it be possible to get one mail with all messages found matching the filter criteria?
Yes, change the number of backlog messages in Alerts - Event Definitions - Edit - Notification tab, field Message Backlog.
Thanks, I already have it, but I didn't realize that the message with the alert has the same source and message; that was probably the problem.
Interesting: now Graylog sends me 17 mails with one message each, not one mail with 17 messages.