Notification template split by char or replace string function

Hi.

I am using graylog 2.5.1 and having an issue with the alerts notifications. (I can’t upgrade at the moment)

${if backlog}Last messages accounting for this alert:
${foreach backlog message}${message}

${end}${else}<No backlog>
${end}

The $message is a long json field coming from traefik and it is printed inside the notification as a very very long and ugly string.
Since graylog is showing the json fields separated by a pipe (|) I am wondering if there is any way to replace the pipe with a newline in order to make it easy to read.
As far as I could read, the templating engine is based on jmte but I can’t find any string manipulation functions.

Is there any way to achieve that?

Thanks for any help! :slight_smile:

Example of the $message string:

source: ip-172-31-88-157.eu-west-1.compute.internal | message: REQUEST:HttpRequest(HttpMethod(GET),http://www.domain.com/plus/1421600/download-report,List(Timeout-Access: , Remote-Address: 172.31.93.159:58414, Host: www.domain.com, X-Real-Ip: 145.1.220. […] { input_stream: gelf_tcp | k8s_labels_app-api-ver: api-v5.0.18 | gl2_remote_ip: 172.31.92.128 | gl2_remote_port: 4196 | k8s_labels_stack_name: prod | gl2_source_input: 59dc89fee8c3e819f0b926bd | k8s_labels_app-base-web-ver: master | k8s_labels_apprelease-time: 20220706105457 | k8s_container_name: site-www-yin-website-k8s-apiv2-6c5685864b-5zmjt | k8s_labels_tag: apiv2 | k8s_labels_stack_config: prod | gl2_source_node: cae84269-e5c2-429d-a8b0-7b099bb3d9b8 | logger_name: com.domain.infrastructure.http.domain$ | k8s_namespace_name: ci | timestamp: 2022-07-11T09:25:09.659Z | level: 3 | streams: [000000000000000000000001, 5e29b59eac34370044fd31a2, 6287931889bc44003cd04381] | k8s_labels_app-base-api-ver: master | k8s_pod_name: site-www-yin-website-k8s-apiv2-6c5685864b-5zmjt | k8s_labels_appname: website-k8s-apiv2 | k8s_labels_appinstance: site-www-yin | k8s_labels_app-web-ver: v4.13.5 | level_name: ERROR | full_message: REQUEST: […]
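As an added illustration (not part of the original post, and not a Graylog or JMTE feature): the pipe-separated text above is Graylog's flattened rendering of a message, `source: … | message: … { field: value | field: value }`, so the "replace the pipe with a newline" idea can be done outside the template, for example in a small script that post-processes the notification body. The Python below uses a constructed sample shaped like the string in this post (values shortened, not a real log line) and splits on ` | ` only where a field name and colon follow, so pipes and colons inside values (URLs, header lists, `Remote-Address: host:port`) are kept intact; field-name characters and the ` { … }` layout are assumptions taken from the sample shown here.

```python
import re
from typing import Dict

# Constructed sample (not a real log line) in the shape of the string the post
# shows: "source: ... | message: ... { field: value | field: value }".
SAMPLE = (
    "source: ip-172-31-88-157.eu-west-1.compute.internal | "
    "message: REQUEST:HttpRequest(HttpMethod(GET),"
    "http://www.domain.com/plus/1421600/download-report,"
    "List(Timeout-Access: , Remote-Address: 172.31.93.159:58414, "
    "Host: www.domain.com)) "
    "{ input_stream: gelf_tcp | gl2_remote_ip: 172.31.92.128 | "
    "gl2_remote_port: 4196 | "
    "streams: [000000000000000000000001, 5e29b59eac34370044fd31a2] | "
    "k8s_labels_appinstance:site-www-yin | level_name: ERROR | "
    "_id: 13c90ab2-01be-11ed-881c-f6e60414bcca }"
)

# Assumption from the sample: field names use letters, digits, "_", ".", "$", "-".
_KEY = r"[A-Za-z0-9_.$\-]+"
# " | " counts as a separator only when a field name and ":" follow it, so a
# pipe inside a value (a URL, a header list) does not split that value.
_FIELD_SEP = re.compile(r" \| (?=" + _KEY + r":)")
# Key, colon, optional whitespace (the sample has "appinstance:site" with none).
_KEY_VALUE = re.compile(r"^(" + _KEY + r"):\s*(.*)$", re.DOTALL)
# Lazy head: the first " { " opens the extra-fields block and the trailing " }"
# closes it. Heuristic only: a literal " { " inside the message text would
# be mistaken for the block opener.
_LAYOUT = re.compile(r"^(?P<head>.*?) \{ (?P<fields>.*) \}$", re.DOTALL)


def _parse_pairs(segment: str, out: Dict[str, str]) -> None:
    """Split one pipe-separated segment into key/value pairs, in order."""
    for part in _FIELD_SEP.split(segment):
        m = _KEY_VALUE.match(part)
        if m:
            out[m.group(1)] = m.group(2).strip()
        elif part.strip():
            # No "key:" prefix at all: keep the text rather than drop it silently.
            out["_unparsed"] = (out.get("_unparsed", "") + " " + part).strip()


def parse_flat_message(text: str) -> Dict[str, str]:
    """Turn the flattened message string into an insertion-ordered field dict."""
    fields: Dict[str, str] = {}
    m = _LAYOUT.match(text.strip())
    if m:
        _parse_pairs(m.group("head"), fields)
        _parse_pairs(m.group("fields"), fields)
    else:
        # No " { ... }" block: treat the whole string as one field list.
        _parse_pairs(text.strip(), fields)
    return fields


def render_readable(text: str) -> str:
    """One 'key: value' per line, which is what replacing the pipes aimed at."""
    return "\n".join(f"{k}: {v}" for k, v in parse_flat_message(text).items())


if __name__ == "__main__":
    print(render_readable(SAMPLE))
```

Running the script prints the sample as nine `key: value` lines; the `message` value keeps its inner `Remote-Address: 172.31.93.159:58414` untouched because the split happens only at ` | ` boundaries that introduce a new field name.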

Hello,

If the notification template is grabbing data from the “message” field it will look like that.
For making it neat, perhaps only use the fields you want.

Example:

Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
User:              ${message.fields.TargetUserName}
WorkStation Name:  ${message.fields.WorkstationName}
Event Time:        ${message.fields.EventReceivedTime}
Source:            ${message.source}
Logon Type:        ${message.LogonType}
Message Link to the Alert: https://graylog.domain.com:9000/messages/${message.index}/${message.id}

${end}
${end}

Thanks a lot GSmith.

It works but I found some glitch.
My template does not include any ‘index’ mention as you can see below, but I got some errors while rendering the notification email.
Do you know how to avoid this without skipping the notification of the email producing this error?

graylog error

The Graylog server encountered an error while trying to send an email. This is the detailed error message: com.floreysoft.jmte.message.ParseException: Error while parsing ‘message.index’ at location (17:59): Property ‘index’ on object ‘source: REDACTED| message: REQUEST:HttpRequest(HttpMethod(GET),http://REDACTED,List(Timeout-Access: , Remote-Address: REDACTED:46658, Accept: application/json, text/pla (…) { input_stream: gelf_tcp | k8s_labels_app-api-ver: REDACTED | gl2_remote_ip: REDACTED | gl2_remote_port: 16566 | k8s_labels_stack_name: prod | gl2_source_input: 59dc89fee8c3e819f0b926bd | k8s_labels_app-base-web-ver: master | k8s_labels_apprelease-time: 20220711180459 | k8s_container_name: REDACTED | k8s_labels_tag: apiv2 | k8s_labels_stack_config: prod | gl2_source_node: cae84269-e5c2-429d-a8b0-7b099bb3d9b8 | logger_name: REDACTED$ | k8s_namespace_name: ci | timestamp: 2022-07-12T08:39:00.570Z | level: 3 | streams: [000000000000000000000001, 5e29b59eac34370044fd31a2, 6287931889bc44003cd04381] | k8s_labels_app-base-api-ver: master | k8s_pod_name: REDACTED | k8s_labels_appname: REDACTED | k8s_labels_appinstance:REDACTED | k8s_labels_app-web-ver: v4.13.6 | level_name: ERROR | full_message: REQUEST: HttpRequest(HttpMethod(GET),http://REDACTED,List(Timeout-Access: , Remote-Address: REDACTED:46658, Accept: application/json, text/plain, /, Connection: keep-alive, Host: REDACTED:9001, User-Agent: Mozilla/5.0 (Linux x64) REDACTED),HttpEntity.Strict(none/none,ByteString()),HttpProtocol(HTTP/1.1)) REQUEST-ENTITY: RESPONSE: Complete(HttpResponse(500 Internal Server Error,List(),HttpEntity.Strict(application/json,{“error”:“generic_error”}),HttpProtocol(HTTP/1.1))) | thread_name: trovimap-gateway-akka.actor.default-dispatcher-12 | _id: 13c90ab2-01be-11ed-881c-f6e60414bcca }’ can not be accessed: “java.lang.NoSuchFieldException: index”!

#/tmp/template

Not sure,

Let’s see what you have in the Full Notification template that is being used.

I’m not 100% sure but it might be the type of email template you’re using.

Hi again,

Sorry, I overlooked it, the error came from another notification message:
The error came, surprisingly, from the line:

${foreach backlog message}

Origin message: https://graylog.domain.com:9000/messages/${message.index}/${message.id}

[…]
${end}

It is inside the loop so I expected .index to always exist. Seems weird to me that it is not there.

Shouldn’t $message.index always exist inside the loop?

We’re using Graylog 2.5.1, but I can’t check upgrading it at this moment because we are in the middle of big migrations.

So you’re copying and pasting :thinking: That message LINK may not work on your version.

That was an example; you need to replace those fields with your own fields.

Try looking at this documentation

https://archivedocs.graylog.org/en/2.5/pages/streams/alerts.html#notifications

I have GL version 4.3 but that message link did work in version 3.3. But if you noticed, I’m using a FQDN; if you’re not using that I would replace it with the IP address. Just a thought

EXAMPLE:

Seems I will have to upgrade as soon as possible.
And looking at the changes among versions, it will probably be easier to just install and configure the latest version. :-/

Hello,

In one of our environments we do have Graylog 2.4. I’m almost 100% certain the other Admin did use Message URL/Link. He is not working today but first thing on Monday I can ask him. Upgrading would be good for security reasons but this would depend on how your environment is set up. Most of our older versions of Graylog are NOT exposed to the internet so we don’t have a problem with that. Please be mindful and look at the change logs for the different Graylog versions below. There have been a few changes from 2.4 → 4.3 and perhaps some functions may not work any more.

Yep, that’s why I said to install 4.3.3 from scratch instead of going through all the upgrades from 2.5.1 to 4.3.3. Too many things to take care of and too much work.

Hello,

Just an FYI, we had to upgrade our GL 2.4 and as you stated we installed a fresh version of GL 4.3, BUT we installed the same version of MongoDB on the new version of GL 4.3. To keep all the settings we executed a mongo dump and SCP’d it to the new server. It took a minute for Graylog to update the mongo database (graylog) but we were able to keep 90% of our settings. Some of the issues were the notification and authentication settings, which needed to be re-configured, but most everything else was good.


Great to know. I will give this workaround a try. :slight_smile:

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.