Hi,
I’m working on a server like this:
Graylog 4.0.5+d95b909 (Debian 11.0.9.1 on Linux 4.19.0-14-amd64)
for a customer, which has some demands.
Is there any way to remove that piece of string (“count() ==”) that comes attached to notifications’ object when using Filter & Aggregation with Aggregation of results reaches a threshold?
I’m mostly referring to situations like
“if count() == 1”
or, maybe
“count() > 1 AND count() < 5”
Thanks
Please send extract from notification, where it is. Is it in message of notification or subject?
Hi @shoothub ,
yes sorry, I meant in the subject, not the object.
It comes out something like
Subject: Title of the notification count()==1
Body:
body
of
the
notification
The Subject of notification si based on field subject field defined in notification. By default it has value: Graylog event notification: ${event_definition_title}. Try to change it to resired subject.
Anyway, if you want to use source field in subject, you can use {$message.source} :
${foreach backlog message}${message.source}${end}
If you want to use user field (for example: src_ip) use {$message.fields.src_ip}:
${foreach backlog message}${message.fields.src_ip}${end}
For example I use this subject after somebody connect to switch:
User ${foreach backlog message}${message.fields.username}${end} connected to switch ${foreach backlog message}${message.source}${end} from IP ${foreach backlog message}${message.fields.src_ip}${end}
Hi,
the default, copypasted, subject in all custom notifications is
${event.message}
and this is the one that gets the count() == 1 part whenever i set the message count.
Any ideas?
Thanks
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.