Slack notification not containing backlog message fields

Hi All,

I am having an issue with Graylog 5.03 and Slack integration.

I have the following working:

  1. A UDP text input on port 5556 with a JSON extractor which extracts messages.
  2. An event definition and notification which works, sending messages to Slack.
  3. I have the backlog set to 1 in the notification.
  4. The full message appears in the Slack channel but without the individual message field.

Example test message sent to the input as a JSONL string (the JSON must be single-quoted so the shell passes the quotes and spaces through to ncat unchanged):

echo '{"classification.identifier": "open-vnc", "classification.taxonomy": "vulnerable", "classification.type": "vulnerable-system", "time.source": "2023-04-24T07:23:33+00:00"}' | ncat -u -w 1 <graylog ip> 5556

Here it is parsed:

Here is the notification template

--- [Alert Information] ---------------------------
Title:       
Source:   
Timestamp:  ${event.timestamp}

${if backlog}
${foreach backlog message}
${message.classification_type}
${message.classification.type}
--- [Full Message ] ------------------------------------
${message.message}
${end}
${end}

I have tried both options, as the extractor on the input shows a dot whereas the parsed event has an underscore rather than a dot.

However, in Slack I get:

I was expecting to see the classification.type field in the slack notification.

Can anyone explain why I am not getting the individual field but do get the full message?

Cheers

Jake

Hey @Magneton

I haven't used Slack much and I backed off version 5.0, but as for the notification template maybe try this.

Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Backlog messages
${foreach backlog message}
${message.fields.classification_type}
${message.fields.classification.something_else}
${message.message}
${end}
${end}
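As an added illustration (not Graylog's template engine, and not code from either poster), here is a small Python simulation of what the thread describes: the JSON extractor turns dotted keys such as classification.type into underscored field names, and a backlog template only reaches those through ${message.fields.<name>}, so both ${message.classification_type} and ${message.classification.type} render empty while ${message.fields.classification_type} shows the value. The event timestamp, the simplified render() helper and the choice to render unresolved placeholders as empty strings are assumptions made for this example.

```python
import json
import re
from typing import Optional

# Constructed sample input: the JSONL line sent to the UDP input in the thread.
RAW_LINE = ('{"classification.identifier": "open-vnc", '
            '"classification.taxonomy": "vulnerable", '
            '"classification.type": "vulnerable-system", '
            '"time.source": "2023-04-24T07:23:33+00:00"}')


def extract_fields(raw: str) -> dict:
    """Simulate the JSON extractor: parse the line and rename keys so that
    dots become underscores, which is how the parsed event in the thread
    shows them (classification_type, not classification.type)."""
    return {key.replace(".", "_"): value for key, value in json.loads(raw).items()}


def backlog_message(raw: str) -> dict:
    """A backlog entry as the template sees it: full message text plus fields."""
    return {"message": raw, "fields": extract_fields(raw)}


FOREACH = re.compile(r"\$\{foreach backlog message\}(.*?)\$\{end\}", re.DOTALL)
IF_BACKLOG = re.compile(r"\$\{if backlog\}(.*?)\$\{end\}", re.DOTALL)
REF = re.compile(r"\$\{([A-Za-z_.]+)\}")


def resolve(ref: str, event: dict, message: Optional[dict]) -> str:
    """Resolve one ${...} placeholder. Only event.timestamp, message.message
    and message.fields.<name> are known; anything else renders as an empty
    string (an assumption of this simulation, not a documented Graylog rule)."""
    if ref == "event.timestamp":
        return event["timestamp"]
    if message is not None:
        if ref == "message.message":
            return message["message"]
        if ref.startswith("message.fields."):
            return str(message["fields"].get(ref[len("message.fields."):], ""))
    return ""


def render(template: str, event: dict, backlog: list) -> str:
    """Expand the foreach block once per backlog message, then the if block,
    then any remaining event-level placeholders."""
    def expand_foreach(match):
        body = match.group(1)
        return "".join(REF.sub(lambda r: resolve(r.group(1), event, msg), body)
                       for msg in backlog)
    out = FOREACH.sub(expand_foreach, template)
    out = IF_BACKLOG.sub(lambda m: m.group(1) if backlog else "", out)
    return REF.sub(lambda r: resolve(r.group(1), event, None), out)


# The questioner's two attempts (no "fields." prefix, and a dotted name)
# versus the reference the reply suggests.
BROKEN_LINES = "${message.classification_type}\n${message.classification.type}\n"
FIXED_LINE = "${message.fields.classification_type}\n"


def render_notification(field_lines: str) -> str:
    """Render a template shaped like the one in the thread with one backlog message."""
    template = ("Timestamp: ${event.timestamp}\n"
                "${if backlog}${foreach backlog message}"
                + field_lines +
                "--- [Full Message] ---\n${message.message}\n${end}${end}")
    event = {"timestamp": "2023-04-24T07:23:40.000Z"}  # constructed value
    return render(template, event, [backlog_message(RAW_LINE)])


if __name__ == "__main__":
    print("--- questioner's references ---")
    print(render_notification(BROKEN_LINES))
    print("--- fields. reference ---")
    print(render_notification(FIXED_LINE))
```

Running it shows the first rendering with two blank lines where the field values should be, and the second with vulnerable-system on its own line above the full message, which matches the behaviour reported in the thread.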

Cheers, I will give it a try and let you know
