Some of the alert fields are empty

sentiblue · July 19, 2021, 2:52pm

Hey guys… I was hoping to find some help on alerts.

I got a graylog server version 4.0.8 installed and accepting inputs good.
I’ve configured an alert tempalte as below

##########
Description: ${check_result.resultDescription}
Date: ${check_result.triggeredAt}
Stream: ${stream.title}
Stream description: ${stream.description}
Condition: ${alertCondition.title}
${if stream_url}Stream URL: ${stream_url}${end}

Trigger: ${check_result.triggeredCondition}
##########

${if backlog}Last messages accounting for this alert:
${foreach backlog message}${message}

${end}${else}<No backlog>
${end}

The alerts come out with all the header fields empty. The only thing that shows correctly in an email is the message and any backlogs (stuffs after the #####).

##########
Description:
Date:
Stream:
Stream description:
Condition:

Trigger:
##########

The subject is formatted as
Graylog alert for stream: ${stream.title}: ${check_result.resultDescription}

Which also came out blank as
Graylog alert for stream: :

Where did I go wrong guys?

shoothub · July 20, 2021, 7:41am

I don’t know where do you get fields names like check_result and so on? Are there a custom event fields?

Or normal fields which you created using extractors or pipeline rules? Is so, you need to use this syntax (replace src_ip with your field name), you need to use foreach loop to get field value:
${foreach backlog message}${message.fields.src_ip}${end}

Default email template uses pre-defined fields:

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}
${end}

Their description you can find in docs:
https://docs.graylog.org/en/4.0/pages/alerts.html#data-available-to-notifications

sentiblue · July 20, 2021, 4:24pm

Thanks for your reply!
Apparently I made a very rookie mistake. I copied the alert configuration from an older installation from a different site which had a different version and different syntax.

I’ve used the syntax you showed above and it worked out just fine. You’re awesome!

Topic		Replies	Views
${message.message} not working in the alert template Graylog Central (peer support)	17	6279	October 2, 2018
Problem with create alerts Graylog Central (peer support)	10	5904	October 1, 2017
Include Fields In Email Callback Graylog Central (peer support)	4	4453	October 24, 2017
Graylog notifications - Email body trouble Graylog Central (peer support)	3	1027	April 3, 2019
Including message content into alert notification email Graylog Central (peer support)	3	7783	September 22, 2017

Some of the alert fields are empty

Related topics