Some of the alert fields are empty

sentiblue · July 19, 2021, 2:52pm

Hey guys… I was hoping to find some help on alerts.

I got a graylog server version 4.0.8 installed and accepting inputs good.
I’ve configured an alert tempalte as below

##########
Description: ${check_result.resultDescription}
Date: ${check_result.triggeredAt}
Stream: ${stream.title}
Stream description: ${stream.description}
Condition: ${alertCondition.title}
${if stream_url}Stream URL: ${stream_url}${end}

Trigger: ${check_result.triggeredCondition}
##########

${if backlog}Last messages accounting for this alert:
${foreach backlog message}${message}

${end}${else}<No backlog>
${end}

The alerts come out with all the header fields empty. The only thing that shows correctly in an email is the message and any backlogs (stuffs after the #####).

##########
Description:
Date:
Stream:
Stream description:
Condition:

Trigger:
##########

The subject is formatted as
Graylog alert for stream: ${stream.title}: ${check_result.resultDescription}

Which also came out blank as
Graylog alert for stream: :

Where did I go wrong guys?

shoothub · July 20, 2021, 7:41am

I don’t know where do you get fields names like check_result and so on? Are there a custom event fields?

Or normal fields which you created using extractors or pipeline rules? Is so, you need to use this syntax (replace src_ip with your field name), you need to use foreach loop to get field value:
${foreach backlog message}${message.fields.src_ip}${end}

Default email template uses pre-defined fields:

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}
${end}

Their description you can find in docs:
https://docs.graylog.org/en/4.0/pages/alerts.html#data-available-to-notifications

sentiblue · July 20, 2021, 4:24pm

Thanks for your reply!
Apparently I made a very rookie mistake. I copied the alert configuration from an older installation from a different site which had a different version and different syntax.

I’ve used the syntax you showed above and it worked out just fine. You’re awesome!

system · August 3, 2021, 4:24pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem with create alerts Graylog Central (peer support)	10	5875	October 1, 2017
Graylog > Alerts > Conditions not registering any alerts at all Graylog Central (peer support)	7	2020	August 24, 2018
Include Fields In Email Callback Graylog Central (peer support)	4	4419	October 24, 2017
Including message content into alert notification email Graylog Central (peer support)	3	7706	September 22, 2017
Graylog notifications - Email body trouble Graylog Central (peer support)	3	987	April 3, 2019

Some of the alert fields are empty

Related Topics