Use extracted field as email alert recipient


We love graylog, thank you for making it available!!

Have setup an extractor to extract “ad_username” from authentication failures. Now we want to setup an alert for more than X authentication failures in a row, to alert the end user. So, as an alert recipeint, we are trying to use the extracted username, like:

However, the “ad_username” is kept, rather then being replaced by the actual username, so the email is sent to which of course does not work. :slight_smile:

We tried: ${ad_username}, $${$ad_username}, {$ad_username}, etc, all with similar result.

Is what we are trying to do possible? FYI: graylog 2.4 (yes, we need to upgrade)

he @kkplein

such a request is not possible. It would be a feature request over at github. But that will be never get a backport to that version you are using.

Hi Jan,

Aha, not possible now, good to know I’m not missing something. I will submit a feature request, and of course I understand that it would not be ported to our old version. :slight_smile: We have to upgrade anyway, and that is fine. Just haven’t done it yet.

Thanks for the reply!


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.