Use extracted field as email alert recipient


We love Graylog, thank you for making it available!!

Have set up an extractor to extract “ad_username” from authentication failures. Now we want to set up an alert for more than X authentication failures in a row, to alert the end user. So, as an alert recipient, we are trying to use the extracted username, like:

However, the “ad_username” is kept, rather than being replaced by the actual username, so the email is sent to which of course does not work. :slight_smile:

We tried: ${ad_username}, $${$ad_username}, {$ad_username}, etc, all with similar result.

Is what we are trying to do possible? FYI: Graylog 2.4 (yes, we need to upgrade)

Hey @kkplein

Such a request is not possible. It would be a feature request over at GitHub. But that will never get a backport to the version you are using.

Hi Jan,

Aha, not possible now, good to know I’m not missing something. I will submit a feature request, and of course I understand that it would not be ported to our old version. :slight_smile: We have to upgrade anyway, and that is fine. Just haven’t done it yet.

Thanks for the reply!
