Message Templates and Variables

Security Requirements and Controls

LogScale uses message templates to create the messages sent by actions. They currently apply to Action Type: Email, Action Type: OpsGenie, Action Type: PagerDuty, Action Type: Slack, Action Type: VictorOps (Splunk On-Call) and Action Type: Webhooks. The template engine is a simple "search/replace" model, where the {_} marked placeholders are replaced with context-aware variables.

See the list for an explanation of the placeholders:

Placeholders Description
{field:FIELD_NAME} Extracts the value of FIELD_NAME from the field in the first event from the trigger. Put field names with spaces in double quotes, {field:"My Field"}.
{field_raw:FIELD_NAME} Extracts the value of FIELD_NAME from the field in the first event from the trigger without JSON escaping it. Put field names with spaces in double quotes, {field_raw:"My Field"}.
{name}, {alert_name} The user-made name of the trigger.
{description}, {alert_description} A user-made description of the trigger.
{triggered_timestamp}, {alert_triggered_timestamp} The time at which the trigger was triggered, formatted as ISO 8601.
{id}, {alert_id} The id of the trigger.
{action_id}, {alert_notifier_id} The id of the Action used to deliver this message.
{action_invocation_id} Unique id for the invocation of the action, which can be correlated with the activity logs.
{event_count} The number of events from the trigger.
{url} A URL to open LogScale with the trigger's query.
{query_result_summary} {events_str} Events encoded as a string.
{query_string} The query of the trigger.
{query_start_s} The actual query start time as Unix Time in seconds with 3 decimals.
{query_end_s} The actual query end time as Unix Time in seconds with 3 decimals.
{query_time_start} The specified query start time (e.g. 10m).
{query_time_end} The specified query end time (e.g. now).
{query_time_interval} The specified time interval for the trigger's query (e.g. 10m -> now).
{query_start_ms} The actual query start time as Unix Time in milliseconds.
{query_end_ms} The actual query end time as Unix Time in milliseconds.
{query_start_datetime} The actual query start time formatted as ISO 8601.
{query_end_datetime} The actual query end time formatted as ISO 8601.
{warnings} Any warnings that were generated by the query.
{repo_name} The name of the repository in which the query was executed.
{events} Events encoded as a JSON array of event objects.
{events_html} Events encoded as an HTML table inside <table> tags. All fields from all events are shown as columns. The columns are ordered by the order the fields are encountered, starting with the fields from the first event. If you want fewer fields, in Standard Alerts or Scheduled Search queries you can remove them using functions such as table(), select() or drop(). You can also specify the order of the fields using table() or select() functions. in Filter Alert queries you cannot use table()); @id and @ingesttimestamp fields cannot be removed.
{schedule} The cron schedule which the triggering search was executed according to. Only applicable when triggered by a Scheduled Searches.
{time_zone} The time zone that the triggering search is performed within. Only applicable when triggered by a Scheduled Searches.
{trigger_type} Can either be 'Standard Alert', 'Filter Alert', or 'Scheduled Search' depending on which triggered the action.

In the above table, some placeholders, like {alert_id} and {id}, evaluate to the same value.

Note

Be aware that for placeholders which evaluate to some formatted version of the query result, like {query_result_summary}, {events_str}, {events} and {events_html}, you will by default receive a maximum of 200 events. This maximum is also applied to {event_count}. If you want a larger part of the query result in your message, you can append your query with | tail(x), where x is the number of events you wish to receive. You can also use {url} to include a link to run the search in LogScale, where it is possible to view the full query result.

It is also possible to use these placeholders in the name and description fields of your trigger. This is useful, if you want to use the same Action for multiple triggers, and you want different templates for the different triggers. As an example, you can use different {field:FIELD_NAME} placeholders in the name for the triggers to extract the value of different fields, and then use {name}/{alert_name} in the Action to get the trigger names with the placeholders replaced.

You can also use this feature to save yourself from having to write near-identical triggers, if you use an Action where you cannot specify the message template. This is currently the Actions Action Type: OpsGenie, Action Type: PagerDuty and Action Type: VictorOps (Splunk On-Call). These all use the trigger name as part of the message. Also, the default email subject and email template for the Action Type: Email Action uses the trigger name.

Note

The {field:FIELD_NAME} placeholder will only extract the value of the field from the first event from the trigger.

Formatting Messages

Messages can be formatted within the message template using HTML tags. This is especially helpful when building email messages where clients are capable of receiving and displaying HTML content in it's formatted form.

Without using HTML, messages can be displayed as a single line of information. For example, the template:

Summary: LogScale inbound robust alert ticket demo

Full alert description:
     Timestamp: {triggered_timestamp}
     Repository: {repo_name}
     Alert name: {name}
     Description: {description}
     Alert link: {url}

Even though the source material has newlines, in an email client this may be displayed as a single line:

Summary: LogScale inbound robust alert ticket demo  Full alert description:     Timestamp: {triggered_timestamp}     Repository: {repo_name}     Alert name: {name}     Description: {description}     Alert link: {url}

To convert to HTML, set the Message body template to the following HTML alternative:

<html>
<body>
<h2>Summary: LogScale inbound robust alert ticket demo </h3>
<h3>Full alert description: </h3>
<p>
Timestamp: {triggered_timestamp} <br>
Repository: {repo_name} <br>
Alert name: {name} <br>
Description: {description} <br>
Alert link: <a href="{url}">LogScale Alert Link</a> <br>
</p>
</body>
</html>

The paragraph and manual line breaks, using <br> will be honored.

The use of <br> as a manual line break will work in most message templates.