Message Templates and Variables
LogScale uses message templates to create the messages sent by actions. They currently apply to the Slack, Email and Webhooks types. Furthermore, the name and description fields of alerts and scheduled searches can also include message templates. The template engine is a simple search/replace model, where the `{...}`-marked placeholders are replaced with context-aware variables.
See the list below for an explanation of the placeholders:
| Placeholders | Description |
|---|---|
| `{field:$FIELD_NAME}` | Extracts the value of `$FIELD_NAME` from the field in the first event from the trigger. Put field names with spaces in double quotes, `{field:"My Field"}`. |
| `{field_raw:$FIELD_NAME}` | Extracts the value of `$FIELD_NAME` from the field in the first event from the trigger without JSON escaping it. Put field names with spaces in double quotes, `{field_raw:"My Field"}`. |
| `{name}`, `{alert_name}` | The user-made name of the trigger. |
| `{description}`, `{alert_description}` | A user-made description of the trigger. |
| `{triggered_timestamp}`, `{alert_triggered_timestamp}` | The time at which the trigger was triggered, formatted as ISO 8601. |
| `{id}`, `{alert_id}` | The id of the trigger. |
| `{action_id}`, `{alert_notifier_id}` | The id of the Action used to deliver this message. |
| `{event_count}` | The number of events from the trigger. |
| `{url}` | A URL to open LogScale with the trigger's query. |
| `{query_result_summary}` | Events encoded as a string. |
| `{query_string}` | The query of the trigger. |
| `{query_start_s}` | The actual query start time as Unix Time in seconds with 3 decimals. |
| `{query_end_s}` | The actual query end time as Unix Time in seconds with 3 decimals. |
| `{query_time_start}` | The specified query start time (e.g. 10m). |
| `{query_time_end}` | The specified query end time (e.g. now). |
| `{query_time_interval}` | The specified time interval for the Alert's query (e.g. 10m -> now). |
| `{query_start_ms}` | The actual query start time as Unix Time in milliseconds. |
| `{query_end_ms}` | The actual query end time as Unix Time in milliseconds. |
| `{query_start_datetime}` | The actual query start time formatted as ISO 8601. |
| `{query_end_datetime}` | The actual query end time formatted as ISO 8601. |
| `{warnings}` | Any warnings that were generated by the query. Note that by default, triggers will not trigger if there are warnings from the query; see Setting Alert Throttle Periods and Scheduled Searches. |
| `{repo_name}` | The name of the repository in which the query was executed. |
| `{events_str}` | Events encoded as a string. |
| `{events}` | Events encoded as a JSON array of event objects. |
| `{events_html}` | Events encoded as an HTML table inside `<table>` tags. All fields from all events are shown as columns. The columns are ordered by the order in which the fields are encountered, starting with the fields from the first event. If you want fewer fields, remove them in the Alert query using e.g. `table()`, `select()` or `drop()`. You can also specify the order of the fields using `table()` or `select()`. |
| `{schedule}` | The cron schedule according to which the triggering search was executed. Only applicable when triggered by a Scheduled Search. |
| `{time_zone}` | The time zone within which the triggering search is performed. Only applicable when triggered by a Scheduled Search. |
| `{trigger_type}` | Either 'Alert' or 'Scheduled Search', depending on which triggered the action. |
In the above table, some placeholders, like `{alert_id}` and `{id}`, evaluate to the same value. This is, however, only the case when running LogScale version 1.19 or later. For earlier versions, only the variant with the `alert_` prefix will work.
Note
Be aware that for placeholders which evaluate to some formatted version of the query result, like `{query_result_summary}`, `{events_str}`, `{events}` and `{events_html}`, you will by default receive a maximum of 200 events. This maximum is also applied to `{event_count}`. If you want a larger part of the query result in your message, you can append your query with `| tail(x)`, where `x` is the number of events you wish to receive. You can also use `{url}` to include a link to run the search in LogScale, where it is possible to view the full query result.
It is also possible to use these placeholders in the name and description fields of your trigger. This is useful if you want to use the same Action for multiple triggers, but with different templates for the different triggers. As an example, you can use different `{field:$FIELD_NAME}` placeholders in the names of the triggers to extract the value of different fields, and then use `{name}`/`{alert_name}` in the Action to get the trigger names with the placeholders replaced.
You can also use this feature to save yourself from having to write near-identical triggers, if you use an Action where you cannot specify the message template. Currently these are the OpsGenie, PagerDuty and VictorOps (Splunk On-Call) Actions, which all use the trigger name as part of the message. The default email subject and email template for the Email Action also use the trigger name.
Note
The `{field:$FIELD_NAME}` placeholder will only extract the value of the field from the first event from the trigger.
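The following is an added example, not LogScale's own code: a toy renderer that follows the placeholder rules described on this page (first-event-only `{field:...}`, quoted field names with spaces, `{field_raw:...}` skipping JSON escaping, the 200-event default cap, and the two-stage resolution of placeholders in the trigger name before `{name}` is substituted in the Action). The sample events, the hypothetical `render`/`render_action`/`webhook_body_parses` helpers and the `{"text": ...}` webhook body shape are all constructed for illustration; the last helper shows why the JSON-escaped `{field:...}` variant is the safe choice when a placeholder sits inside a JSON webhook body.

```python
import json
import re

# Constructed sample input (not real LogScale output): two events handed to an action.
# The first event's msg contains double quotes, which matters for field vs field_raw.
SAMPLE_EVENTS = [
    {"@timestamp": 1700000000000, "user": "eve", "My Field": "x", "msg": 'login "failed"'},
    {"@timestamp": 1700000001000, "user": "bob", "My Field": "y", "msg": "ok"},
]

# Matches {field:NAME}, {field:"Name With Spaces"}, {field_raw:...} and simple {word} placeholders.
PLACEHOLDER = re.compile(r'\{(field|field_raw):(?:"([^"]*)"|([^}"]+))\}|\{(\w+)\}')


def render(template, events, name="", max_events=200):
    """Toy search/replace renderer following the documented rules (hypothetical, not LogScale's)."""
    shown = events[:max_events]  # documented default cap: at most 200 events in the message
    simple = {
        "name": name,
        "alert_name": name,
        "event_count": str(len(shown)),  # the cap applies to {event_count} as well
        "events": json.dumps(shown),      # {events}: JSON array of event objects
    }

    def repl(match):
        kind, quoted, bare, simple_name = match.groups()
        if kind:  # {field:...} / {field_raw:...} read the FIRST event only
            field = quoted if quoted is not None else bare
            value = str(events[0].get(field, "")) if events else ""
            if kind == "field":
                # JSON-escape the value; json.dumps adds surrounding quotes, so strip them
                return json.dumps(value)[1:-1]
            return value  # field_raw: inserted verbatim, no escaping
        return simple.get(simple_name, match.group(0))  # unknown placeholders are left as-is

    return PLACEHOLDER.sub(repl, template)


def render_action(action_template, trigger_name, events):
    """Resolve placeholders in the trigger name first, then feed it to {name}/{alert_name}."""
    return render(action_template, events, name=render(trigger_name, events))


def webhook_body_parses(template, events):
    """Render TEMPLATE inside a constructed JSON webhook body and report whether the body
    is still valid JSON: {field:...} keeps it valid, {field_raw:...} lets quotes break it."""
    body = '{"text": "' + render(template, events) + '"}'
    try:
        json.loads(body)
        return True
    except json.JSONDecodeError:
        return False
```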