Message Templates and Variables

Humio uses message templates to create the messages sent by Actions. They currently apply to Slack, Email and Webhooks Action. The template engine is a simple “search/replace” model, where the {_} marked placeholders are replaced with context-aware variables.

See the list for an explanation of the placeholders:

Placeholders

Description

{field:$FIELD_NAME}

Extracts the value of $FIELD_NAME from the field in the first event from the trigger. Put field names with spaces in double quotes, {fieldMy Field}.

{field_raw:$FIELD_NAME}

Extracts the value of $FIELD_NAME from the field in the first event from the trigger without JSON escaping it. Put field names with spaces in double quotes, {field_rawMy Field}.

{name}, {alert_name}

The user-made name of the trigger.

{description}, {alert_description}

A user-made description of the trigger.

{triggered_timestamp}, {alert_triggered_timestamp}

The time at which the trigger was triggered, formatted as ISO 8601.

{id}, {alert_id}

The id of the trigger.

{action_id}, {alert_notifier_id}

The id of the Action used to deliver this message.

{event_count}

The number of events from the trigger.

{url}

A URL to open Humio with the trigger’s query.

{query_result_summary}

Events encoded as a string.

{query_string}

The query of the trigger.

{query_time_start}

The specified query start time (e.g. 10m).

{query_time_end}

The specified query end time (e.g. now).

{query_time_interval}

The specified time interval for the Alert’s query (e.g. 10m -> now).

{query_start_ms}

The actual query start time as Unix Time in milliseconds.

{query_end_ms}

The actual query end time as Unix Time in milliseconds.

{warnings}

Any warnings that were generated by the query. Note that by default, triggers will not trigger if there are warnings from the query, see Alert Throttling and Scheduled Search.

{repo_name}

The name of the repository in which the query was executed.

{events_str}

Events encoded as a string.

{events}

Events encoded as a JSON array of event objects.

{events_html}

Events encoded as an HTML table inside <table> tags.<br/>All fields from all events are shown as columns. The columns are ordered by the order the fields are encountered, starting with the fields from the first event. If you want fewer fields, remove them in the Alert query using e.g. table(), select() or drop(). You can also specify the order of the fields using table() or select().

{schedule}

The cron schedule which the triggering search was executed according to. Only applicable when triggered by a Scheduled Search.

{time_zone}

The time zone that the triggering search is performed within. Only applicable when triggered by a Scheduled Search.

In the above table, some placeholders, like {alert_id} and {id}, evaluate to the same value. This is, however, only the case when running Humio version 1.19 or later. For earlier versions, only the variant with the alert_ prefix will work.

Note

Be aware that for placeholders which evaluate to some formatted version of the query result, like {query_result_summary}, {events_str}, {events} and {events_html}, you will per default receive a maximum of 200 events. This maximum is also applied to {event_count}. If you want a larger part of the query result in your message, you can append your query with | tail(x), where x is the number of events you wish to receive. You can also use {url} to include a link to run the search in Humio, where it is possible to view the full query result.

It is also possible to use these placeholders in the name and description fields of your trigger. This is useful, if you want to use the same Action for multiple triggers, and you want different templates for the different triggers. As an example, you can use different {field:$FIELD_NAME} placeholders in the name for the triggers to extract the value of different fields, and then use {name}/{alert_name} in the Action to get the trigger names with the placeholders replaced.

You can also use this feature to save yourself from having to write near-identical triggers, if you use an Action where you cannot specify the message template. This is currently the Actions OpsGenie, PagerDuty and VictorOps. These all use the trigger name as part of the message. Also, the default email subject and email template for the Email Action uses the trigger name.

Note

The {field:$FIELD_NAME} placeholder will only extract the value of the field from the first event from the trigger.