Alert Variables
Variables are used as parameters that allow you to customize the JSON payload object of your alert notifications. These variables dynamically populate specific values from the alert configuration in the notification payload. For example, the {{TriggerType}} variable provides the current monitor status in the notification. When a notification is sent, the variables are replaced with values from the alert. For instance, if you specify {{Name}} in your JSON payload, it will be replaced with the actual name of the alert in the delivered payload.
Common variables for alerts
You can use the following built-in variables when specifying the notification payload for log and metric monitors and Scheduled Searches. They allow you to reference specific configurations of your monitor.
The table below lists each variable, its description, and the areas of the product where you can use it.
Variables must be enclosed by double curly brackets ({{ }}). Unresolved variables are given empty quotes "" as a value. All variables are case-insensitive.
Variable | Description | Monitors | Scheduled Searches |
---|---|---|---|
{{Name}} | The name of the alert. In the delivered payload, this variable is replaced with the Name you assigned to the alert when you created it. | ✅ | ✅ |
{{Description}} | The description of the alert. | ✅ | ✅ |
{{MonitorType}} | The type of alert, either Logs or Metrics. | ✅ | ✅ |
{{Query}} | The query used to run the alert. | ✅ | ✅ |
{{QueryURL}} | The URL to the logs or metrics query within Sumo Logic. | ✅ | ✅ |
{{ResultsJson}} | JSON object containing the query results that triggered the alert. A maximum of 200 aggregate results or 10 raw messages for this field can be sent via webhook. | ✅ | ✅ Not available with Email notifications |
{{ResultsJson.fieldName}} | The value of the specified field name. For example, the payload specification {{ResultsJson.client_ip}} had {{ResultsJson.errors}} errors would result in a subject line like this: 70.69.152.165 had 391 errors. A maximum of 200 aggregate results or 10 raw messages for this field can be sent via webhook. A field name must match (case-insensitive) the field from your search and must be alphanumeric characters, underscores, and spaces. If you have a field name that has an unsupported character, use the as operator to rename it. You can return a specific result by providing an array index value in bracket notation such as {{ResultsJson.fieldName}}[0] to return the first result. Reserved Fields: The following are reserved field names. They are generated by Sumo Logic during collection or search operations. | ✅ | ✅ Email notifications only return the first result. |
{{NumQueryResults}} | The number of results the query returned. Results can be raw messages, time-series, or aggregates. An aggregate query returns the number of aggregate results; displayed in the Aggregates tab of the Search page. A non-aggregate query returns the number of raw results; displayed in the Messages tab of the Log Search page. | ✅ | ✅ |
{{Id}} | The unique identifier of the monitor or search that triggered the alert. For example, 00000000000468D5. | ✅ | ✅ |
{{DetectionMethod}} | This is the type of Detection Method used to detect alerts. Values are based on static or outlier triggers and data type, either logs or metrics. The value will be either LogsStaticCondition, MetricsStaticCondition, LogsOutlierCondition, MetricsOutlierCondition, LogsMissingDataCondition, MetricsMissingDataCondition, or StaticCondition (deprecated). | ✅ | ✅ |
{{SloDashboardUrl}} | The URL to the SLO dashboard. | ✅ | ✅ |
{{TriggerType}} | The status of the alert or recovery. Alert will have either Normal, Critical, Warning, or Missing Data. Recovery will have either ResolvedCritical, ResolvedWarning, or ResolvedMissingData. | ✅ | ❌ |
{{TriggerTimeRange}} | The time range of the query that triggered the alert. For example, 07/13/2021 03:21:32 PM UTC to 07/13/2021 03:36:32 PM UTC | ✅ | ✅ |
{{TriggerCondition}} | The condition that triggered the alert. For example, Greater than or equal to 1.0 in the last 15 minutes | ✅ | ✅ |
{{TriggerValue}} | The value that triggered the alert. | ✅ | ✅ |
{{TriggerTimeStart}} | The start time of the time range that triggered the monitor in Unix format. For example, 1626189692042. | ✅ | ✅ |
{{TriggerTimeEnd}} | The end time of the time range that triggered the monitor in Unix format. For example, 1626190592042. | ✅ | ✅ |
{{SourceURL}} | The URL to the configuration or status page of the monitor in Sumo Logic. | ✅ | ❌ |
{{AlertResponseUrl}} | When your monitor is triggered, it generates a URL and provides it as the value of this variable, which you can use to open alert response. | ✅ | ❌ |
{{AlertName}} | Name of the alert that will be displayed on the alert page. | ✅ | ✅ |
{{Playbook}} | Allows you to access the playbook content configured as part of your initial monitor setup. | ✅ | ✅ |
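Because unresolved variables are delivered as "" instead of failing, a template can ship with a blank field that downstream triage relies on. The check below is an added example, not Sumo Logic code: it lints a payload template against the variable names and Scheduled Searches column of the tables on this page. `lint_template` and `SAMPLE` are hypothetical names, and treating a name missing from the tables as a problem is this example's assumption.

```python
import re

# Names from the common-variables table; value = usable in Scheduled Searches.
COMMON = {
    "Name": True, "Description": True, "MonitorType": True, "Query": True,
    "QueryURL": True, "ResultsJson": True, "NumQueryResults": True,
    "Id": True, "DetectionMethod": True, "SloDashboardUrl": True,
    "TriggerType": False, "TriggerTimeRange": True, "TriggerCondition": True,
    "TriggerValue": True, "TriggerTimeStart": True, "TriggerTimeEnd": True,
    "SourceURL": False, "AlertResponseUrl": False, "AlertName": True,
    "Playbook": True,
}
# Legacy names from the page's second table: accepted, no availability check.
LEGACY = ("SearchName", "SearchDescription", "SearchQuery", "SearchQueryUrl",
          "TimeRange", "FireTime", "AggregateResultsJson")
# Variable names are case-insensitive, so index them in lower case.
_LOOKUP = {k.lower(): (k, v) for k, v in COMMON.items()}
_LOOKUP.update({k.lower(): (k, True) for k in LEGACY})
_VAR = re.compile(r"\{\{(.*?)\}\}")
_FIELD = re.compile(r"[A-Za-z0-9_ ]+")  # characters allowed in a field name

# Constructed sample template (not taken from a real monitor).
SAMPLE = """{
  "alert": "{{Name}}",
  "status": "{{triggertype}}",
  "summary": "{{ResultsJson.client_ip}} had {{ResultsJson.errors}}[0] errors",
  "link": "{{QueryUrl}}",
  "sev": "{{Severity}}",
  "host": "{{ResultsJson.src-host}}"
}"""


def lint_template(template, scheduled_search=False):
    """Return (variable, problem) pairs for one payload template."""
    problems = []
    for raw in _VAR.findall(template):
        name, dot, field = raw.strip().partition(".")
        entry = _LOOKUP.get(name.strip().lower())
        if entry is None:
            problems.append((raw, "not a listed variable"))
            continue
        canonical, in_scheduled = entry
        if dot and canonical != "ResultsJson":
            problems.append((raw, "field syntax is documented only for ResultsJson"))
        elif dot and not _FIELD.fullmatch(field):
            problems.append((raw, "unsupported character in field name"))
        if scheduled_search and not in_scheduled:
            problems.append((raw, "not available in Scheduled Searches"))
    return problems
```

Run it over each template before saving a connection; pass `scheduled_search=True` when the template is attached to a Scheduled Search.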
Here are legacy variables available for alert notifications from metrics monitors and Scheduled Searches.
Variables | Description | Metrics Monitors | Scheduled Searches |
---|---|---|---|
{{SearchName}} | Description of the saved search or monitor. In the delivered payload, this variable is replaced with the Name you assigned to the search or monitor when you created it. | ✅ | ✅ |
{{SearchDescription}} | Description of the saved search or monitor. In the delivered payload, this variable is replaced by the Description you assigned to the search or monitor when you created it. | ✅ | ✅ |
{{SearchQuery}} | The query used to run the saved search. In the delivered payload, this variable is replaced by your saved search query or metric query. | ✅ | ✅ |
{{SearchQueryUrl}} | The URL to the search or metrics query. In the delivered payload, this is a URL that you can click to run the saved logs or metric query. | ✅ | ✅ |
{{TimeRange}} | The time range that triggered the alert. | ✅ | ✅ |
{{FireTime}} | The start time of the log search or metric query that triggered the notification. | ✅ | ✅ |
{{AggregateResultsJson}} | JSON object containing search aggregation results. A maximum of 200 aggregate results can be sent via webhook. |