Alert Variables

Variables are used as parameters in the JSON payload object of your alert notifications. They dynamically populate the notification payload with values taken from the alert configuration, such as the TriggerType, which carries the current monitor status. When a notification is sent, each variable is replaced with the corresponding value from the alert. For example, if you specify {{Name}} in your JSON payload, it is replaced with the actual name of the alert in the delivered payload.

Common variables for alerts

You can use variables to customize your notification payload from Monitors and Scheduled Searches. The table below lists the variables, gives a brief description of each, and shows which area of the product supports it.

| Variable | Description | Monitors | Scheduled Searches |
|---|---|---|---|
| {{Name}} | The name of the alert. In the delivered payload, this variable is replaced with the Name you assigned to the alert when you created it. | Yes | Yes |
| {{Description}} | The description of the alert. | Yes | Yes |
| {{MonitorType}} | The type of alert, either Logs or Metrics. | Yes | Yes |
| {{Query}} | The query used to run the alert. | Yes | Yes |
| {{QueryURL}} | The URL to the logs or metrics query within Sumo Logic. | Yes | Yes |
| {{ResultsJson}} | JSON object containing the query results that triggered the alert. A maximum of 200 aggregate results or 10 raw messages for this field can be sent via webhook. Not available with Email notifications. | Yes | Yes |
| {{ResultsJson.fieldName}} | The value of the specified field name; see the notes on field names below this table. A maximum of 200 aggregate results or 10 raw messages for this field can be sent via webhook. Email notifications only return the first result. | Yes | Yes |
| {{NumQueryResults}} | The number of results the query returned. Results can be raw messages, time series, or aggregates. An aggregate query returns the number of aggregate results, as displayed in the Aggregates tab of the Search page. A non-aggregate query returns the number of raw results, as displayed in the Messages tab of the Search page. | Yes | Yes |
| {{Id}} | The unique identifier of the monitor or search that triggered the alert. For example, 00000000000468D5. | Yes | Yes |
| {{DetectionMethod}} | The type of Trigger Method used to detect alerts. At this time only Static threshold-based alerts are supported. | Yes | Yes |
| {{TriggerType}} | The status of the alert, either Normal, Critical, Warning, or Missing Data. | Yes | No |
| {{TriggerTimeRange}} | The time range of the query that triggered the alert. For example, 07/13/2021 03:21:32 PM UTC to 07/13/2021 03:36:32 PM UTC. | Yes | Yes |
| {{TriggerTime}} | The time the monitor was triggered. For example, 07/13/2021 03:38:30 PM UTC. | Yes | Yes |
| {{TriggerCondition}} | The condition that triggered the alert. For example, Greater than or equal to 1.0 in the last 15 minutes. | Yes | Yes |
| {{TriggerValue}} | The value that triggered the alert. | Yes | Yes |
| {{TriggerTimeStart}} | The start time of the time range that triggered the monitor, in Unix format. For example, 1626189692042. | Yes | Yes |
| {{TriggerTimeEnd}} | The end time of the time range that triggered the monitor, in Unix format. For example, 1626190592042. | Yes | Yes |
| {{SourceURL}} | The URL to the configuration or status page of the monitor in Sumo Logic. | Yes | No |

Using {{ResultsJson.fieldName}}

This variable returns the value of the specified field name. For example, this payload specification:

{{ResultsJson.client_ip}} had {{ResultsJson.errors}} errors

results in a subject line like this:

70.69.152.165 had 391 errors

A field name must match (case-insensitive) the field from your search and may contain only alphanumeric characters, underscores, and spaces. If a field name contains an unsupported character, use the as operator to rename it.

You can return a specific result by providing an array index value in bracket notation, for example {{ResultsJson.fieldName}}[0] to return the first result.

Reserved Fields

The following are reserved field names. They are generated by Sumo Logic during collection or search operations.
  • _raw
  • Message
  • _messagetime
  • Time
  • _sourcehost
  • Host
  • _sourcecategory
  • Category
  • _sourcename
  • Name
  • _collector
  • Collector
  • _timeslice
  • _signature
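The following is an added example, not Sumo Logic's own code: a small Python simulator for previewing a notification template offline. It applies the rules stated above, the case-insensitive field match for {{ResultsJson.fieldName}}, the rejection of field names with unsupported characters, the [index] notation, and the 200 aggregate / 10 raw message webhook cap. The sample alert values are constructed, and the choices that unknown variables are left untouched and that a field without an index renders the first result are assumptions.

```python
import json
import re

# Constructed sample alert with made-up values; not real Sumo Logic output.
SAMPLE_ALERT = {
    "Name": "Failed SSH logins spike",
    "TriggerType": "Critical",
    "TriggerTimeRange": "07/13/2021 03:21:32 PM UTC to 07/13/2021 03:36:32 PM UTC",
    "ResultsJson": [
        {"client_ip": "70.69.152.165", "errors": 391},
        {"client_ip": "203.0.113.9", "errors": 120},
    ],
}

# {{Var}}, {{Var.field name}} and the optional trailing [index] from the page.
VAR_RE = re.compile(r"\{\{(\w+)(?:\.([^}]+))?\}\}(?:\[(\d+)\])?")
FIELD_NAME_RE = re.compile(r"^[A-Za-z0-9_ ]+$")  # alphanumerics, underscores, spaces
MAX_AGGREGATE, MAX_RAW = 200, 10                  # webhook limits stated on the page

def cap_results(rows, aggregate=True):
    """Apply the webhook limit: 200 aggregate results or 10 raw messages."""
    return rows[: MAX_AGGREGATE if aggregate else MAX_RAW]

def field_value(row, field):
    """Case-insensitive field lookup; rejects names the page says need renaming."""
    if not FIELD_NAME_RE.match(field):
        raise ValueError(f"field {field!r} has unsupported characters; rename it with 'as'")
    for key, value in row.items():
        if key.lower() == field.lower():
            return value
    raise KeyError(field)

def render(template, alert):
    """Substitute {{...}} variables in a notification template (simulator, not Sumo's code)."""
    def substitute(m):
        var, field, idx = m.group(1), m.group(2), m.group(3)
        if var not in alert:
            return m.group(0)  # unknown variable left untouched (assumption)
        value = alert[var]
        if field is None:
            return value if isinstance(value, str) else json.dumps(value)
        rows = value if isinstance(value, list) else [value]
        row = rows[int(idx) if idx is not None else 0]  # first row by default (assumption)
        return str(field_value(row, field))
    return VAR_RE.sub(substitute, template)

def render_json_payload(template, alert):
    """Render a webhook template and check that the result still parses as JSON."""
    return json.loads(render(template, alert))
```

Rendering a webhook template through render_json_payload catches a template that stops being valid JSON after substitution before it reaches the receiving integration.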
Examples
Slack payload

```json
{
    "attachments": [
        {
            "pretext": "Sumo Logic Alert for: *{{Name}}* by user USERNAME",
            "fields": [
                {
                    "title": "Description",
                    "value": "{{Description}} {{TriggerTimeStart}}"
                },
                {
                    "title": "Query",
                    "value": "<{{QueryURL}}|{{Query}}>"
                },
                {
                    "title": "Time Range",
                    "value": "{{TriggerTimeRange}}"
                }
            ],
            "mrkdwn_in": ["text", "pretext"],
            "color": "#29A1E6"
        }
    ]
}
```

PagerDuty payload

```json
{
    "service_key": "xxxxx",
    "event_type": "trigger",
    "description": "Monitor Alert on {{Name}}",
    "client": "Sumo Logic",
    "details": {
        "name": "{{Name}}",
        "query": "<{{QueryURL}} | {{Query}}>",
        "time": "{{TriggerTimeRange}} -- {{TriggerTime}} --"
    }
}
```

Email message

Monitor Alert: {{TriggerTimeRange}} on {{Name}}

Legacy Variables

This section lists the legacy variables available for alert notifications from Metrics Monitors and Scheduled Searches. The following table shows where each legacy variable is supported.

| Variable | Description | Metrics Monitors | Scheduled Searches |
|---|---|---|---|
| {{SearchName}} | Name of the saved search or Monitor. In the delivered payload, this variable is replaced with the Name you assigned to the search or Monitor when you created it. | Yes | Yes |
| {{SearchDescription}} | Description of the saved search or Monitor. In the delivered payload, this variable is replaced by the Description you assigned to the search or Monitor when you created it. | Yes | Yes |
| {{SearchQuery}} | The query used to run the saved search. In the delivered payload, this variable is replaced by your saved search query or metric query. | Yes | Yes |
| {{SearchQueryUrl}} | The URL to the search or metrics query. In the delivered payload, this is a URL that you can click to run the saved logs or metric query. | Yes | Yes |
| {{TimeRange}} | The time range that triggered the alert. | Yes | Yes |
| {{FireTime}} | The start time of the log search or metric query that triggered the notification. | Yes | Yes |
| {{AggregateResultsJson}} | JSON object containing search aggregation results. A maximum of 200 aggregate results can be sent via webhook. Not available with Email notifications. | No | Yes |
| {{RawResultsJson}} | JSON object containing raw messages. A maximum of 10 raw messages can be sent via webhook. Not available with Email notifications. | No | Yes |
| {{NumRawResults}} | Number of results returned by the search. | No | Yes |
| {{Results.fieldname}} | The value returned from the search result for the specified field; see the notes below this table. A maximum of 200 aggregate results or 10 raw messages for this field can be sent via webhook. Email notifications only return the first result. | No | Yes |
| {{AlertThreshold}} | The condition that triggered the alert (for example, above 90 at least once in the last 5 minutes). | Yes | No |
| {{AlertSource}} | The metric and sourceHost that triggered the alert, including associated tags for that metric. | Yes | No |
| {{AlertSource.fieldname}} | The value returned from the AlertSource object for the specified field name. | Yes | No |
| {{AlertID}} | The ID of the triggered alert. | Yes | No |
| {{AlertStatus}} | Current status of the time series that triggered (for example, Critical or Warning). | Yes | No |
| {{AlertCondition}} | The condition that triggered the alert. | No | No |

Using {{Results.fieldname}}

This variable returns the value of the specified field from the search result. For example, this payload specification:

{{Results.client_ip}} had {{Results.errors}} errors

results in a subject line like this:

70.69.152.165 had 391 errors

A field name must match (case-insensitive) the field from your search and may contain only alphanumeric characters, underscores, and spaces. If a field name contains an unsupported character, use the as operator to rename it.