Custom Event Notification Templates¶

When specifying event content, template syntax is supported. Users can use template variables to render dynamic text.

Template Variables¶

The syntax for rendering variables is {{ field_name }}, and the following event fields can be used for text rendering:

Template Variable	Type	Description
`date`, `timestamp`	Integer	Event generation time. Units are in seconds
`df_date_range`	Integer	Time range. Units are in seconds
`df_check_range_start`	Integer	Detection range start time. Unix timestamp, units are in seconds
`df_check_range_end`	Integer	Detection range end time. Unix timestamp, units are in seconds
`df_status`	String(Enum)	Event status, possible values: Emergency `critical` Important `error` Warning `warning` Normal `ok` Data interruption `nodata`
`df_event_id`	String	Unique event ID
`df_event_link`	String	Event details page link address
`df_dimension_tags`	String	Event dimensions. Used to identify the detection object Example: `{"host":"web-001"}`
`df_monitor_id`	String	Alert strategy ID If there is a question about the detection, you can send this ID to us
`df_monitor_name`	String	Alert strategy name
`df_monitor_checker_id`	String	Monitor ID If there is a question about the detection, you can send this ID to us
`df_monitor_checker_name`	String	Monitor name
`df_monitor_checker_value`	String	Detection value, i.e., the value detected by the monitor Note: The detection value will be forcibly converted to a String type to ensure compatibility
`df_monitor_checker_event_ref`	String	Monitor event association. Calculated based on the monitor ID and event `df_dimension_tags`
`df_fault_id`	String	Fault ID for this round, taking the value of the first fault event's `df_event_id`
`df_fault_status`	String(Enum)	Fault status for this round, redundant field of `df_status`, possible values: Normal `ok` Fault `fault`
`df_fault_start_time`	Integer	Fault occurrence time for this round. Unix timestamp, units are in seconds
`df_fault_duration`	Integer	Fault duration for this round. Units are in seconds
`df_user_id`	String	Operator user ID when manually recovering
`df_user_name`	String	Operator user name when manually recovering
`df_user_email`	String	Operator user email when manually recovering
`df_crontab_exec_mode`	String(Enum)	Monitor execution mode, possible values: Automatic trigger `crontab` Manual execution `manual`
`df_site_name`	String	Current Guance node name
`df_workspace_name`	String	Belonging workspace name
`df_workspace_uuid`	String	Belonging workspace ID If there is a question about the detection, you can send this ID to us
`df_label`	List	Monitor label list
`df_check_condition`	Dict	Satisfied detection conditions
`df_check_condition.operator`	String	Operator that satisfies the detection condition, such as: `>`、`>=` etc
`df_check_condition.operands`	List	Operand list that satisfies the detection condition. There is generally only 1 operand But operators like `between` have 2 operands
`df_check_condition.operands[#]`	Integer, Float	Operands that satisfy the detection condition
`Result`	Integer, Float	Detection value, same as `df_monitor_checker_value` which is the value detected at the time of generating this event, but the field type is the original type obtained during detection, not forcibly converted to String
{Each field in `df_dimension_tags`}	String	Each field in `df_dimension_tags` will be extracted
`df_event`	Dict	Complete event data

User Access Metrics Detection (RUM)¶

In User Access Metrics Detection (RUM), in addition to the above general template variables, the following additional template variables are supported:

Template Variable	Type	Description
`app_id`	String	Application ID
`app_name`	String	Application Name
`app_type`	String	Application Type

Template Variable Example¶

Assume the monitor by has configured region and host, and the event content template is as follows:

Event Name:

Monitor {{ df_monitor_checker_name }} found a fault in {{ df_dimension_tags }}

Event Content:

- Region: {{ region }}
- Host: {{ host }}
- Level: {{ df_status }}
- Detection Value: {{ Result }}
- Monitor: {{ df_monitor_checker_name }} (Alert Strategy: {{ df_monitor_name }})

Then, after an error event occurs, the rendered event output is as follows:

Output Event Name:

Monitor Monitor001 found {"region":"hangzhou","host":"web-001"} with a fault

Output Event Content:

- Region: hangzhou
- Host: web-001
- Level: error
- Detection Value: 90.12345
- Monitor: Monitor001 (Alert Strategy: Team001)

Fields Containing Special Characters Such As -, @¶

In some cases, the specified dimension field in the detection configuration may contain special characters such as -, @, e.g., host-name, @level.

According to the template syntax, these field names cannot be used as normal variable names, leading to inability to render properly.

At this point, you can use {{ df_event['host-name'] }}, {{ df_event['@level'] }} instead of {{ host-name }}, {{ @level }}.

Template Functions¶

In addition to directly displaying field values from events, template functions can be used to further process field values and optimize output.

The basic syntax is as follows:

{{ <template_variable> | <template_function> }}

Specific examples are as follows:

Event generation time: {{ date | to_datetime }}

If the template function requires parameters, then the syntax is as follows:

Event generation time: {{ date | to_datetime('America/Chicago') }}

Warning

If you need to perform calculations on template variables before using template functions, don't forget to add parentheses, such as:

CPU Usage: {{ (Result * 100) | to_round(2) }}

The list of available template functions is as follows:

Template Function	Parameter	Description
`to_datetime`	Timezone	Converts a timestamp to a date (default timezone is `Asia/Shanghai`) Example: `{{ date \| to_datetime }}` Output: `2022-01-01 01:23:45`
`to_status_human`		Converts `df_status` to a human-readable form Example: `{{ df_status \| to_status_human }}` Output: `Critical`
`to_fixed`	Decimal places	Outputs numbers with fixed decimal places (default keeps 0 decimal places) Example: `{{ Result \| to_fixed(3) }}` Output: `1.230`
`to_round`	Decimal places	Rounds numbers (default keeps 0 decimal places) Example: `{{ Result \| to_round(2) }}` Output: `1.24`
`to_percent`	Decimal places	Converts decimals to percentages (default keeps 0 decimal places) Example: `{{ Result \| to_percent(1) }}` Output: `12.3%`
`to_pretty_tags`		Beautifies tag output Example: `{{ df_dimension_tags \| to_pretty_tags }}` Output: `region:hanghzou, host:web-001`
`to_date_range_human`		Converts `df_fault_duration` into a readable format Example: `{{ df_fault_duration \| to_date_range_human }}` Output: `X days Y hours Z minutes W seconds`

Template Function Example¶

Assume the configured monitor by has configured region and host, and the alert configuration template is as follows:

Event Name:

Monitor {{ df_monitor_checker_name }} found a fault in {{ df_dimension_tags | to_pretty_tags }}

Event Content:

- Object: {{ df_dimension_tags | to_pretty_tags }}
- Time: {{ date | to_datetime }}
- Level: {{ df_status | to_status_human }}
- Detection Value: {{ (Result * 100) | to_round(2) }}

Then, after an error event occurs, the rendered event output is as follows:

Output Event Name:

Monitor MyMonitor found a fault in region:hangzhou, host:web-001

Output Event Content:

- Detection Object: region:hangzhou, host:web-001
- Detection Time: 2022-01-01 01:23:45
- Fault Level: Important
- Detection Value: 9012.35

Template Branches¶

Templates also support branch syntax to render different content based on conditions.

Template Branch Example¶

You can use the following syntax to implement branching functionality:

{% if df_status == 'critical' %}
Urgent issue, please handle immediately!
{% elif df_status == 'error' %}
Important issue, please handle
{% elif df_status == 'warning' %}
Possible issue, handle when free
{% elif df_status == 'nodata' %}
Data interruption, please handle immediately!
{% else %}
No issues!
{% endif %}

A more typical example is as follows:

{% if  df_status != 'ok' %}
> Level: {{ df_status }}
> Host: {{ host }}
> Content: Elasticsearch JVM heap memory usage is {{ Result }}%
> Recommendation: The current JVM garbage collection cannot keep up with the JVM garbage production, please check the business situation promptly

{% else %}
> Level: {df_status}
> Host: {host}
> Content: Elasticsearch JVM heap memory alert has been restored

{% endif %}

Embedded DQL Query Functions¶

In some cases, using only template variables does not meet the rendering requirements. At this point, embedded DQL query functions can be used to achieve additional data queries.

Embedded DQL query functions support executing any DQL statement within the detection time range of the current workspace. In most cases, the first piece of data obtained from the query can be used as a template variable in the template, and the usage method is as follows:

{% set dql_data = DQL("DQL statement to execute") %}

Some Field: {{ dql_data.some_field }}

Embedded DQL Query Example¶

The following embedded DQL statement queries data where the host field is "my_server" and assigns the first piece of data to the dql_data variable:

{% set dql_data = DQL("O::HOST:(host, host_ip, os, datakit_ver) { host = 'my_server' }") %}

Host OS: {{ dql_data.os }}

Subsequent templates can then use {{ dql_data.os }} to output specific fields from the query results.

Passing Parameters to Embedded DQL¶

Sometimes, the DQL statement to be executed requires passing parameters.

Assume the monitor by has configured region and host, and the event content template is as follows:

{% set dql_data = DQL("O::HOST:(host_ip, os) { region = ?, host = ? }", region, host) %}

Host Information:
IP: {{ dql_data.host_ip }}
OS: {{ dql_data.os }}

Since the event only contains region and host template variables used to mark different data, it does not include IP addresses, operating systems, or other more detailed information.

Then, using embedded DQL, you can obtain corresponding data by using region and host as DQL query parameters and use {{ dql_data.host_ip }} etc. to output associated information.

Details of Embedded DQL Query Functions¶

The call format for embedded DQL query functions is as follows:

DQL(dql, param_1, param_2, ...)

The first parameter is the DQL statement, which can include parameter placeholders ?
Subsequent parameters are the parameter values or variables for the DQL statement

The parameter placeholder ? is automatically escaped when replaced with a specific value.

Assuming the variable host has the value "my_server", the embedded DQL function and the final DQL statement executed are as follows:

DQL("O::HOST:(host, host_ip, os, datakit_ver) { host = ? }",  host)

O::HOST:(host, host_ip, os, datakit_ver) { host = 'my_server' }