Custom Event Notification Template¶
Through template syntax, you can customize event notification content:
- Dynamic rendering: Use {{ field name }} to directly insert alert fields (e.g., {{ host }}, {{ df_status }})
- Data processing: Format data through {{ variable | function() }} (e.g., timestamp to date, number to percentage)
- Conditional branching: Use {% if ... %} to achieve differentiated notifications for different statuses
- Real-time query: Embed DQL ("query statement") to obtain related data (e.g., host IP, application information)
Basic Template Variables¶
The basic syntax for template variables is {{ field name }}
, which can be used to render dynamic information related to events. The following are common template variables and their uses:
Template Variable | Type | Description |
---|---|---|
date , timestamp |
Integer | Event generation time. Unit is seconds |
df_date_range |
Integer | Time range. Unit is seconds |
df_check_range_start |
Integer | Detection range start time. Unix timestamp, unit is seconds |
df_check_range_end |
Integer | Detection range end time. Unix timestamp, unit is seconds |
df_status |
String(Enum) | Event status, possible values: critical error warning ok nodata |
df_event_id |
String | Event unique ID |
df_event_link |
String | Event details page link address |
df_dimension_tags |
String | Event dimensions. Used to identify detection objects E.g.: {"host":"web-001"} |
df_monitor_id |
String | Alert strategy ID |
df_monitor_name |
String | Alert strategy name |
df_monitor_checker_id |
String | Monitor ID |
df_monitor_checker_name |
String | Monitor name |
df_monitor_checker_value |
String | Detection value, i.e., the value detected by the monitor |
df_monitor_checker_event_ref |
String | Monitor event association. Calculated based on monitor ID, event df_dimension_tags |
df_fault_id |
String | Current fault ID, the value is the df_event_id of the first fault event |
df_fault_status |
String(Enum) | Current fault status, a redundant field of df_status . Possible values: ok fault |
df_fault_start_time |
Integer | Current fault occurrence time. Unix timestamp, unit is seconds |
df_fault_duration |
Integer | Current fault duration. Unit is seconds |
df_user_id |
String | Operator user ID during manual recovery |
df_user_name |
String | Operator user name during manual recovery |
df_user_email |
String | Operator user email during manual recovery |
df_crontab_exec_mode |
String(Enum) | Monitor running mode, possible values: crontab manual |
df_site_name |
String | CurrentGuance node name |
df_workspace_name |
String | Belonging workspace name |
df_workspace_uuid |
String | Belonging workspace ID |
df_label |
List | Monitor label list |
df_check_condition |
Dict | Satisfied detection conditions |
df_check_detail |
Dict | Applicable to mutation detection, representing the original value compared with the mutation. Contains three fields: change_value )comparison_value )detection_value ) |
df_check_condition.operator |
String | Satisfied detection condition operator, e.g.: > , >= , etc. |
df_check_condition.operands |
List | Satisfied detection condition operand list. Generally, there is only 1 operand, but operators like between have 2 operands |
df_check_condition.operands[#] |
Integer, Float | Satisfied detection condition operand |
Result |
Integer, Float | Detected value, same as df_monitor_checker_value , but the field type is the original type during detection, not forcibly converted to String |
df_dimension_tags fields |
String | Each field in df_dimension_tags will be extracted |
df_event |
Dict | Complete event data |
df_studio_env_name |
Current environment name | |
df_studio_console_base_url |
Current environment console address | |
df_studio_monitor_base_link |
Current environment monitor address |
Template Variable Example¶
Assume the monitor by
is configured with region
and host
, and the event content template is as follows:
Event name:
Event content:
- Region: {{ region }}
- Host: {{ host }}
- Level: {{ df_status }}
- Detection value: {{ Result }}
- Monitor: {{ df_monitor_checker_name }} (Alert strategy: {{ df_monitor_name }})
Then, after generating an error
event, the rendered event output is as follows:
Output event name:
Output event content:
- Region: hangzhou
- Host: web-001
- Level: error
- Detection value: 90.12345
- Monitor: Monitor001 (Alert strategy: Team001)
Special Scenario Variables¶
User Access Metric Detection¶
In User Access Metric Detection, in addition to the above general template variables, the following template variables are additionally supported:
Template Variable | Type | Description |
---|---|---|
app_id |
String | Application ID |
app_name |
String | Application name |
app_type |
String | Application type |
Special Character Field Handling¶
If the dimension
field in the detection configuration contains special characters (e.g., -
, @
), such as host-name
, @level
, it cannot be directly used as a normal variable name, which will cause template rendering to fail.
The solution is to use the following format for reference:
- Use
{{ df_event['host-name'] }}
instead of{{ host-name }}
- Use
{{ df_event['@level'] }}
instead of{{ @level }}
Template Functions¶
In addition to directly displaying field values in events, you can also use template functions to further process field values to optimize output.
The basic syntax is as follows:
Specific examples are as follows:
If the template function requires passing parameters, the syntax is as follows:
Warning
If you need to perform operations on template variables before using template functions, please add parentheses, e.g.:
The available template function list is as follows:
Template Function | Parameters | Description |
---|---|---|
to_datetime |
Timezone | Convert timestamp to date (default timezone is Asia/Shanghai )Example: {{ date | to_datetime }} Output: 2022-01-01 01:23:45 |
to_date_range_human |
Convert df_fault_duration to a readable formExample: {{ df_fault_duration | to_date_range_human }} Output: X days Y hours Z minutes W seconds |
|
to_status_human |
Convert df_status to a readable formExample: {{ df_status | to_status_human }} Output: Critical |
|
to_fixed |
Decimal places | Output number with fixed decimal places (default is 0 decimal places) Example: {{ Result | to_fixed(3) }} Output: 1.230 |
to_round |
Decimal places | Round number (default is 0 decimal places) Example: {{ Result | to_round(2) }} Output: 1.24 |
to_percent |
Decimal places | Output decimal as percentage (default is 0 decimal places) Example: {{ Result | to_percent(1) }} Output: 12.3% |
to_pretty_tags |
Beautify output tags Example: {{ df_dimension_tags | to_pretty_tags }} Output: region:hanghzou, host:web-001 |
|
limit_lines |
Limit lines | |
limit_chars / limit_text |
Limit characters | |
type_name |
Output data type name Example: {{ data | type_name }} Output: dict |
|
to_int |
Convert to integer Example: {{ data | to_int }}<br>Output: 1` |
|
to_float |
Convert to float Example: {{ data | to_float }} Output: 1.234 |
|
to_str |
Convert to string Example: {{ data | to_str }} Output: 1.234 |
|
to_json_dumps |
Convert to JSON serialized string Example: {{ data | to_json_dumps }} Output: {"key1":"value1","key2":"value2"} |
|
length |
Get data length Example: {{ data | length }} Output: 10 |
Template Function Example¶
For more details, visit Get Template Function Examples.
Assume the configured monitor by
is configured with region
and host
, and the alert configuration template is as follows:
Event name:
Event content:
- Object: {{ df_dimension_tags | to_pretty_tags }}
- Time: {{ date | to_datetime }}
- Level: {{ df_status | to_status_human }}
- Detection value: {{ (Result * 100) | to_round(2) }}
Then, after generating an error
event, the rendered event output is as follows:
Output event name:
Output event content:
- Detection object: region:hangzhou, host:web-001
- Detection time: 2022-01-01 01:23:45
- Fault level: Important
- Detection value: 9012.35
Template Branching¶
Templates also support using branching syntax to render different content based on conditions.
Template Branching Example¶
You can use the following syntax to implement branching:
{% if df_status == 'critical' %}
Critical issue, please handle immediately!
{% elif df_status == 'error' %}
Important issue, please handle
{% elif df_status == 'warning' %}
Possible issue, handle when available
{% elif df_status == 'nodata' %}
Data interruption, please handle immediately!
{% else %}
No problem!
{% endif %}
A more typical example is as follows:
{% if df_status != 'ok' %}
> Level: {{ df_status }}
> Host: {{ host }}
> Content: Elasticsearch JVM heap memory usage is {{ Result }}%
> Suggestion: Current JVM garbage collection cannot keep up with JVM garbage production, please check the business situation in time
{% else %}
> Level: {df_status}
> Host: {host}
> Content: Elasticsearch JVM heap memory alert has been restored
{% endif %}
Embedded DQL Query Function¶
In some cases, using only template variables cannot meet rendering requirements. At this time, you can use the embedded DQL query function to implement additional data queries.
The embedded DQL query function supports executing any DQL statement within the current detection time range in the current workspace. Generally, the first piece of data obtained from the query can be used as a template variable in the template, as follows:
Embedded DQL Query Example¶
The following embedded DQL statement queries data with the host
field as "my_server"
and assigns the first piece of data to the dql_data
variable:
{% set dql_data = DQL("O::HOST:(host, host_ip, os, datakit_ver) { host = 'my_server' }") %}
Host OS: {{ dql_data.os }}
After this, you can use {{ dql_data.os }}
in the template to output specific fields in the query result.
Passing Parameters to Embedded DQL¶
Sometimes, executing a DQL statement requires passing parameters. These parameters can be directly embedded in the DQL statement, and you can choose whether to add by
filtering. However, the writing method is slightly different. Usually, when referencing variables, {df_status}
is used. But in DQL statements, you should directly use the variable name without adding {{ }}
, so the final writing method is status
.
Assume the monitor by
is configured with region
and host
, and the event content template is as follows:
{% set dql_data = DQL("O::HOST:(host_ip, os) { region = ?, host = ? }", region, host) %}
Host information:
IP: {{ dql_data.host_ip }}
OS: {{ dql_data.os }}
Since the event only contains region
and host
template variables to mark different data, it does not contain more information such as IP address, operating system, etc.
Then, using embedded DQL, you can obtain corresponding data through region
and host
as DQL query parameters, and use {{ dql_data.host_ip }}
to output associated information.
Embedded DQL Query Function Details¶
The embedded DQL query function call format is as follows:
- The first parameter is the DQL statement, which can contain parameter placeholders
?
- Subsequent parameters are parameter values or variables for the DQL statement
When the parameter placeholder ?
is replaced with a specific value, the system will automatically escape it.
Assume the variable host
value is "my_server"
, then the embedded DQL function and the final executed DQL statement are as follows:
Warning
- Embedded DQL queries should be placed at the beginning of the template
- The query result name (here is
dql_data
) follows the naming requirements of general programming languages, which can be any English letter starting and only contain English letters, numbers, and underscores, not recommended to use emoji. - The query result name should not be the same as any existing template variable or template function, otherwise unpredictable problems may occur
- If you use functions on fields in DQL, it is recommended to use
AS
to alias fields for easy subsequent use (e.g.:O::HOST:( last(host) AS last_host )
). - If the field name in DQL contains special characters, like template variables, you should use
{{ dql_data['host-name'] }}
,{{ dql_data['@level'] }}
for rendering.