AlertSource Variable Information Overload in Slack Connection

Follow
Avatar
Cameron Ditchfield
  • Edited

Hello,

I currently have a Slack connection set up for use by metric alerts with a payload that contains an {{AlertStatus}} field.
From my understanding of https://help.sumologic.com/Manage/Connections-and-Integrations/Webhook-Connections/Set-Up-Webhook-Connections {{AlertSource}} is only supposed to provide the metric and the _SourceHost fields. However, when an alert uses the connection the resulting message in Slack looks something like (censored with *):

 

...
Source
CPU_LoadAvg_15min from InstanceId=********* InstanceType=********* Name=********* Region=********* Renaming=********* _collector=********* _collectorId=********* _contentType=HostMetrics _source=Host`%`%Metrics _sourceCategory=hostmetrics _sourceHost=********* _sourceId=********* _sourceName=Host`%`%Metrics scheduler%``%ebs-snapshot=default
Description
...


Is there any way I can cut down on the number of fields that are displayed (preferably to only Name or _sourceHost)?
The collector providing the metrics of interest is an installed Sumo Logic collector running on an AWS EC2 instance in an account for which I have installed the Sumo Logic AWS Metadata collector as well as a Cloudwatch collector.


An example of a query I'm running is:
_sourceCategory=hostmetrics metric=Disk_Available DevName=tank Name=**********

0

Comments

3 comments

Sort by Date Votes
  • Avatar
    Brian Bozzello
    • Edited

    Hi Cameron,

    By default, {{AlertSource}} will include all tags associated with the alerting metric (we'll update the docs to correct that!). In the meantime, if you'd like to cut down on the fields, you can modify your query to aggregate by the tags of interest. For example:

    _sourceCategory=hostmetrics metric=Disk_Available DevName=tank Name=********** | sum by _sourceHost

    In that case, the Disk_Available will be summed up by each _sourceHost, and the resulting alert would only contain the specific host that triggered.

    Additionally, we have an outstanding feature request to allow you to choose the fields to show in a webhook payload from Metrics Monitors - feel free to vote and add comments here: https://ideas.sumologic.com/ideas/SL-I-2602

    Let me know if that helps!

    Thanks,

    Brian

    0
    Comment actions Permalink
  • Avatar
    Cameron Ditchfield

    Hello Brian,

    That's a cleaver trick!
    Due to some peculiarities of our setup summing by _sourceHost didn't work for me, but tacking on  "| sum by _collector, DevName, DirName" did the trick, and the Source message in alerts is looking much cleaner now.
    When I first saw your comment I didn't think this would work for me ("I don't want to modify the values in my time-series, I just want to get rid of columns in the legend!"), but thinking of sum as a merge operation (which any operation to exclude legend columns would have to do) made me realize what was going on.

    Cheers,
    Cameron

    0
    Comment actions Permalink
  • Avatar
    Brian Bozzello
    • Edited

    Great, glad that worked! Let me know if I can help answer any other questions.

    Brian

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post