Log Service allows you to customize notification content when you configure an alert template.

Template variables

When you configure an alert template, you can add template variables to the titles and bodies of notifications. When Log Service sends an alert notification, it replaces the template variables with actual values. For example, Log Service replaces the ${project} variable with the name of an actual project. For more information, see Template variables.

Each time an alert is triggered, Log Service automatically generates the alert context and stores it in the Results field. All the fields in the Results field can be referenced as template variables. For more information, see Fields in alert rule evaluation logs.

  • Fields of the array type are referenced in the ${results[{index}]} format. {index} indicates an array subscript, which starts from 0. For example, ${results[0]} indicates that the first element in the Results array is referenced.
  • Fields of the object type are referenced in the ${object.key} format. For example, ${results[0].StartTimeTs} indicates that the timestamp of 1542453580 is referenced.
Note RawResults and FireResult in Results are case-sensitive. Other fields in Results are not case-sensitive. The fields in RawResults and FireResult are query results.

Example of the Results field:

{
  "EndTime": "2006-01-02 15:04:05",
  "EndTimeTs": 1542507580,
  "FireResult": {
    "__time__": "1542453580",
    "field": "value1",
    "count": "100"
  },
  "FireResultAsKv": "[field:value1,count:100]",
  "Truncated": false,
  "LogStore": "test-logstore",
  "Query": "* | SELECT field, count(1) group by field",
  "QueryUrl": "http://xxxx",
  "RawResultCount": 2,
  "RawResults": [
    {
      "__time__": "1542453580",
      "field": "value1",
      "count": "100"
    },
    {
      "__time__": "1542453580",
      "field": "value2",
      "count": "20"
    }
  ],
  "RawResultsAsKv": "[field:value1,count:100],[field:value2,count:20]",
  "StartTime": "2006-01-02 15:04:05",
  "StartTimeTs": 1542453580
}
  • Fields of the array type are referenced in the ${results[{index}]} format. {index} indicates an array subscript, which starts from 0. For example, ${results[0]} indicates that the first element in the Results array is referenced.
  • Fields of the object type are referenced in the ${object.key} format. For example, ${results[0].StartTimeTs} indicates that the timestamp of 1542453580 is referenced.

Content formatting

  • DingTalk

    DingTalk messages support the Markdown syntax. The following elements are available:

    • Heading
      # Level 1 heading
      ## Level 2 heading
      ### Level 3 heading
      #### Level 4 heading
      ##### Level 5 heading
      ###### Level 6 heading
    • Reference
      > A man who stands for nothing will fall for anything.
    • Bold and italic text
      **bold**
      *italic*
    • Link
      [this is a link](http://name.com)
    • Image
      ![](http://name.com/pic.jpg)
    • Unordered list
      - item1
      - item2
    • Ordered list
      1. item1
      2. item2
  • Enterprise WeChat

    Enterprise WeChat messages support the Markdown syntax. The following elements are available:

    Notice \n\n in Enterprise WeChat messages are rendered as \n. If you want to add a blank line between the lines in messages, you must use \n\n\n.
    • Heading
      # Level 1 heading
      ## Level 2 heading
      ### Level 3 heading
      #### Level 4 heading
      ##### Level 5 heading
      ###### Level 6 heading
    • Bold text
      **bold**
    • Link
      [This is a link](http://work.weixin.qq.com/api/doc)
    • Inline code segment
      `code`
    • Reference
      > Referenced text
    • Font color

      Only three preconfigured colors are supported.

      <font color="info">Green</font>
      <font color="comment">Gray</font>
      <font color="warning">Orange red</font>
  • Lark

    Lark messages support the Markdown syntax. The following elements are available:

    • Bold text
      **Bold**
    • Italic text
      *Italic*
    • Strikethrough text
      ~~Strikethrough~~
    • Hyperlink
      <a>https://open.feishu.cn</a>
    • Text link
      [Development documentation](https://open.feishu.cn)
    • Image
      ![hover_text](image_key)
    • Separator line
      \n---\n
  • Slack

    Incoming webhooks in Slack support only a part of the Markdown syntax. For more information, see Slack Markdown Reference.

  • Webhook

    Webhooks support sending one message at a time or combining multiple messages to send at the same time.

    • Send one message at a time:
      {
        "Project": "${project}",
        "Alert name": "${alert_name}"
      }
    • Combine multiple messages to send at the same time:
      [
        {
          "Project": "project-name1",
          "Alert name": "alert-name1"
        },
        {
          "Project": "project-name2",
          "Alert name": "alert-name2"
        }
      ]
  • Email
    Emails support HTML tags. For more information, see HTML. Examples:
    • Use <br> as a line feed.
    • Use <a href="${query_url}">Details</a> to add a link. You can click the link to view alert details.
    • Use <strong>${severity}</strong> to display the severity of an alert in bold text.