Support Center Home


Tokens Available in LogicModule Alert Messages

Overview

When defining alert messages or integrating alert data with external systems (e.g., ticketing or chat systems), tokens are available to customize the message or integration delivery to the current condition. These tokens are substituted at the time of generation so that the alert or integration delivery can include dynamic information.

The following article lists currently supported tokens and any available substitutions.

Note: Any tokens that reference dates and/or times are based on the time zone configured for the global LogicMonitor account (Settings > Account Information > Portal Settings). They are not based on the time zone configured in the alert recipient’s user account.

Token Types

  • Collector Down and Failover Tokens—Can be used in alert messages notifying you of a Collector down and failover to a backup Collector, if configured.
  • DataSource Tokens—Can be used in alert messages that originate from a datapoint defined by a DataSource.
  • Root Cause Analysis Tokens—Can be used in alert messages that undergo root cause analysis.
  • Website Tokens—Can be used in alert messages that originate from a monitored website.
  • JobMonitor Tokens—Can be used in alert messages that originate from a JobMonitor definition.
  • Cluster Alert Tokens—Can be used in alert messages that originate from a cluster alert (i.e., an alert that is triggered based on the status of a datapoint across multiple resources in a resource group).
  • EventSource Tokens—Can be used in alert messages that originate from an EventSource definition. The following types of EventSources have additional tokens available:
    • Windows Event Log Tokens
    • IPMI Event Tokens
    • SNMP Trap Tokens
    • Syslog Event Tokens
  • Alert Integration Tokens—Can be used when integrating alert data with external systems, such as ticketing or chat systems. For more information, see Alert Integrations Overview.

Available Tokens

The following table lists the available alert message tokens, organized by LogicModule or function:

TokenAvailable ForDescription
##<CUSTOMCOLLECTORPROPERTYNAME>##Collector Down and Failover TokensReturns the value of any custom properties that are assigned to the Collector itself (not its host device). Property names cannot contain spaces or dashes.
##<DEVICEPROPERTYNAME>##DataSource Tokens Substituted with the value of the associated device or instance property (either a custom or a system property). Surround the property name in double hash marks to use as a token. Property names cannot contain spaces or dashes.
##ADMIN##Alert Integration TokensThe user the alert was escalated to.
##AGENT_DESCRIPTION##Collector Down and Failover TokensThe name (description) of the Collector that has gone down.
##AGENT_DESCRIPTION##DataSource Tokens

EventSource Tokens

JobMonitor Tokens
The name (description) of the Collector that the device associated with the alert is assigned to
##AGENTID##Collector Down and FailoverThe ID of the Collector that has gone down.
##AGENTID##DataSource Tokens

EventSource Tokens

JobMonitor Tokens
The ID of the Collector that the device associated with the alert is assigned to
##ALERTDEPENDENCYROLE##DataSource Tokens

Root Cause Analysis Tokens
The role of the alert in the root cause incident.
##ALERTDETAILURL##Cluster Alert Tokens

Collector Down and Failover Tokens

DataSource Tokens

EventSource Tokens

JobMonitor Tokens

Website Tokens
The URL of the Alert Details page. From this page, the alert can be acknowledged, escalated, or put into SDT. By default, this URL is included at the top of all alert notifications sent via email or SMS.
##ALERTID##Cluster Alert Tokens

Collector Down and Failover Tokens

DataSource Tokens

EventSource Tokens

JobMonitor Tokens

Website Tokens
The LMDXXXX, LMSXXXX, etc. LogicMonitor alert ID. This ID is not unique per alert session. It is applied to all alerts triggered by a particular resource, website, LogicModule, instance, and datapoint combination. 
##ALERTSTATUS##DataSource TokensReports whether the alert is active, clear, ack, update, or test.
##ALERTTYPE##Alert Integration TokensThe type of alert: alert, eventAlert, batchJobAlert, hostClusterAlert, websiteAlert, agentDownAlert, agentFailoverAlert, agentFailBackAlert, alertThrottledAlert.
##AUTOFAILBACKENABLED##Collector Down and Failover TokensIndicates whether the Collector that has gone down is configured to automatically resume operations when it becomes available again.
##BACKUPAGENT_DESCRIPTION##Collector Down and Failover TokensThe name (description) of the failover Collector (if configured) for the Collector that has gone down.
##BACKUPAGENT_DESCRIPTION##DataSource Tokens

EventSource Tokens

JobMonitor Tokens
The name of the failover Collector (if configured) for the primary Collector associated with the resource.
##BACKUPAGENTID##Collector Down and Failover TokensThe ID of the failover Collector (if configured) for the Collector that has gone down.
##BACKUPAGENTID##DataSource Tokens

EventSource Tokens

JobMonitor Tokens
The ID of the failover Collector (if configured) for the primary Collector associated with the resource.
##BJDESCRIPTION##JobMonitor TokensThe JobMonitor description.
##CHECKPOINT##Website TokensThe checkpoint associated with the alert. This value will be ‘Overall’ if the alert was triggered based on checks at multiple locations.
##CMDLINE##JobMonitor TokensThe job command line.
##COLLECTORGROUP##Collector Down and Failover TokensThe name of the Collector group to which the alerting Collector belongs.
##DATAPOINT##Cluster Alert Tokens

DataSource Tokens
The name of the Datapoint that is in alert.
##DATASOURCE##Cluster Alert Tokens

DataSource Tokens
The DataSource display name (not to be confused with ##DSNAME##, which resolves to the DataSource name). In the case of a multi-instance DataSource, this token resolves to the fully qualified instance name (<DATASOURCE DISPLAY NAME>-<INSTANCE NAME>)
##DATASOURCE##EventSource TokensThe EventSource that triggered the alert.
##DATASOURCE##JobMonitor TokensThe JobMonitor name.
##DATE##EventSource (IPMI Event) Tokens The date of the event, as reported by the IPMI event log.
##DATE##Cluster Alert Tokens

DataSource Tokens

EventSource Tokens
The date the alert was sent.
##DATE##JobMonitor TokensThe date of the job execution.
##DEPENDENCYMESSAGE##DataSource Tokens

Root Cause Analysis Tokens
Represents all root cause details that accompany alerts that have undergone root cause analysis.
##DEPENDENTALERTCOUNT##DataSource Tokens

Root Cause Analysis Tokens
The number of alerts dependent on the current alert.
##DEPENDENTRESOURCECOUNT##DataSource Tokens

Root Cause Analysis Tokens
The number of resources dependent on the current alert.
##DETAIL##Website TokensThe details associated with the alert. For an alert notification at an individual location this will include the URL for the step that failed and the HTTP response for that step. For an overall alert this will include the number of checks that failed.
##DEVICEURL##DataSource Tokens

EventSource Tokens

JobMonitor Tokens
The URL link associated with the device. If not available, “null” is returned.
##DIRECTCAUSE##DataSource Tokens

Root Cause Analysis Tokens
The resources that are determined to be the direct cause of the current alert.
##DPDESCRIPTION##DataSource TokensThe description of the datapoint in the alert, from the DataSource definition (e.g., Percentage Used on the volume). If not available, “null” is returned.
##DSDESCRIPTION##DataSource TokensThe description of the DataSource in the alert (e.g., Monitors space usage on logical volumes). If not available, “null” is returned.
##DSDESCRIPTION##JobMonitor TokensThe JobMonitor description
##DSIDESCRIPTION##DataSource TokensThe description of the instance in the alert, as defined by Active Discovery or as manually set on the Instances tab of the Resource page. If not available, “null” is returned.
##DSNAME##Cluster Alert Tokens

DataSource Tokens
The DataSource name.
##DTALERTDESCRIPTION##DataSource TokensWhen dynamic thresholds trigger an alert, this token returns the details of the dynamic threshold configuration that was exceeded (e.g., 100 percent of values of datapoint memory_usage_percentage for last 5 polls deviated from upper band or lower band by a factor of 2.00, triggering a warning alert). This token is automatically referenced as part of the value of the ##THRESHOLD## token.
##DURATION##Cluster Alert Tokens

DataSource Tokens

EventSource Tokens
How long the alert has been in existence.
##END##Cluster Alert Tokens

DataSource Tokens

EventSource Tokens

JobMonitor Tokens

Website Tokens
Displays the cleared date and time for alert clear messages.
##ENTERPRISEOID##EventSource (SNMP Trap) TokensThe ID of the Collector that sent the trap (v1 traps only).
##EVENTCODE##EventSource (Windows Event Log) tokensWindows event ID.
##EVENTSOURCE##EventSource TokensThe EventSource that triggered the alert.
##EXITCODE##JobMonitor TokensExit code of the job.
##EXTERNALTICKETID##Alert Integration TokensThe ticket identifier, as created and returned by the external system.
##EXTERNALTICKETID##Cluster Alert Tokens

DataSource Tokens

EventSource Tokens

JobMonitor Tokens

Website Tokens
A list of integration ticket Ids and the associated integration name for each.
##FACILITY##EventSource (Syslog Event) TokensThe syslog facility of the event.
##FINISH##JobMonitor TokensThe time the job finished.
##GENERALCODE##EventSource (SNMP Trap) TokensThe SNMP general code in the trap (v1 traps only).
##GROUP##Cluster Alert Tokens

DataSource Tokens

EvenSource Tokens

JobMonitor Tokens
Shows groups this host or resource is a member of.
##HOST##DataSource Tokens

EventSource Tokens

JobMonitor Tokens
Substituted with the resource that is in the alert.
##HOSTDESCRIPTION##DataSource Tokens

EventSource Tokens

JobMonitor Tokens
The text description of the resource in the alert. If not available, “null” is returned.
##HOSTNAME##DataSource Tokens

EventSource Tokens

JobMonitor Tokens
The display name of the resource in the alert.
##INSTANCE##DataSource TokensThe name of the DataSource instance (e.g., “C:\”).
##INSTANCEGROUP##DataSource Tokens

JobMonitor Tokens
The name of the group to which the alerting instance belongs.
##INTERNALID##Alert Integration TokensReturns a unique alert ID (DSXXXXXXXX). This ID updates as alert severities change, even if severity change occurs within the same alert session. This token may be helpful in identifying and suppressing duplicate alert payloads that were incorrectly resent to your third-party event management system (usually as the result of a transmission timeout or failure).
##INTERNALID##Cluster Alert Tokens

DataSource Tokens

EventSource Tokens

JobMonitor Tokens

Website Tokens
Returns a unique alert ID (DSXXXXXXXX). This ID updates as alert severities change, even if severity change occurs within the same alert session.
##LEVEL##Cluster Alert Tokens

DataSource Tokens

EventSource Tokens

JobMonitor Tokens

Website Tokens
The severity of the alert.
##LIMITEDMESSAGE##EventSource TokensThe first 10 words of the event message.
##LOGFILE##EventSource (Windows Event Log) TokensThe Windows event log file (System, Application, Security, etc.)
##MESSAGE##Alert Integration TokensThe rendered text of the alert message. This token will also pass all relevant acknowledged information (e.g., the user that acknowledged the alert, ack comments, etc.).
##MESSAGE##EventSource (IPMI Event) TokensThe IPMI event log message.
##MESSAGE##EventSource (Syslog Event) TokensThe syslog message.
##MESSAGE##EventSource (Windows Event Log) TokensThe event log message.
##ORIGINATINGCAUSE##DataSource Tokens

Root Cause Analysis Tokens
The resources that are determined to be the originating cause of the current alert.
##ROUTINGSTATE##DataSource Tokens

Root Cause Analysis Tokens
The status of the current alert’s notification routing.
##SOURCENAME##EventSource (Windows Event Log) TokensThe Windows source subsystem (e.g., Microsoft-Windows-DistributedCOM)
##SPECIFICCODE##EventSource (SNMP Trap) TokensThe specific code in the trap (v1 traps only).
##START##Cluster Alert Tokens

Collector Down and Failover Tokens

DataSource Tokens

EventSource Tokens

JobMonitor Tokens

Website Tokens
The time the alert condition started.
##STARTEPOCH##DataSource Tokens

EventSource Tokens

JobMonitor Tokens
The time (in unix epoch time) when this alert started. Useful for creating unique alert identifiers.
##STDERR##JobMonitor TokensStandard error returned by the job.
##STDOUT##JobMonitor TokensStandard out returned from the job.
##SYSUPTIME##EventSource (SNMP Trap) TokensThe uptime of the SNMP Collector sending the trap.
##THRESHOLD##DataSource TokensThe alert threshold that triggered the alert. The value of the ##THRESHOLD## token incorporates the value of the ##DTALERTDESCRIPTION## token to ensure threshold details are provided for both static and dynamic thresholds, when applicable.
##TIMESTAMP##EventSource (IPMI Event) TokensThe time of the event in the system event log in epoch format.
##TRAPOID##EventSource (SNMP Trap) TokensTrap identification for v2c traps.
##TYPE##EventSource (Windows Event Log) TokensThe event level (error, information, etc.) as reported by Windows.
##URL##Website TokensThe default root URL that the Web Check is testing (as specified in the Default Root URL field found in the Web Check definition.
##USER##EventSource (Windows Event Log) TokensThe user associated with the event, if any, as reported by Windows.
##USERDATA##JobMonitor TokensOther user data reported by the batch job.
##VALUE##Cluster Alert Tokens

DataSource Tokens
The value of the datapoint at the time the alert was generated.
##VALUE##EventSource TokensThe entire event message (the complete windows event log event, or complete IPMI event log, or SNMP trap contents)
##VALUE##Website TokensFor an overall alert this will reference the number of checks that failed. For an alert at an individual location, this will reference why the step failed (e.g., doesn’t match HTTP response, doesn’t include correct content, etc.)
##WEBSITE##Website TokensThe name of the website in the alert.
##WEBSITEDESCRIPTION##Website TokensThe description associated with the website.
##WEBSITEGROUP##Website TokensThe group the website is in.
##WEBSITEREQUEST##Website TokensThe full request sent at the time the alert was generated. This will function when alerting is configured for individual checkpoints, not for an overall status.
##WEBSITERESPONSE##Website TokensThe full response received at the time the alert was generated. This will function when alerting is configured for individual checkpoints, not for an overall status.
##WILDVALUE##DataSource TokensThe instance value.

In This Article