LogicModules

Tokens Available in LogicModule Alert Messages

Introduction to Alert Message Tokens

When defining customized alert messages or integrating alert data with external systems (e.g. ticketing or chat systems), tokens are available to customize the message or integration delivery to the current condition. These tokens are substituted at the time of generation so that the alert or integration delivery can include dynamic information.

The following sections list currently supported tokens, organized by LogicModule or function, and their substitutions.

Note: Any tokens that reference dates and/or times are based on the time zone configured for the global LogicMonitor account (Settings | Account Information | Portal Settings). They are not based on the time zone, if any, configured in the alert recipient's user account.

Collector Down and Failover

Alert messages notifying you that a Collector has gone down, and of the subsequent failover to a backup Collector (if a backup Collector is configured), support the following tokens.

  • ##AGENTID##: The ID of the Collector that has gone down.
  • ##AGENT_DESCRIPTION##: The name (description) of the Collector that has gone down.
  • ##ALERTID##: the LMDXXXX, LMSXXXX, etc. LogicMonitor alert ID. This ID is not unique per alert session; it is applied to all alerts triggered by a particular resource/website, LogicModule, instance, and datapoint combination.
  • ##BACKUPAGENTID##: The ID of the failover Collector, if one is configured, for the Collector that has gone down.
  • ##BACKUPAGENT_DESCRIPTION##: The name (description) of the failover Collector, if one is configured, for the Collector that has gone down.
  • ##AUTOFAILBACKENABLED##: Indicates whether the Collector that has gone down is configured to automatically resume operations when it becomes available again.
  • ##START##: The time at which this alert condition started (e.g. "2019-05-02 14:21:40 PDT").
  • ##<CUSTOMCOLLECTORPROPERTYNAME>##: Returns the value of any custom properties that are assigned to the Collector itself (not its host device).
  • ##INTERNALID##: Returns a unique alert ID that changes with every alert status update (i.e. it updates as alert severities change or alerts are acknowledged, even if these alert status changes are happening within the same alert session).

DataSources

If the alert is originating from a datapoint defined by a DataSource, the following tokens are available for use in the resulting alert notification message.

  • ##ALERTID##: the LMDXXXX, LMSXXXX, etc. LogicMonitor alert ID. This ID is not unique per alert session; it is applied to all alerts triggered by a particular resource/website, LogicModule, instance, and datapoint combination.
  • ##INTERNALID##: Returns a unique alert ID that changes with every alert status update (i.e. it updates as alert severities change or alerts are acknowledged, even if these alert status changes are happening within the same alert session).
  • ##ALERTSTATUS##: Reports whether the alert is active, clear, ack, update, or test.
  • ##DATAPOINT##: the datapoint in alert. e.g. "PercentUsed"
  • ##DataSource##: the name of the DataSource + instance that is in alert. e.g. "WinVolumeUsage-C:\"
  • ##DATE##: the date this particular alert was sent. e.g. "2014-05-02 14:21:40 PDT"
  • ##DSDESCRIPTION##: the description of the DataSource in alert, if available. Else returns null. E.g. "Monitors space usage on logical volumes."
  • ##DSIDESCRIPTION##: the description of the instance in alert, as defined by the Active Discovery method or as manually set in Manage Instances and Alerts, if available. Else returns null.
  • ##DPDESCRIPTION##: the description of the datapoint in alert, from the DataSource definition, if available. Else returns null. E.g. "Percentage Used on the volume"
  • ##GROUP##: the comma-separated string list of groups this device is a member of.
  • ##HOST## or ##HOSTNAME##: the display name of the device that is in alert.
  • ##HOSTDESCRIPTION##: the text description of the device, if available. Else returns null.
  • ##DEVICEURL##: the URL link associated with the device, if available. Else returns null.
  • ##INSTANCE##: the name of the DataSource instance (e.g. "C:\").
  • ##INSTANCEGROUP##: the name of the group to which the alerting DataSource instance belongs.
  • ##LEVEL##: the error level (warn, error or critical) that currently applies to the alert.
  • ##START##: the time this alert condition started. E.g. "2014-05-02 14:21:40 PDT"
  • ##STARTEPOCH##: the time (in Unix epoch time) when this alert started. Useful for creating unique alert identifiers. E.g. "1399065700000"
  • ##DURATION##: the length of time that the alert has been in existence for, at the time of alert notification creation. E.g. "1h 18m"
  • ##THRESHOLD##: the alert threshold that was applied to the alert.
  • ##VALUE##: the value of the datapoint at the time this alert was generated.
  • ##Device Property##: Substituted with the value of any device property (either a custom or a system property), by surrounding the property name in double hash marks.
  • ##AGENTID##: The ID of the collector that the device associated with the alert is assigned to
  • ##BACKUPAGENTID##: The ID of the failover collector configured, if one is configured, for the primary collector associated with the device
  • ##AGENT_DESCRIPTION##: The name (description) of the collector that the device associated with the alert is assigned to
  • ##BACKUPAGENT_DESCRIPTION##: The name of the failover collector configured, if one is configured, for the primary collector associated with the device
  • ##EXTERNALTICKETID##: A list of integration ticket IDs and the associated integration name for each, if any ticket IDs exist for the alert
  • ##END##: For alert clear messages, this token displays the cleared date and time

Websites

If the alert is originating from a monitored website, the following tokens are available for use in the resulting alert notification message.

  • ##ALERTID##: the LMDXXXX, LMSXXXX, etc. LogicMonitor alert ID. This ID is not unique per alert session; it is applied to all alerts triggered by a particular resource/website, LogicModule, instance, and datapoint combination.
  • ##INTERNALID##: Returns a unique alert ID that changes with every alert status update (i.e. it updates as alert severities change or alerts are acknowledged, even if these alert status changes are happening within the same alert session).
  • ##LEVEL##: The severity of the alert
  • ##WEBSITE##: The name of the website in alert
  • ##VALUE##: For an overall alert this will reference the number of checks that failed. For an alert at an individual location this will reference why the step failed (doesn't match HTTP response, doesn't include correct content, etc.)
  • ##CHECKPOINT##: The checkpoint associated with the alert (this value will be 'Overall' if the alert was triggered based on the checks at multiple locations)
  • ##START##: The time the check(s) first failed
  • ##DETAIL##: The details associated with the alert. For an alert notification at an individual location this will include the URL for the step that failed and the HTTP response for that step. For an overall alert this will include the number of checks that failed.
  • ##WEBSITEDESCRIPTION##: The description associated with the website
  • ##WEBSITEGROUP##: The group the website is in
  • ##URL##: The URL of website check that failed
  • ##EXTERNALTICKETID##: A list of integration ticket IDs and the associated integration name for each, if any ticket IDs exist for the alert
  • ##END##: For alert clear messages, this token displays the cleared date and time
  • ##WEBSITEREQUEST##: The full request sent at the time the alert was generated. This will function when alerting is configured for individual checkpoints, not for an overall status.
  • ##WEBSITERESPONSE##: The full response received at the time the alert was generated. This will function when alerting is configured for individual checkpoints, not for an overall status.

JobMonitors

If the alert is originating from a JobMonitor definition, the following tokens are available for use in the resulting alert notification message.

  • ##HOST## or ##HOSTNAME##: The device that is in alert
  • ##HOSTDESCRIPTION##: The text description of the device
  • ##DEVICEURL##: The URL link associated with the device, if available. Else returns null.
  • ##DATASOURCE##: The JobMonitor name
  • ##BJDESCRIPTION## or ##DSDESCRIPTION##: The JobMonitor description
  • ##DATE##: The date of the job execution
  • ##INSTANCEGROUP##: The name of the group to which the alerting instance belongs
  • ##CMDLINE##: The job command line
  • ##STDOUT##: The standard out returned from the job
  • ##STDERR##: Standard error returned by the job
  • ##USERDATA##: Other user data reported by the batch job
  • ##EXITCODE##: Exit code of the job
  • ##LEVEL##: The current alert level
  • ##START##: Time the alert started
  • ##FINISH##: Time the job finished
  • ##GROUP##: Groups this host is a member of.
  • ##STARTEPOCH##: The time (in unix epoch time) when this alert started. Useful for creating unique alert identifiers.
  • ##AGENTID##: The ID of the collector that the device associated with the alert is assigned to
  • ##BACKUPAGENTID##: The ID of the failover collector configured, if one is configured, for the primary collector associated with the device
  • ##AGENT_DESCRIPTION##: The name (description) of the collector that the device associated with the alert is assigned to
  • ##BACKUPAGENT_DESCRIPTION##: The name of the failover collector configured, if one is configured, for the primary collector associated with the device
  • ##EXTERNALTICKETID##: A list of integration ticket IDs and the associated integration name for each, if any ticket IDs exist for the alert
  • ##END##: For alert clear messages, this token displays the cleared date and time
  • ##INTERNALID##: Returns a unique alert ID that changes with every alert status update (i.e. it updates as alert severities change or alerts are acknowledged, even if these alert status changes are happening within the same alert session).

Cluster Alerts

If the alert is originating from a cluster alert (an alert that is triggered based on the status of a datapoint across multiple resources in a resource group), the following tokens are available for use in the resulting alert notification message.

  • ##EXTERNALTICKETID##: A list of integration ticket IDs and the associated integration name for each, if any ticket IDs exist for the alert
  • ##DATASOURCE##: the name of the DataSource + instance that is in alert
  • ##DATAPOINT##: the name of the Datapoint that is in alert
  • ##DATE##: the date the alert was triggered
  • ##VALUE##: the value of the datapoint at the time this alert was generated.
  • ##LEVEL##: the alert severity level
  • ##START##: The time this alert condition started
  • ##END##: For alert clear messages, this token displays the cleared date and time
  • ##DURATION##: For how long this alert has been in existence
  • ##GROUP##: Shows groups this host is a member of.
  • ##ALERTID##: LogicMonitor alert ID, formatted as LMDXXXX, LMSXXXX, etc. This ID is not unique per alert session; it is applied to all alerts triggered by a particular resource/website, LogicModule, instance, and datapoint combination.
  • ##INTERNALID##: Returns a unique alert ID that changes with every alert status update (i.e. it updates as alert severities change or alerts are acknowledged, even if these alert status changes are happening within the same alert session).

EventSources

If the alert is originating from an EventSource definition, the following tokens are available for use in the resulting alert notification message.

  • ##ALERTID##: the LMDXXXX, LMSXXXX, etc. LogicMonitor alert ID. This ID is not unique per alert session; it is applied to all alerts triggered by a particular resource/website, LogicModule, instance, and datapoint combination.
  • ##INTERNALID##: Returns a unique alert ID that changes with every alert status update (i.e. it updates as alert severities change or alerts are acknowledged, even if these alert status changes are happening within the same alert session).
  • ##DATE##: Date the alert message was generated. This will be the time this particular alert was sent.
  • ##DURATION##: How long this alert has been in existence so far.
  • ##HOST## or ##HOSTNAME##: Substituted with the device that is in alert.
  • ##HOSTDESCRIPTION##: The text description of the device.
  • ##DEVICEURL##: the URL link associated with the device, if available. Else returns null.
  • ##EVENTSOURCE## or ##DataSource##: The eventsource that triggered the alert.
  • ##LEVEL##: The defined level of the event (warn, error, critical.)
  • ##START##: The time this alert condition started.
  • ##VALUE##: The entire event message (the complete windows event log event, or complete IPMI event log, or SNMP trap contents)
  • ##LIMITEDMESSAGE##: The first 10 words of the event message.
  • ##GROUP##: Shows groups this host is a member of.
  • ##STARTEPOCH##: The time (in unix epoch time) when this alert started. Useful for creating unique alert identifiers.
  • ##AGENTID##: The ID of the collector that the device associated with the alert is assigned to
  • ##BACKUPAGENTID##: The ID of the failover collector configured, if one is configured, for the primary collector associated with the device
  • ##AGENT_DESCRIPTION##: The name (description) of the collector that the device associated with the alert is assigned to
  • ##BACKUPAGENT_DESCRIPTION##: The name of the failover collector configured, if one is configured, for the primary collector associated with the device
  • ##EXTERNALTICKETID##: A list of integration ticket IDs and the associated integration name for each, if any ticket IDs exist for the alert
  • ##END##: For alert clear messages, this token displays the cleared date and time

Windows Event Log Tokens

For Windows Event Log events (a specific type of EventSource), the following specific tokens are available:

  • ##EVENTCODE##: Windows event ID.
  • ##TYPE##: The event level (error, information, etc) as reported by Windows.
  • ##MESSAGE##: The event log message
  • ##USER##: The user associated with the event, if any, as reported by Windows.
  • ##LOGFILE##: The Windows event log file (System, Application, Security, etc)
  • ##SOURCENAME##: The Windows source subsystem (e.g. Microsoft-Windows-DistributedCOM)

IPMI Event Tokens

For IPMI Events (a specific type of EventSource), the additional available tokens are:

  • ##MESSAGE##: The IPMI Event log message (e.g. "BMC  Power Supply 0x65 AC Lost")
  • ##DATE##: The time of the event (As reported by the IPMI event log) in human format.
  • ##TIMESTAMP##: The time of the event in the system event log in epoch format.

SNMP Trap Tokens

For SNMP Trap events (a specific type of EventSource), the additional tokens are:

  • ##TRAPOID##: Trap identification for v2c traps.
  • ##ENTERPRISEOID##: The ID of the collector that sent the trap (v1 traps only)
  • ##SYSUPTIME##: The uptime of the snmp collector sending the trap
  • ##GENERALCODE##: The snmp general code in trap. (v1 traps only)
  • ##SPECIFICCODE##: The specific code in the trap (v1 traps only)

Syslog Event Tokens

For Syslog events (a specific type of EventSource), the additional tokens are:

  • ##FACILITY##: The syslog facility of the event
  • ##MESSAGE##: The body of the syslog message

Alert Integrations

When integrating alert data with external systems such as ticketing or chat systems, you can use the various LogicModule-specific alert message tokens listed in this support article, as well as the tokens listed next. The following tokens are available for pre-built integrations, custom HTTP delivery integrations, and custom email alert delivery integrations.

  • ##INTERNALID##: Returns a unique alert ID that changes with every alert status update (i.e. it updates as alert severities change or alerts are acknowledged, even if these alert status changes are happening within the same alert session). This token may be helpful in identifying and suppressing duplicate alert payloads that were incorrectly resent to your third-party event management system (usually as the result of a transmission timeout or failure).
  • ##ADMIN##: The user the alert was escalated to.
  • ##MESSAGE##: The rendered text of the alert message. This token will also pass all relevant acked information (e.g. the user that acknowledged the alert, ack comments, etc.).
  • ##ALERTTYPE##: The type of alert (i.e. alert, eventAlert, batchJobAlert, hostClusterAlert, websiteAlert, agentDownAlert, agentFailoverAlert, agentFailBackAlert, alertThrottledAlert).
  • ##EXTERNALTICKETID##: The ticket identifier, as created and returned by the external system.
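
The duplicate suppression described for ##INTERNALID## above, as a receiver-side check for a custom HTTP delivery integration. This is an added example, not LogicMonitor code: it assumes the integration's payload template maps ##INTERNALID##, ##ALERTID##, ##ALERTSTATUS## and ##LEVEL## to JSON fields named internal_id, alert_id, status and level; the class name, field names and sample values are constructed for illustration.

```python
import json
import time
from collections import OrderedDict


class AlertDeduplicator:
    """Drops deliveries whose ##INTERNALID## value was already processed."""

    def __init__(self, ttl_seconds=3600, max_entries=10000, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._max = max_entries
        self._clock = clock
        self._seen = OrderedDict()  # internal_id -> time first seen, oldest first

    def accept(self, raw_body):
        """Return True for a new status update, False for a resent duplicate."""
        payload = json.loads(raw_body)
        internal_id = str(payload.get("internal_id", "")).strip()
        # An empty value or a literal "##...##" means the token was not substituted.
        if not internal_id or internal_id.startswith("##"):
            raise ValueError("internal_id missing or token not substituted")
        now = self._clock()
        # Drop expired entries and keep the cache below its size bound.
        while self._seen:
            oldest_id, first_seen = next(iter(self._seen.items()))
            if now - first_seen <= self._ttl and len(self._seen) < self._max:
                break
            del self._seen[oldest_id]
        if internal_id in self._seen:
            return False
        self._seen[internal_id] = now
        return True


# Constructed sample deliveries (all values are made up for this example):
# an active alert, the same payload resent after a timeout, then an ack update.
SAMPLE_DELIVERIES = [
    '{"internal_id": "EX-1001", "alert_id": "LMD1234", "status": "active", "level": "warn"}',
    '{"internal_id": "EX-1001", "alert_id": "LMD1234", "status": "active", "level": "warn"}',
    '{"internal_id": "EX-1002", "alert_id": "LMD1234", "status": "ack", "level": "warn"}',
]


def run_samples():
    dedup = AlertDeduplicator()
    return [dedup.accept(body) for body in SAMPLE_DELIVERIES]


if __name__ == "__main__":
    print(run_samples())
```

The cache is keyed on internal_id rather than alert_id because ##ALERTID## is shared by every alert for the same resource, LogicModule, instance and datapoint combination, so the ack delivery in the sample is accepted even though its alert_id repeats.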