Skip to content

Notification content variables

The content of email and command notifications can include information from events in the following form:



Do not escape event command messages and event summaries. For example, write this command as: ${evt/summary} (rather than echo '$evt/summary').

Object names can be evt, evtSummary, or urls; or for clearing event context, clearEvt and clearEventSummary. For each object name, the following lists show valid attributes (for example, '${evt/DevicePriority}' ):

Attributes of evt and clearEvt

Value Description
DevicePriority value of the priority of the device
agent Typically the name of the daemon that generated the event. For example, an SNMP threshold event has zenperfsnmp as its agent.
clearid id of the event this clear event will clear
component component this event is related to
count how many times this event occurred
created when the event was created
dedupid dynamically generated fingerprint that allows the system to perform de-duplication on repeating events that share similar characteristics
device device this event is related to
eventClass class of this event
eventClassKey Free-form text field that is used as the first step in mapping an unknown event into an event class.
eventGroup Free-form text field that can be used to group similar types of events. This is primarily an extension point for customization. Currently not used in a standard system.
eventKey Free-form text field that allows another specificity key to be used to drive the de-duplication and auto-clearing correlation process.
eventState state of the event
evid unique id for the event
facility the syslog facility
firstTime First time that the event occurred.
ipAddress IP address
lastTime Most recent time that the event occurred.
manager value of manager
message a message communicated by the event
ntevid windows event id
ownerid owner id
priority syslog priority
prodState The production state of the device.
severity The integer that identifies the event severity level.
severityString The descriptive label that identifies the event severity level.
stateChange The last time that the event status changed.
status The status of the event.
summary A brief message summarizing the event.

Attributes of eventSummary and clearEventSummary


Some of the values in the following table are direct duplicates of evt attributes. For example, uuid -> evt.evid.

Value Description
uuid evt.evid
occurrence evt.count
status evt.eventState
first_seen_time evt.firstTime
status_change_time evt.stateChange
last_seen_time evt.lastTime
count evt.count
current_user_uuid UUID of the user who acknowledged this event
current_user_name name of the user who acknowledged this event
cleared_by_event_uuid UUID of the event that cleared this event (for events with status == CLEARED)
notes event notes
audit_log event audit log
update_time last time a modification was made to the event
created_time evt.lastTime
fingerprint evt.dedupid
event_class evt.eventClass
event_class_key evt.eventClassKey
event_class_mapping_uuid If this event was matched by one of the configured event class mappings, it contains the UUID of that mapping rule.
actor event actor
summary evt.summary
message evt.message
severity evt.severity
event_key evt.eventKey
event_group evt.eventGroup
agent evt.agent
syslog_priority evt.priority
syslog_facility evt.facility
nt_event_code evt.ntevid
monitor evt.monitor
tags event tags

Attributes of urls

Value Description
ackUrl URL for acknowledging the event
closeUrl URL for closing the event
reopenUrl URL for reopening the event
eventUrl URL for viewing the event
eventsUrl URL for viewing events for the relevant device, or all events

ZenPacks can define additional notification actions and can extend the context that is available to notifications to add objects or attributes.