Include graylog search result in alert

Allow Graylog search results for device to be included in alert templates

Wanted to set up a Windows restart alert that includes the information of who re-started the machine and the reason why it was restarted. This information is stored in the system->information logs of the device under the Event ID 1074. Even better than displaying the message would be the ability to insert specific fields into the alert messages (LibreNMS does not display message fields currently). There would be no need to monitor the log stream, only execute the search for detail when the alert is generated.

Example: Server is rebooted and Librenms catches it with standard rule ( devices.uptime < 300 AND macros.device = 1) then the alert can search logs of relevant device and stream for “Explorer.EXE” and “restart” or “shutdown”. The resulting message can be inserted in the bottom of the alert e-mail

Here is a result for a recent reboot as seen in graylog displayed via Librenms:

The process Explorer.EXE has initiated the restart of computer SERVER-001 on behalf of user MOLYD\Ralfie_Admin for the following reason: Other (Planned) Reason Code: 0x85000000 Shutdown Type: restart Comment:Software Lockup