Are you in the loop? Keep up with the latest by making sure you're subscribed to Community Announcements. Just click Watch and select Articles.

Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root


1 badge earned


Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!


Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.


Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!


Opsgenie: extra properties filtering

Hello everyone in this community!


I need help to create Perfect view of created Opsgenie alert :)

Let me show details.

I have custom multi-select field Post-Incident Review Actions  with 2 options:

  • Investigation of financial losses
  • Security team analysis

ScreenShot 2022-06-05 at 22.19.35@2x.jpg

When I "ask" JSON payload

ScreenShot 2022-06-05 at 22.21.10@2x.jpg

of Opsgenie+Jira Management integration for this CustomField data with {{ customFields.customfield_10189.value }}

ScreenShot 2022-06-05 at 22.20.17@2x.jpg

I get this not beautiful, but quite informative output in created Opsgenie alert:

ScreenShot 2022-06-05 at 22.19.58@2x.jpg

Can I filter this output to create clear and informative Opsgenie alert? I need to receive in Opsgenie created alert data from Value JSON payload.  

For clarification: this output is enough for next steps (assign, route and so on) in Opsgenie.

I want to understand the filtering mechanism (if it can be used in this case).

Will be very glad for any kind of help.

1 answer

1 accepted

1 vote
Answer accepted
Nick H
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Jun 06, 2022

Hi @Roman Pankovski ,

Similar to what you are using in the field, Service for Review, you will most likely want to use some form or string processing or regex to clean up the data being extracted.

Maybe something like:

{{ customFields.customfield_10189.substringBetween("value=",",")}}


But are you trying to pull both of these values?



If yes, then the string processing method above would only work on the first match, and it appears there might be two values parsing in this custom field.


In that case, string processing should still work, but might need to be a bit more specific for each value. Maybe something like these two - but all depending how they parse in the payload as well:

{{ customFields.customfield_10189.substringBetween("10264,value=",",")}}

{{ customFields.customfield_10189.substringBetween("10265,value=",",")}}
Nick H
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Jun 06, 2022

These also might work as well:


Like Roman Pankovski likes this

Hi, @Nick H! Thnx for answering!

I applied your suggestions in my workflow and can show what I receive.


{{ customFields.customfield_10189.substringBetween("10264,value=",",")}}

{{ customFields.customfield_10189.substringBetween("10265,value=",",")}}

 Output: null null



Output: Investigation of financial losses (this is the first value)


Output: Security team analysis (this is the second value)

Conclusion: 2-nd option is working!

But, in my opinion, this is specific solution acceptable for not more than 2 options - we take only BeforeAfter values of payload.


I move a little bit forward and modify your suggestions like this:



Output: Investigation of financial losses, Security team analysis (both values here!)

But there is another annoying thing - if Reporter choose only one option (example: Investigation of financial losses) here is what I receive in output:

Investigation of financial losses, null


1. is there any way to filter "null" from output?
2. is there any way to make multiline output?

Example of multiline output: 
Investigation of financial losses
Security team analysis

Hello @Nick H , 

I'm trying to extract information about findings' resources from the "Message" field and present it in a human-readable format. Specifically, I want to retrieve details from the "findings" array, specifically the "Resources" object within it. 

here is the json: 

"Type": "Notification",
"MessageId": "96d4c7c2-999e-57ab-aade",
"TopicArn": "arn:aws:sns:us-west-2:test",
"Message": {
"version": "0",
"id": "3ee38987-e0ce--91a1",
"detail-type": "EC2 Instance State-change Notification",
"source": "aws.ec2",
"account": "abc",
"time": "2017-09-11T10:49:41Z",
"region": "us-west-2",
"resources": ["arn:aws:ec2:us-west-2:asdf:instance/i-abc"],
"detail": {
"actionName": "custom-action-name",
"actionDescription": "description of the action",
"findings": [
"AwsAccountId": "abc",
"Compliance": { "Status": "PASSED" },
"Confidence": 42,
"CreatedAt": "2017-03-22T13:22:13.933Z",
"Criticality": 99,
"Description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.",
"FirstObservedAt": "2017-03-22T13:22:13.933Z",
"GeneratorId": "acme-vuln-9ab348",
"Id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef",
"LastObservedAt": "2017-03-23T13:22:13.933Z",
"Malware": [
{ "Name": "Stringler", "Type": "COIN_MINER", "Path": "/usr/sbin/stringler", "State": "OBSERVED" }
"Network": {
"Direction": "IN",
"Protocol": "TCP",
"SourceIpV4": "",
"SourceIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C",
"SourcePort": "42",
"SourceDomain": "",
"SourceMac": "00:0d:83:b1:c0:8e",
"DestinationIpV4": "",
"DestinationIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C",
"DestinationPort": "80",
"DestinationDomain": ""
"Note": {
"Text": "Don't forget to check under the mat.",
"UpdatedBy": "jsmith",
"UpdatedAt": "2018-08-31T00:15:09Z"
"Process": {
"Name": "syslogd",
"Path": "/usr/sbin/syslogd",
"Pid": 12345,
"ParentPid": 56789,
"LaunchedAt": "2018-09-27T22:37:31Z",
"TerminatedAt": "2018-09-27T23:37:31Z"
"ProductArn": "arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default",
"ProductFields": {
"generico/secure-pro/Count": "6",
"Service_Name": "",
"aws/inspector/AssessmentTemplateName": "My daily CVE assessment",
"aws/inspector/AssessmentTargetName": "My prod env",
"aws/inspector/RulesPackageName": "Common Vulnerabilities and Exposures"
"RecordState": "ACTIVE",
"RelatedFindings": [
{ "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "Id": "123e4567-e89b-12d3-a456-426655440000" },
{ "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "Id": "AcmeNerfHerder--x189dx7824" }
"Remediation": {
"Recommendation": {
"Text": "Run sudo yum update and cross your fingers and toes.",
"Url": ""
"Resources": [
"Type": "AwsEc2Instance",
"Id": "i-cafebabe",
"Partition": "aws",
"Region": "us-west-2",
"Tags": { "billingCode": "Lotus-1-2-3", "needsPatching": "true" },
"Details": {
"AwsEc2Instance": {
"Type": "i3.xlarge",
"ImageId": "ami-abcd1234",
"IpV4Addresses": ["", ""],
"IpV6Addresses": ["2001:db8:1234:1a2b::123"],
"KeyName": "my_keypair",
"IamInstanceProfileArn": "arn:aws:iam:::instance-profile/AdminRole",
"VpcId": "vpc-11112222",
"SubnetId": "subnet-56f5f633",
"LaunchedAt": "2018-05-08T16:46:19.000Z"
"SchemaVersion": "2018-10-08",
"Severity": { "Product": 8.3, "Normalized": 25 },
"SourceUrl": "string",
"ThreatIntelIndicators": [
"Type": "IPV4_ADDRESS",
"Value": "",
"Category": "BACKDOOR",
"LastObservedAt": "2018-09-27T23:37:31Z",
"Source": "Threat Intel Weekly",
"SourceUrl": ""
"Title": "title",
"Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
"UpdatedAt": "123578964332",
"UserDefinedFields": { "reviewedByCio": "true", "comeBackToLater": "Check this again on Monday" },
"VerificationState": "string",
"WorkflowState": "NEW"
"Timestamp": "2017-09-11T10:49:42.630Z",
"SignatureVersion": "1",
"Signature": "sign",
"SigningCertURL": "",
"UnsubscribeURL": ""


I'm seeking guidance on the correct approach to achieve my goal of making the alert more human-readable and extracting information from the "Message" field's "findings" section. Any assistance or insights you can provide would be greatly appreciated.

Suggest an answer

Log in or Sign up to answer
AUG Leaders

Atlassian Community Events