Is there a limitation on SWQL variables for Alert Email Subject?

I've created a variable that extracts the dst-ip from the syslog message received from a node. Here's the query:

${N=SWQL;M=SELECT SUBSTRING('${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}',
CHARINDEX('dst-ip:', '${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}') + 7,
CHARINDEX(' ', '${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}' + ' ',
CHARINDEX('dst-ip:', '${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}') + 7) -
(CHARINDEX('dst-ip:', '${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}') + 7))
AS Message
FROM Orion.Nodes n}

When used in the email body, the query works perfectly and returns the expected IP address. However, using the same query in the email subject results in a blank output.

I'm wondering if this could be due to a restriction on using query-based variables in the email subject, or if there is a character limit that prevents the query from executing properly. I’ve tried looking for documentation to confirm this behavior but couldn’t find any relevant details.

Find more posts tagged with

swql query

npm - network performance monitor

alert variable

orion_core

Accepted answers

All comments

kpina

Hi there - your question is related to SolarWinds Observability Self-Hosted, so I've moved it to the correct forum. Happy THWACK-ing.

bobmarley

A quick Google of this returns:

Email systems do not allow infinitely long subject lines. Like most software there are limitations on how much information can be input. For most email the technical limitation on subject line length is 988 characters. That includes spaces between words.

kenyamson

shouldn't this be evaluated by SolarWinds alerting service first before sending the actual email so the whole query will be limited to whatever the value is?

In this case the value is just an IP address so it will be less than 988 characters.

dgsmith80

I currently have a very similar Query that I am using to parse Cisco & Arista Syslog messages as part of an Alert Email and EventLog. I've never tried pasting it into the Subject line before but I'll give it a test and see if it works.

kenyamson

Thanks @dgsmith80

kenyamson

Hi @dgsmith80 , were you able to test it out?

I tried different SWQL variable which is way shorter and added it on the subject. It works perfectly, so I guess there's a limitation on the subject field and SolarWinds does not process the variable before sending the email.