I’ve built a search query that joins two streams/searches.
At the end I do some processing and rename fields as needed. In my alert I added the renamed fields to my Jinja template, but when I receive the e-mail the fields come up blank.
My rule looks a bit like this:
[...] as s1 followed by [...] as s2 on s1.user=s2.user | process geoip(s2.source_address) | rename log_ts as tidspunkt_ts, s2.user as bruger, s2.machine as computernavn, s2.os_version as OS, s2.source_address as IP, country_name as land, city_name as 'by'
My e-mail notification looks like this:
Subject:
{{alert_name}} - {% if rows|length is gt 1 %}{{rows|length}} users connected{% else %}{{rows[0].bruger}} connected{% endif %}
Message:
{% for row in rows %}
<ul>
<li><b>Timestamp: </b>{{row.tidspunkt_ts}}</li>
<li><b>Brugernavn: </b>{{row.bruger}}</li>
<li><b>Brugerens Computernavn: </b>{{row.computernavn}}</li>
<li><b>Brugerens OS: </b>{{row.OS}}</li>
<li><b>Brugerens IP: </b>{{row.IP}} ({{row.land}}, {{row.by}})</li>
</ul>
{% endfor %}
The search works fine, and the Jinja template does see nine elements in the list: my template is repeated nine times, but where the property should appear there is no text.
Am I missing something obvious, or does the rename command not affect the output to the Jinja template?
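The following is an added example, not part of the original post and not LogPoint's own code. It reproduces the message body of the template above with plain Jinja2 on constructed rows (sample values, not real alert data), to show how the described symptom arises: when a row does not carry a field name the template asks for, Jinja's default `Undefined` renders as an empty string and the e-mail silently comes up blank, whereas `StrictUndefined` raises and names the missing field. The `blank_fields` helper lists every `row.<name>` the template references that no row provides, which is the first check to run against the actual alert payload. The renamed/original row layouts are assumptions used only to illustrate a mismatch; nothing here asserts how the product populates `rows`.

```python
import re
from jinja2 import Environment, StrictUndefined, Undefined
from jinja2.exceptions import UndefinedError

# Message body from the post, trimmed to the fields that matter here.
TEMPLATE = """{% for row in rows %}
<ul>
<li><b>Timestamp: </b>{{row.tidspunkt_ts}}</li>
<li><b>Brugernavn: </b>{{row.bruger}}</li>
<li><b>Brugerens IP: </b>{{row.IP}} ({{row.land}}, {{row.by}})</li>
</ul>
{% endfor %}"""

# Constructed sample rows (not real data). The first uses the renamed field
# names the template expects; the second carries the pre-rename names, as it
# would if the rename never reached the alert payload (assumption for the demo).
ROWS_RENAMED = [
    {"tidspunkt_ts": "2024-01-01T10:00:00Z", "bruger": "alice",
     "IP": "203.0.113.5", "land": "Denmark", "by": "Copenhagen"},
]
ROWS_ORIGINAL = [
    {"log_ts": "2024-01-01T10:00:00Z", "user": "alice",
     "source_address": "203.0.113.5", "country_name": "Denmark",
     "city_name": "Copenhagen"},
]


def render(rows, strict=False):
    """Render the template; strict=True makes missing fields raise instead of printing ''."""
    env = Environment(undefined=StrictUndefined if strict else Undefined)
    return env.from_string(TEMPLATE).render(rows=rows)


def strict_render_error(rows):
    """Return the UndefinedError message for the first missing field, or None if all resolve."""
    try:
        render(rows, strict=True)
    except UndefinedError as exc:
        return str(exc)
    return None


def template_fields(template=TEMPLATE):
    """Every field the template reads via row.<name>."""
    return sorted(set(re.findall(r"\brow\.(\w+)", template)))


def blank_fields(rows, template=TEMPLATE):
    """Template fields that no row supplies; these render as empty text by default."""
    present = set()
    for row in rows:
        present.update(row.keys())
    return [f for f in template_fields(template) if f not in present]


if __name__ == "__main__":
    print(render(ROWS_RENAMED))           # values filled in
    print(render(ROWS_ORIGINAL))          # same markup, every value blank
    print(blank_fields(ROWS_ORIGINAL))    # names the template expects but rows lack
    print(strict_render_error(ROWS_ORIGINAL))
```

`blank_fields` compares the names the template asks for with the keys actually present on the rows, so running it against one real row from the alert (or printing `row.keys()` inside the loop with `{{ row.keys()|list }}`) shows immediately whether the rows arrive under the renamed names or the originals.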