When creating an alert, you can choose either "Default format" or "Custom Format" for the alert output.
The default format will display the raw data in JSON format of the logs that triggered the alert, it is not customizable and gives you only up to 10 results. The "Custom format" option allows you to specify the fields you want to be displayed in the alert output. You can simply add fields to this list by clicking on the plus icon on the header and choosing the field.
In addition to adding fields to the table, you can add a REGEX filter on each of the columns to display only the data you want to see in the alert output. If the REGEX matches the relevant data you will see only the desired results, if the REGEX does not match the results you will see the full content of the field.
The custom output will display the data that is matched in the capture group(s) of the regular expression.
For example, if you have a hostname that is "logzio-support-host-1", then a regular expression of logzio-(*.) will give you "support-host-1".
You could also capture multiple parts of a string, for example, if I run (.*)-support(.*) on the previous example, I will get "logzio-host-1". This is because the first capture group matches the "logzio" and the second capture group matches the "-host-1" and the results are concatenated in the field.
Let's say I only want to capture the "1" from "logzio-support-host-1" then I can use .*(\d+), this will match any character up until the first number and will capture that number.