When defining the alert message for an event source, the following tokens are available:

##DATE##: Date the alert message was generated. This will be the time this particular alert was sent.
##DURATION##: how long this alert has been in existence so far.
##HOST## or ##HOSTNAME##: substituted with the host that is in alert
##LEVEL##:  the defined level of the event (warn, error, ciritical.)
##START##: the time this alert condition started
##VALUE##: the entire event message (the complete windows event log event, or complete IPMI event log, or snmp trap contents)
##GROUP##: shows groups this host is a member of

Specific Event Log tokens

For Windows Event Log events, the following specific tokens are available:
##EVENTCODE##: Windows event ID.
##TYPE##: The event level (error, information, etc) as reported by Windows.
##MESSAGE##: The event log message
##USER##: the user associated with the event, if any, as reported by Windows.
##LOGFILE##: the Windows event log file (System, Application, Security, etc)
##SOURCENAME##: The Windows source subsystem (e.g. Microsoft-Windows-DistributedCOM)

For IPMI Events, the additional available tokens are:
##MESSAGE##: The IPMI Event log message (e.g. "BMC  Power Supply 0x65 AC Lost")
##DATE##: The time of the event (As reported by the IPMI event log) in human format.
##TIMESTAMP##: The time of the event in the system event log in epoch format.

For SNMP Trap events, the additional tokens are:
##TRAPOID##: Trap identification for v2c traps.
##ENTERPRISEOID##: The ID of the collector that sent the trap (v1 traps only)
##SYSUPTIME##: The uptime of the snmp collector sending the trap
##GENERALCODE##: The snmp general code in trap. (v1 traps only)
##SPECIFICCODE##: The specific code in the trap (v1 traps only)

For Syslog events, the additional tokens are:
##FACILITY##: The syslog facility of the event
##MESSAGE##: The body of the syslog message