With 7.12.1, I can see our group-by field appearing in the detection event; in this case it is host.name. I have tried pushing it through within the actions, but it is still empty.
I dumped out the full event with context.alerts and pumped the output into a JSON editor, and it does not look as though host.name is nested: "host.name":"somecomputer".
I am using host.name within actions in normal detections successfully.
Hi @probson, thanks for your question! You need a second loop to iterate over the threshold_result terms and pick out the matching field that you're interested in (or print them all). Since threshold signals are synthetic signals over a group of events, they don't necessarily look exactly like the source events. Fields that are included in the "group by" set can be found in the threshold_result.terms object.
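To make the "second loop" concrete, here is an added example (not code from the thread or from Elastic) that walks a payload shaped like the one described above: context.alerts is a list of signal documents, and each threshold signal carries signal.threshold_result.terms as a list of {"field": ..., "value": ...} objects. The sample payload, the second alert, and the user.name term are constructed for illustration; only the host.name / somecomputer pair comes from the thread. The Mustache template in the comment is one way to express the same nested loop in a Kibana action message and is likewise an assumption, not something the thread shows.

```python
import json

# Constructed sample payload modelled on the shape described in the thread.
# "othercomputer", "user.name" and "svc_backup" are made up for illustration.
SAMPLE_CONTEXT = {
    "alerts": [
        {
            # In the thread the group-by field is also copied to the top level...
            "host.name": "somecomputer",
            "signal": {
                "threshold_result": {
                    # ...but the authoritative place for group-by fields is here.
                    "terms": [
                        {"field": "host.name", "value": "somecomputer"},
                        {"field": "user.name", "value": "svc_backup"},
                    ]
                }
            },
        },
        {
            "signal": {
                "threshold_result": {
                    "terms": [
                        {"field": "host.name", "value": "othercomputer"},
                    ]
                }
            }
        },
    ]
}

# Assumed Mustache equivalent of render_all_terms() for a Kibana action message
# (prints every group-by field of every alert; Mustache cannot test equality,
# so "pick out one field" is easier done downstream, as in group_by_values()):
#
#   {{#context.alerts}}
#   {{#signal.threshold_result.terms}}{{field}}={{value}} {{/signal.threshold_result.terms}}
#   {{/context.alerts}}


def threshold_terms(alert):
    """Return the group-by terms of one alert, or [] if it is not a threshold signal."""
    return alert.get("signal", {}).get("threshold_result", {}).get("terms", [])


def group_by_values(alerts, field):
    """Outer loop over alerts, inner loop over terms; collect the value of `field`.

    Alerts that do not carry the requested field (or are not threshold
    signals) contribute nothing rather than raising.
    """
    values = []
    for alert in alerts:
        for term in threshold_terms(alert):
            if term.get("field") == field:
                values.append(term.get("value"))
    return values


def render_all_terms(alerts):
    """One line per alert listing every group-by field=value pair."""
    lines = []
    for alert in alerts:
        pairs = ", ".join(f'{t["field"]}={t["value"]}' for t in threshold_terms(alert))
        lines.append(pairs or "(not a threshold signal)")
    return lines


if __name__ == "__main__":
    alerts = SAMPLE_CONTEXT["alerts"]
    print("host.name values:", json.dumps(group_by_values(alerts, "host.name")))
    for line in render_all_terms(alerts):
        print(line)
```

Running the script against the constructed payload yields both host names for host.name, only the one value for user.name, and one summary line per alert.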
Do you know if the fields will be directly accessible in the future? In my example, host.name, which is one of the group fields, is available in context.alerts, but its output is not ECS-compliant.
@probson You mean that it's not ECS-compliant because it's not located in the host.name top-level field? I believe we could copy the data into the original location for fields that have been grouped by. I don't know of any plans to do so, but I see no reason why we couldn't.
That's it. As of 7.12.1, the group-by fields look to be copied from signal.threshold_result.terms ("field":"host.name","value":"somecomputer") to the original field name of host.name, but host.name within the action output is not ECS-compliant.