Action message variable

eddieyee · January 20, 2022, 8:40am

In my Alert using Elasticsearch query, I'm building a URL pointing to Elastic Discover link in the action message and I'm able to include a time filter as seen below:

time:(from:now-{{params.timeWindowSize}}{{params.timeWindowUnit}},to:now))

Is it possible to do something in action message using Elasticsearch query and Log threshold as seen below:

time:(from:'{{context.date}}-{{params.timeWindowSize}}{{params.timeWindowUnit}}',to:'{{context.date}}'))

Please advise.

Patrick_Mueller · January 20, 2022, 3:37pm

I got pretty close!

[discover link](https://localhost:5601/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:{{date}}-{{params.timeWindowSize}}{{params.timeWindowUnit}},to:{{date}}))&_a=(columns:!(),filters:!(),index:kibana-event-log,interval:auto,query:(language:kuery,query:''),sort:!(!('@timestamp',desc))))

But Discover doesn't like the fact that I passed an (ISO date)-5m sort of expression as the to. I've got a question open to our Discover devs to find out if this is possible.

Patrick_Mueller · January 20, 2022, 4:05pm

Turns out it is possible! \o/

[discover link](https://localhost:5601/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:'{{date}}||-{{params.timeWindowSize}}{{params.timeWindowUnit}}',to:'{{date}}'))&_a=(columns:!(),filters:!(),index:kibana-event-log,interval:auto,query:(language:kuery,query:''),sort:!(!('@timestamp',desc))))

Note that I'm not sure how many rule types this will work with. All rule types have access to {{date}}, but probably many rule types have different names for the time window size/units, and it's possible the units won't match up exactly the same as the ones Discover is expecting. But you could hardcode the time window size/units, or both.

Tested this with an email connector and seemed to work fine. I'm a little afraid that the escaping done by other connectors may render the URL incorrectly, but ... not sure.

Patrick_Mueller · January 20, 2022, 4:09pm

Also note, if you've configured your Kibana base URL, you can use the {{kibanaBaseUrl}} instead of hard-coding your server address. {{rule.spaceId}} is also available, so you can append /s/{{rule.spaceId}} to the kibana base URL, and the URL would take you to the appropriate Kibana space.

eddieyee · February 9, 2022, 8:44am

I tried it out and it's working! Thanks!

system · March 9, 2022, 8:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to link to entries triggering a rule Kibana elastic-stack-alerting , detection-rules	7	596	April 28, 2023
Kibana alert Kibana elastic-stack-alerting	1	293	August 9, 2022
Alert to contain link to Kibana search results Elasticsearch elastic-stack-alerting	4	6351	July 6, 2017
Alerts and actions filters Kibana elastic-stack-alerting	3	298	September 29, 2020
Alerting Rule with link to Discover Elasticsearch elastic-stack-alerting	6	155	June 18, 2024

Action message variable

Related topics