Action message variable

In my Alert using Elasticsearch query, I'm building a URL pointing to an Elastic Discover link in the action message, and I'm able to include a time filter as seen below:


Is it possible to do something similar in the action message using Elasticsearch query and Log threshold, as seen below?


Please advise.

I got pretty close!

[discover link](https://localhost:5601/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:{{date}}-{{params.timeWindowSize}}{{params.timeWindowUnit}},to:{{date}}))&_a=(columns:!(),filters:!(),index:kibana-event-log,interval:auto,query:(language:kuery,query:''),sort:!(!('@timestamp',desc))))

But Discover doesn't like the fact that I passed an (ISO date)-5m sort of expression as the to. I've got a question open to our Discover devs to find out if this is possible.

Turns out it is possible! \o/

[discover link](https://localhost:5601/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:'{{date}}||-{{params.timeWindowSize}}{{params.timeWindowUnit}}',to:'{{date}}'))&_a=(columns:!(),filters:!(),index:kibana-event-log,interval:auto,query:(language:kuery,query:''),sort:!(!('@timestamp',desc))))

Note that I'm not sure how many rule types this will work with. All rule types have access to {{date}}, but probably many rule types have different names for the time window size/units, and it's possible the units won't match up exactly with the ones Discover is expecting. But you could hard-code the time window size, the units, or both.

Tested this with an email connector and seemed to work fine. I'm a little afraid that the escaping done by other connectors may render the URL incorrectly, but ... not sure.

Also note, if you've configured your Kibana base URL, you can use {{kibanaBaseUrl}} instead of hard-coding your server address. {{rule.spaceId}} is also available, so you can append /s/{{rule.spaceId}} to the Kibana base URL, and the URL will take you to the appropriate Kibana space.
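As an added example (not code from the thread or from Kibana), the snippet below renders the Discover link template from the post above against a constructed rule context and then resolves the Elasticsearch date-math expression it embeds, so you can see exactly which time window the link will open. The base URL, space id, timestamp and window size are invented for illustration; the variable substitution is a minimal stand-in for the Mustache engine Kibana actually uses, and the date-math resolver only handles the `anchor||-Nunit` form used in the link.

```python
"""Render the Discover link template from the thread and resolve the
Elasticsearch date-math range it encodes.

Added example; the context values and URL are constructed, not from a real
Kibana deployment."""
from datetime import datetime, timedelta
import re

# Constructed stand-in for the variables a Kibana rule exposes to the
# action message. Real rules fill these in at alert time.
CONTEXT = {
    "date": "2024-03-05T12:00:00.000Z",
    "params.timeWindowSize": 5,
    "params.timeWindowUnit": "m",
    "kibanaBaseUrl": "https://kibana.example.internal:5601",  # assumed
    "rule.spaceId": "default",
}

# The template from the post, with {{kibanaBaseUrl}} and /s/{{rule.spaceId}}
# prepended as the post suggests.
TEMPLATE = (
    "{{kibanaBaseUrl}}/s/{{rule.spaceId}}/app/discover#/?_g=(filters:!(),"
    "refreshInterval:(pause:!t,value:0),"
    "time:(from:'{{date}}||-{{params.timeWindowSize}}{{params.timeWindowUnit}}',"
    "to:'{{date}}'))"
    "&_a=(columns:!(),filters:!(),index:kibana-event-log,interval:auto,"
    "query:(language:kuery,query:''),sort:!(!('@timestamp',desc)))"
)


def render(template, context):
    """Minimal {{name}} substitution (dotted names allowed).

    Kibana runs a full Mustache engine; the template above only uses simple
    variable tags, which is all this covers. Unknown variables raise rather
    than silently rendering as empty, so a typo in the message is caught."""
    def sub(match):
        key = match.group(1)
        if key not in context:
            raise KeyError(f"unknown template variable {key!r}")
        return str(context[key])
    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}", sub, template)


# Elasticsearch date-math units that timedelta can represent. Kibana's rule
# timeWindowUnit values (s, m, h, d) are a subset, so they pass through as-is.
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}

_DATE_MATH = re.compile(r"^(?P<anchor>.+?)\|\|(?P<ops>(?:[+-]\d+[smhdw])*)$")


def _parse_iso(ts):
    # fromisoformat() does not accept a trailing 'Z' on older Pythons.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def resolve_date_math(expr):
    """Resolve '<iso>||-5m' style expressions into an aware datetime.

    Only the anchor||+/-Nunit form used in the thread is supported; rounding
    ('/d') and the 'now' anchor are deliberately out of scope."""
    match = _DATE_MATH.match(expr)
    if not match:
        return _parse_iso(expr)  # plain timestamp, no date math
    t = _parse_iso(match.group("anchor"))
    for sign, n, unit in re.findall(r"([+-])(\d+)([smhdw])", match.group("ops")):
        delta = timedelta(**{_UNITS[unit]: int(n)})
        t = t + delta if sign == "+" else t - delta
    return t


def time_range(url):
    """Pull from/to out of the rison _g state in a rendered link and resolve them."""
    match = re.search(r"time:\(from:'([^']*)',to:'([^']*)'\)", url)
    if not match:
        raise ValueError("no time range found in URL")
    return resolve_date_math(match.group(1)), resolve_date_math(match.group(2))


if __name__ == "__main__":
    link = render(TEMPLATE, CONTEXT)
    start, end = time_range(link)
    print(link)
    print(f"window: {start.isoformat()} -> {end.isoformat()}")
```

Running it prints the rendered link and the absolute window it covers (here the five minutes ending at the constructed `date`), which is a quick way to confirm that the `||-{{size}}{{unit}}` suffix produces the range you expect before wiring the template into a connector.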

I tried it out and it's working! Thanks!
