Alert Rule Triggered but No Data in Webhook Payload or Email Notification

Hi Elastic team,

I'm currently working with Kibana 9.0.3 in Elastic Cloud and running into a problem where my alerting rule seems to detect events properly, but no meaningful data is being sent to the configured Webhook or Email connectors.

Setup Details:
Elasticsearch version: 9.0.3 (Elastic Cloud)

Kibana Rule Type: Elasticsearch Query

Query:
eventid: "cowrie.login.failed"

The query matches documents correctly in Discover — verified by searching and seeing real login failure events, including fields like src_ip, username, message, etc.

What Works:
I have created a Webhook connector pointing to Webhook.site, which works with test payloads.

Test payloads like:

{
    "debug": "TEST1"
}

successfully appear in the Webhook logs.

Email notifications also work using the test button.

What Doesn’t Work:
When the alert rule runs and triggers based on the simulated attack:

The Webhook payload contains only {"debug": ""} or an empty string, even though matching events exist.

The same happens with email templates using {{context.results}} — they come through blank or empty.

Even using {{{JSON.stringify context}}} shows {} as the output.

Webhook Body (Action):

{
    "debug": "{{{JSON.stringify context.results}}}"
}

Also tried:

{
    "debug": "{{{JSON.stringify context}}}"
}

Still results in an empty payload.

Alert Rule Settings:
Rule Type: Elasticsearch query

Schedule: Every 1 minute

Alert after: 1 consecutive match

Flapping detection: ON

The rule is enabled and running

The Preview Results button shows hits successfully

Observations:
The documents clearly match the query — and contain the data I want (e.g. src_ip, username, etc.)

But context.results appears to be empty or inaccessible when the rule triggers the action.

Test actions (manual) work fine. It’s the real execution that fails to populate data.

What I Need Help With:
Why is context.results empty when the rule is triggered, even though hits are detected?

Is there something wrong with how I'm referencing context in the Webhook body?

Are there known limitations or bugs in Kibana 9.0.3 affecting context.results for Elasticsearch Query rules?

Any insight or pointers are much appreciated.

Hello @Bhanu_Prasad_Santhal

Welcome to the community!!

I have tried this in 9.0.3 and do not see any issue. I tried using webhook.site as well. To start with, try the below in the action:

{
    "debug" : "{{context}}"
}

You will receive all the details in debug. As per your requirement, you can fetch the fields from context.

Thanks!!
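
An added example, not code from either poster or from Kibana: a small Mustache-subset renderer run over a constructed context, showing that a name absent from the context renders as an empty string without any error, while iterating `context.hits` (the action variable the Elasticsearch query rule type documents for matched documents) fills in `src_ip` and `username`. The helper functions, template strings and sample values are assumptions for illustration.

```javascript
// Constructed sample: matched documents sit under context.hits, as documented
// for the Elasticsearch query rule type. All values below are made up.
const sampleVars = {
  rule: { name: "cowrie-login-failed" },
  context: {
    value: 2,
    hits: [
      { _source: { src_ip: "203.0.113.7", username: "root" } },
      { _source: { src_ip: "198.51.100.23", username: "admin" } },
    ],
  },
};

// Resolve a dotted name against a stack of scopes, innermost scope first.
function lookup(name, scopes) {
  const [head, ...rest] = name.split(".");
  const scope = scopes.find((s) => s !== null && typeof s === "object" && head in s);
  if (scope === undefined) return undefined;
  return rest.reduce((v, k) => (v === null || v === undefined ? undefined : v[k]), scope[head]);
}

// Hypothetical helper: Mustache subset with {{#list}}..{{/list}} and {{name}} only.
function render(template, scopes) {
  const expanded = template.replace(
    /\{\{#([\w.@]+)\}\}([\s\S]*?)\{\{\/\1\}\}/g,
    (_, name, body) => {
      const value = lookup(name, scopes);
      const items = Array.isArray(value) ? value : value ? [value] : [];
      return items.map((item) => render(body, [item, ...scopes])).join("");
    }
  );
  // A name that resolves to nothing renders as "" and raises no error.
  return expanded.replace(/\{\{([\w.@]+)\}\}/g, (_, name) => {
    const value = lookup(name, scopes);
    return value === undefined || value === null ? "" : String(value);
  });
}

// Webhook bodies (sample values need no JSON escaping).
const missingNameBody = '{"debug": "{{context.results}}"}';
const hitsBody =
  '{"rule": "{{rule.name}}", "matches": "{{context.value}}", ' +
  '"hits": "{{#context.hits}}{{_source.src_ip}}/{{_source.username}} {{/context.hits}}"}';

function renderWebhookBody(body) {
  return JSON.parse(render(body, [sampleVars]));
}

console.log(renderWebhookBody(missingNameBody));
console.log(renderWebhookBody(hitsBody));
```

The renderer is a simplified stand-in for Mustache's name lookup, so use it to reason about which names resolve, not to predict Kibana's exact output formatting.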