Hello,
Is there an easy way to have a Watcher action (let's say webhook) that can generate a link to Kibana with the query matching the data that triggered the alert? The idea being, I want to send a notification of new errors in logs, and the notification should contain a link - clicking this link should execute the search that triggered the alert.
Thanks,
Andrey
Hi Andrey,
This should, in general, be possible today, though a lot depends on the specific Watches you create - Watcher gives you a lot of flexibility!
Here's the approach I would use:
Create a Dashboard that shows the appropriate supporting information for the Watch. When you create the watch, you can store the Dashboard URL in the watch metadata (example of metadata use). Then you can reference this metadata in your action (email, webhook, etc) using templating as ctx.metadata.yourpropertyname
If you wanted to see the individual documents, you could do the same thing using the URL to a saved search on the Discover page.
Hope that helps!
Cheers,
Steve
Hi Steve,
Thanks for your response. That seems reasonable, though here is one caveat... the watches are time-sensitive. So let's say my watch executes every 60 min, and queries over those past 60 min. If I have a saved search in Kibana, can I provide a url that will limit the query to that specific 60 min window?
Thanks,
Andrey
Hi Andrey,
We don't document the Kibana URL structure/format, and we are planning to make some changes to it, but in the short term, you should be able to specify the time range relatively easily. To see how, change the date range to absolute in your dashboard view, and observe the URL that is created. It will have something like ?_g=(refreshInterval:(display:Off,pause:!f,section:0,value:0),time:(from:'2016-02-10T16:00:28.681Z',mode:absolute,to:'2016-08-11T15:00:28.681Z')) somewhere in the URL itself. Your Watch could use templating to replace those dates.
See here: Access discover tab with parameters for a broader example of applying filters.
Again, a word of caution - we're planning to change the URL format in future versions, so this won't work forever and isn't something the Kibana team can directly support. Having things like this customizable via URL is something we'd like to maintain with future approaches, but the details of what's coming are TBD. See: https://github.com/elastic/kibana/issues/4338 for some context!
Thanks,
Steve
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.