Alerts and passing additional detail in message body

I currently have alerts set up based on an extraction query. I have used aggregation to get summary counts by two fields. I would like to output the aggregation results in the body of the alert message. The problem is, the message will only send IF all ctx variables referenced actually resolve to a value. Not sure how to handle dynamic buckets in the output. Any suggestions?

Extraction Query Response:

{
  "_shards": {
    "total": 2955,
    "failed": 0,
    "successful": 2955,
    "skipped": 2170
  },
  "hits": {
    "hits": [],
    "total": 177,
    "max_score": 0
  },
  "took": 1436,
  "num_reduce_phases": 2,
  "timed_out": false,
  "aggregations": {
    "1": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "2": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "doc_count": 74,
                "key": "10.9.2.156-consle.log"
              },
              {
                "doc_count": 74,
                "key": "10.9.2.156-server.log"
              },
              {
                "doc_count": 7,
                "key": "10.9.2.156-messages"
              }
            ]
          },
          "doc_count": 155,
          "key": "ams-jboss"
        },
        {
          "2": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "doc_count": 10,
                "key": "10.9.2.188-messages"
              },
              {
                "doc_count": 7,
                "key": "10.9.1.151-messages"
              },
              {
                "doc_count": 5,
                "key": "10.9.1.197-messages"
              }
            ]
          },
          "doc_count": 22,
          "key": "annuity-services-b"
        }
      ]
    }
  }
}

Looking to do something like this in message body:

Details of Kibana search result:
@log_group = {{ctx.results.0.aggregations.1.buckets.0.key}} - {{ctx.results.0.aggregations.1.buckets.0.doc_count}} total events across the following @log_streams:
{{ctx.results.0.aggregations.1.buckets.0.2.buckets.0.key}}
{{ctx.results.0.aggregations.1.buckets.0.2.buckets.1.key}}
{{ctx.results.0.aggregations.1.buckets.0.2.buckets.2.key}}
{{ctx.results.0.aggregations.1.buckets.0.2.buckets.3.key}}
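Added example, not part of the post above and not code from the alerting plugin: the message body above addresses every bucket by a fixed index, so a reference such as `buckets.3.key` has nothing to resolve to when a group only has three streams. Alerting message templates are Mustache, and Mustache sections (`{{#list}} ... {{/list}}`) repeat their body once per list element with that element's fields in scope, so the template does not need to know how many buckets come back. The Python below renders both the fixed-index template and a section-based rewrite against a constructed copy of the response quoted above (the `ctx.results.0` context shape is taken from the post), using a small Mustache-subset renderer written here only to preview the result offline; the exact section syntax should still be confirmed by saving the template in the alerting plugin. `unresolved_references` is a lint that lists the absolute `ctx.*` references which do not resolve against a given response, which is the check to run before relying on a fixed-index template.

```python
import re

# Constructed copy of the aggregation response quoted in the post, trimmed to the
# fields the message template reads (context shape assumed: ctx.results[0]).
RESPONSE = {
    "aggregations": {"1": {"buckets": [
        {"key": "ams-jboss", "doc_count": 155, "2": {"buckets": [
            {"key": "10.9.2.156-consle.log", "doc_count": 74},
            {"key": "10.9.2.156-server.log", "doc_count": 74},
            {"key": "10.9.2.156-messages", "doc_count": 7},
        ]}},
        {"key": "annuity-services-b", "doc_count": 22, "2": {"buckets": [
            {"key": "10.9.2.188-messages", "doc_count": 10},
            {"key": "10.9.1.151-messages", "doc_count": 7},
            {"key": "10.9.1.197-messages", "doc_count": 5},
        ]}},
    ]}}
}
CONTEXT = {"ctx": {"results": [RESPONSE]}}

# The post's approach: fixed indexes, so ".3.key" resolves to nothing here.
FIXED_INDEX_TEMPLATE = """Details of Kibana search result:
@log_group = {{ctx.results.0.aggregations.1.buckets.0.key}} - {{ctx.results.0.aggregations.1.buckets.0.doc_count}} total events across the following @log_streams:
{{ctx.results.0.aggregations.1.buckets.0.2.buckets.0.key}}
{{ctx.results.0.aggregations.1.buckets.0.2.buckets.3.key}}
"""

# Section form: the body repeats once per bucket, with that bucket's own
# fields (key, doc_count, "2") in scope, so the bucket count can vary.
SECTION_TEMPLATE = """Details of Kibana search result:
{{#ctx.results.0.aggregations.1.buckets}}
@log_group = {{key}} - {{doc_count}} total events across the following @log_streams:
{{#2.buckets}}
  {{key}} ({{doc_count}} events)
{{/2.buckets}}
{{/ctx.results.0.aggregations.1.buckets}}
"""

TAG = re.compile(r"\{\{([#/]?)\s*([^{}]+?)\s*\}\}")
STANDALONE = re.compile(r"^[ \t]*(\{\{[#/][^{}]*\}\})[ \t]*\n", re.M)


def lookup(stack, name):
    """Resolve a dotted name: the first segment against the context stack
    (innermost scope first), the rest into dicts by key or lists by index."""
    head, *rest = name.split(".")
    for scope in reversed(stack):
        if isinstance(scope, dict) and head in scope:
            value = scope[head]
            break
    else:
        return None
    for seg in rest:
        if isinstance(value, dict):
            value = value.get(seg)
        elif isinstance(value, list) and seg.isdigit() and int(seg) < len(value):
            value = value[int(seg)]
        else:
            return None
        if value is None:
            return None
    return value


def _render(template, stack):
    out, pos = [], 0
    while True:
        m = TAG.search(template, pos)
        if m is None:
            out.append(template[pos:])
            return "".join(out)
        out.append(template[pos:m.start()])
        kind, name = m.group(1), m.group(2)
        if kind == "#":
            depth, scan = 1, m.end()
            while depth:  # find the matching close tag, allowing nested sections
                n = TAG.search(template, scan)
                if n is None:
                    raise ValueError("unclosed section " + name)
                depth += {"#": 1, "/": -1}.get(n.group(1), 0)
                scan = n.end()
            value = lookup(stack, name)
            items = value if isinstance(value, list) else ([value] if value else [])
            for item in items:
                out.append(_render(template[m.end():n.start()], stack + [item]))
            pos = n.end()
        elif kind == "/":
            raise ValueError("unexpected close tag " + name)
        else:
            value = lookup(stack, name)
            out.append("" if value is None else str(value))
            pos = m.end()


def render(template, context):
    """Render the Mustache subset used above; standalone section-tag lines are
    dropped, as Mustache does, so they leave no blank lines in the message."""
    return _render(STANDALONE.sub(r"\1", template), [context])


def unresolved_references(template, context):
    """Lint: absolute ctx.* variable tags that do not resolve against the
    response, i.e. the references that would stop the message from sending."""
    return [name for kind, name in TAG.findall(template)
            if kind == "" and name.startswith("ctx.") and lookup([context], name) is None]


if __name__ == "__main__":
    print("unresolved:", unresolved_references(FIXED_INDEX_TEMPLATE, CONTEXT))
    print(render(SECTION_TEMPLATE, CONTEXT))
```

Running the block reports the one fixed-index reference that does not resolve (`...buckets.0.2.buckets.3.key`) and then prints the section-based body with one `@log_group` line per outer bucket and one indented line per stream, for both groups in the response.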
