Hi there,
I'm using ELK 8.11.2
I have a use case about alerting and I found the rule type that matches my use case perfectly. I have created an alert using a custom threshold rule type, but the problem is that I can't call a field value like I can when I use the Elasticsearch query rule type with context.hits.
I tried to do the same thing here, but it gives me nothing in the message when the rule is firing. Here is a snippet of the alert message, at the point where I tried to call a field value:
    {
      "short": true,
      "title": "Container name",
      "value": "{{#context.hits}} {{_source.kubernetes.container.name.keyword}} {{/context.hits}}"
    }
I found documentation that says context.hits is only for the Elasticsearch query rule type, and I can't find documentation on how to do that using the custom threshold rule type.
Here is the overview of my rule: the aggregation is document count, the threshold is 2, and I grouped it by the kubernetes.container.name field.
Can anyone help with this, please?
I know I can simply make a rule using the Elasticsearch query rule type, but if I do that, I would be flooding my cluster with so many rules, so I decided to use this type of rule.
Thanks
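To show why the template in the post renders to nothing, here is an added example (not from the original post and not Kibana's code) of Mustache section semantics: a minimal renderer run against a constructed context shaped like what the Elasticsearch query rule passes to its action (`context.hits`) and a constructed custom threshold context that has no `hits` key at all. The field values, the `thresholdContext` fields, and the renderer itself are assumptions made for the example; Kibana uses the real Mustache library.

```javascript
// Minimal Mustache-style renderer (constructed for this example): supports
// dotted variable names and {{#name}}...{{/name}} sections with a context
// stack, which is enough to show how an absent section variable behaves.
// HTML escaping and inverted sections are omitted on purpose.

// Mustache resolves the first segment of a dotted name by walking up the
// context stack, then resolves the remaining segments on the object found.
function lookup(stack, path) {
  const [head, ...rest] = path.split('.');
  for (let i = stack.length - 1; i >= 0; i--) {
    const frame = stack[i];
    if (frame !== null && typeof frame === 'object' && head in frame) {
      let cur = frame[head];
      for (const key of rest) {
        if (cur === null || cur === undefined || typeof cur !== 'object') return undefined;
        cur = cur[key];
      }
      return cur;
    }
  }
  return undefined;
}

function render(template, stack) {
  // Sections: a missing, null, false, empty-string or empty-list value renders
  // to an empty string, which is exactly what happens when context.hits is
  // not provided by the rule type.
  const sectionRe = /\{\{#([\w.]+)\}\}([\s\S]*?)\{\{\/\1\}\}/g;
  const withSections = template.replace(sectionRe, (_, name, body) => {
    const val = lookup(stack, name);
    if (val === undefined || val === null || val === false || val === '') return '';
    if (Array.isArray(val)) return val.map((item) => render(body, [...stack, item])).join('');
    if (typeof val === 'object') return render(body, [...stack, val]);
    return render(body, stack);
  });
  // Plain variables: an unresolvable name renders as an empty string.
  return withSections.replace(/\{\{([\w.]+)\}\}/g, (_, name) => {
    const val = lookup(stack, name);
    return val === undefined || val === null ? '' : String(val);
  });
}

// The template exactly as it appears in the post.
const containerTemplate =
  '{{#context.hits}} {{_source.kubernetes.container.name.keyword}} {{/context.hits}}';

// Constructed sample of what an Elasticsearch query rule exposes: one raw hit
// per matching document under context.hits. Note that in a real hit `.keyword`
// is a mapping multi-field, not a key inside `_source`; the sample nests it
// only so that the template from the post resolves.
const esQueryContext = {
  context: {
    hits: [
      { _source: { kubernetes: { container: { name: { keyword: 'nginx' } } } } },
      { _source: { kubernetes: { container: { name: { keyword: 'redis' } } } } },
    ],
  },
};

// Constructed sample of a custom threshold action context: assumed fields,
// and deliberately no `hits` key, because that variable belongs to the
// Elasticsearch query rule type only.
const thresholdContext = {
  context: { reason: 'Document count is 3 (threshold 2)', value: 3 },
};

function renderContainerNames(ctx) {
  return render(containerTemplate, [ctx]);
}

console.log(JSON.stringify(renderContainerNames(esQueryContext)));  // " nginx  redis "
console.log(JSON.stringify(renderContainerNames(thresholdContext))); // ""
```

The second call is the situation in the post: the section tag is syntactically fine, but because the custom threshold context carries no `context.hits`, Mustache treats the section as false and emits nothing, with no error to indicate that the variable was never there.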