Elast alert substring

elastic_interogation · June 19, 2025, 2:14pm

Hello,

I am trying to parse my alerts, I want to get only a substring of a field (my field name is message).

Let me give you an example, actually, I use:

{
  "text": """
{{#context.hits}}
  - {{_source.message}}
{{/context.hits}}"""
}

And that display:

my first message12345
my second message56537

But I want only to select the 12 last character of each message, the result should be:

message12345
message56537

How can I do that, I have tried substring(12) but it is not working.

Any ideas ?
Many thanks

Tortoise · June 19, 2025, 2:48pm

Hello @elastic_interogation

I believe the easiest way will be to have an ingest pipeline and save the last 12 characters in a new field message_alert & this field you can use in your alerting.

Thanks!!

Topic		Replies	Views
Extract a substring from field Kibana	4	6189	April 19, 2019
Elastic 2.4 - Get substring of text field Elasticsearch	1	414	January 28, 2020
Index a substring Kibana	3	1006	June 29, 2019
Unable to parse substring of a message in logstash Logstash	1	630	September 29, 2017
Get 10 characters before substring in logstash? Logstash	7	6709	August 22, 2017

Elast alert substring

Related topics