Hello,
Question about adding alerts for threshold rules.
Am I correct assuming that the field kibana.alert.new_terms and it's value cannot be added to the alert data sent as context?
Is there some way to always add this field when available?
Willem
In 8.13 this field is possible to add per alert document in the Assistant dialog opened within Alert flyout. Alert document will be added as a message context with the list of all the fields, which have a value. In that similar anonymization table you can manage what is send/anonymized, but for the particular document (but only if the field has value).
Is there some way to always add this field when available?
In 8.14 is added support for a centralized anonymization, where you can persist this as a setting.
Hello @Yuliia_Naumenko
Thanks for your answer.
Unfortunately we are on 8.13 and I cannot find the field in the threshold alert in the assistant.
This is a very important field used in a lot of rules. Can it please be added by Elastic by default?
Tx
Is the field kibana.alert.new_term filled with the value on the Table/JSON view of the Alert flyout?
This is a very important field used in a lot of rules. Can it please be added by Elastic by default?
We will definitely consider this request.
Blockquote
Hello Yuliia,
APparently I mixed up kibana.alert.new_terms and kibana.alert.threshold_result.terms.value
I do find it when looking for the correct field... 
Thanks for the help!
This is a very important field used in a lot of rules. Can it please be added by Elastic by default?
I do find kibana.alert.threshold_result.terms.value, but it would be nice if that was also added by default imho.
Willem
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
