Elasticsearch query type alert in kibana alerts

Elastic Stack Kibana
1

I am creating elasticsearch query type alerts in Kibana Alerts and Action section. I have put a condition to send an alert when blacklist IP met with threshold condition in my query.
Alerts are generated in index with predefined variables only. Is it possible to add some additional fields in notification message from index on which query is applied ? for eg: I am using destination.ip in my query as a blacklist ip and I want to add destination.ip field in notification message. My document to index in alert is below:

{
"log_type": "Packetbeat",
"context_message": "This is destination IP{{context.message}}",
"alert_id": "{{alertId}}",
"destination.ip": "{{destination.ip}}",
"alert_name": "{{alertName}}",
"alert_instance_id": "{{alertInstanceId}}"
}

I tried above query but "destination.ip": "{{destination.ip}}", is stroring empty data.

Thanks

2

Can you share a sample doc? Mappings?
Thanks

3

This is mapping doc for my alert, I want to add IP in my alert index.
{
"alert_test" : {
"mappings" : {
"properties" : {
"@timestamp" : {
"type" : "date"
},
"alert_id" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"alert_instance_id" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"alert_name" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"context_message" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"destination" : {
"properties" : {
"ip" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
}
}
},
"ip_addr" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"log_type" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
}
}
}
}
}

4

Did you try destination.ip.keyword?

5

yes this IP I want to fetch from logs index to alert index

6

Yes I tried that too then it was going blank

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.