Email alert body readable format

Hi All,

I have been recently introduced to ELK and have been working on it for the last 3-4 weeks. This is a totally new integration we are doing. I have gone through a lot of articles which helped me a lot in achieving different areas of alert creation, anomaly detection, using grok filters and all.

Currently I am working on creating an email alert by using the below Elasticsearch query, and I want to trigger an email in a readable format, i.e. it should show the regex given in the query along with the matching document count for that particular regex.

{
  "query": {
    "query_string": {
      "query": "message :\"Logged in is\"~3  or message : \"Attempting login\" "
    }
  }
}

I am able to get the full query using {{params.esQuery}} and the total document count using {{context.value}}.

But is there a way I can achieve the individual regex and its matching document count instead of the full query or the total count?

For example, below is what I am using with {{context.hits}} to access the values inside the documents coming in the response.

{{#context.hits}}
Message is == {{_source.message}}
Host Name is == {{_source.host.name}}
{{/context.hits}}

Sample response:

{"_index":"filebeat-7.13.0-2021.07.21","_type":"_doc","_id":"3Yl1yHoB6hcKaN7o-7na","_score":null,"_source":{"host":{"architecture":"x86_64","ip":["10.128.117.83"],"mac":[""],"id":"","name":"","":{"version":"10.0","platform":"windows","family":"windows","build":"","kernel":"","name":"Windows 10 Enterprise","type":"windows"},"hostname":""},"log":{"offset":150083,"file":{"path":""}},"message":"2021-07-21 15:16:48,255 [LoginController.java:hybrisHTTP40:115] - Logged in user is saswatmishra94@gmail.com","tags":["beats_input_codec_plain_applied"],"@version":"1","ecs":{"version":"1.8.0"},"input":{"type":"log"},"agent":{"version":"7.13.0","ephemeral_id":"","id":"183d0f9d-af2a-440f-a9cb-338a60429278","name":"","hostname":"","type":"filebeat"},"@timestamp":"2021-07-21T09:46:50.767Z"},"fields":{"@timestamp":["2021-07-21T09:46:50.767Z"]},"sort":[1626860810767]}
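As an added example (not part of the original post) of getting one count per clause instead of a single total: each phrase clause of the query above is expressed as a named bucket of a `filters` aggregation, which returns one `doc_count` per clause. The bucket names, the `render_email` format and the sample response are my own constructions; how the result gets into the alert email (e.g. a separate scripted query) is assumed to be handled outside this snippet.

```python
import json

# The two clauses from the poster's query_string, each as a match_phrase query.
# "Logged in is"~3 is a proximity phrase (slop 3); "Attempting login" is exact.
CLAUSES = {
    "logged_in": {"match_phrase": {"message": {"query": "Logged in is", "slop": 3}}},
    "attempting_login": {"match_phrase": {"message": {"query": "Attempting login"}}},
}


def build_request(clauses=CLAUSES):
    """Build a search body that counts matches for each clause separately.

    The top-level bool/should keeps the overall hit set equal to the original
    OR-ed query_string; the `filters` aggregation adds one named bucket with
    its own doc_count per clause. size=0 because only the counts are needed.
    """
    return {
        "size": 0,
        "query": {"bool": {"should": list(clauses.values()), "minimum_should_match": 1}},
        "aggs": {"by_clause": {"filters": {"filters": clauses}}},
    }


def summarize(response):
    """Return {clause_name: doc_count} from the aggregation part of a search response."""
    buckets = response["aggregations"]["by_clause"]["buckets"]
    return {name: bucket["doc_count"] for name, bucket in buckets.items()}


def render_email(summary, total):
    """Render the readable alert body: one line per clause plus the overall total."""
    lines = [f"{name}: {count} matching document(s)" for name, count in sorted(summary.items())]
    lines.append(f"total: {total} document(s)")
    return "\n".join(lines)


# Constructed sample response in the shape Elasticsearch returns for the
# request above (not real cluster output).
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 7, "relation": "eq"}},
    "aggregations": {"by_clause": {"buckets": {
        "logged_in": {"doc_count": 5},
        "attempting_login": {"doc_count": 2},
    }}},
}

if __name__ == "__main__":
    print(json.dumps(build_request(), indent=2))
    print(render_email(summarize(SAMPLE_RESPONSE), SAMPLE_RESPONSE["hits"]["total"]["value"]))
```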
