ES query to trigger n no. of email/webhook based on document hits

Elastic Stack Kibana
1

We are using this below code to trigger email/webhook actions once the threshold is met.
But we are getting n no.of hits in one single email.
Example our threshold has met with10 documents. So 10 emails/webhook has to be triggered. But our code is triggering all 10 documents in One single email.

Below is our code
{{#context.hits}}

{ "additionalInformation": "{{_source.commonLabels.nodename}}",
"additionalText": "{{_source.commonLabels.service}}: Debug Logs not available ",
"alarmIdentifier": "themis-{{_source.commonLabels.alertname}}",
"eventType": "Themis-Alarm",
"managedObjectInstance": "{{_source.alerts.labels.severity}}",
"perceivedSeverity": "{{_source.alert.status",
"probableCause": "{{_source.alerts.annotations.description}}",
"specificProblem": "{{_source.alerts.annotations.summary}}",
"source": "{{_source.commonLabels.cluster}}"
}
{{/context.hits}}

PLEASE SUGGEST US HOW TO FIX THE ISSUE

2

PLease someone help us here.
we are stuck with the issue

3

@spinscale can you please help me

4

Hi @Amulya_Nanda,

To fix this problem, I would suggest trying the Index Threshold rule type which does not dedupe.

We are planning to release grouping for ES Query rules in 8.7, so that might also help to fix this issue.

Hopefully this helps!
-Alexi

5

@Alexandra_Doak
Actually we need to match a phrase using Elasticsearch query, like below image

image
image715×410 17.6 KB

And this condition is met for n no. of documents.
We need to trigger Email/webhook actions.

But we are getting all the documents within single email

image
image1856×530 45.1 KB

Our requirement is to trigger all those above documents in individual emails/webhook.

Looks like in Index threshold we can't integrate matching a phrase??
Please help us here.. we have been stuck from many days. Struggling to resolve the issue

6

Hi @Amulya_Nanda,

What version are you on? Does your document have a unique id field that you can group on?

-Alexi

7

Hi @Alexandra_Doak
8.5.2v we are using.
Yes we do have unique _id

How to group with id? please suggest here

8

To achieve the behavior you want, you will need to upgrade and then you can group by your unique ID. The grouping behavior for ES Query will be released in 8.7, so unfortunately you will have to wait until then.

-Alexi

9

Ok Sure @Alexandra_Doak
Thanks for the support

Is there any way we could achieve this using kibana watchers ?

10

I am not very familiar with Kibana Watcher, but here is a link to their documentation to help you get started.

-Alexi

1 Like
11

Sure @Alexandra_Doak

we are trying to trigger individual email actions in watcher for each document hits.
Is this possible in watchers?
How to write loop in email actions kibana watchers ?

12

I did a search through discuss to see if there are any other discuss topics that might help you, here is list of them: Search results for 'multiple actions from watcher' - Discuss the Elastic Stack.

Additionally, you can repost this question with Watcher in the title and hopefully someone from Watcher will pick it up and will be able to help you.

-Alexi

13

Thanks a lot for the help@Alexandra_Doak
Sure we will repost it..

1 Like
14

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.