Extraction query for monitor

Rashmita_Shetty · April 20, 2020, 6:33pm

Hello, I have recently built a few alerts in Kibana (7.1.1). The alerts that I have using the extraction method is to query a specific value in the field : CustomerEndpoint address.
I am trying to understand, if I had to add 2 values in the Endpoint address, how will I do so?
Should I be using array/ OR operator?
<
{
"match_phrase": {
"CustomerEndpoint.Address": {
"query": "xxxxx12345",
"slop": 0,
"zero_terms_query": "NONE",
"boost": 1
}
}
}
]

Under the action items in trigger > there is a box for message preview , how can I add the some fields from _source in that message?

weltenwort · April 22, 2020, 11:04am

Hi @Rashmita_Shetty,

regarding your first question, you could either use a query_string query and spell out the OR or formulate two match_phrase queries and wrap them in a bool query's should clause.

As for the message trigger, it should support templating to allow for the inclusion of values from the triggering documents.

system · May 20, 2020, 11:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to extract specific data from extraction query response Kibana elastic-stack-monitoring , elastic-stack-alerting	3	1552	July 8, 2021
Exact match on log message field Kibana elastic-stack-alerting	6	2694	February 22, 2022
Runtime field kibana Elasticsearch runtime-fields	2	698	March 1, 2023
Quering for a value between two strings Kibana	4	309	September 12, 2018
Elasticsearch query type alert in kibana alerts Kibana elastic-stack-alerting	6	604	June 24, 2021

Extraction query for monitor

Related Topics