Extraction query for monitor

Rashmita_Shetty · April 20, 2020, 6:33pm

Hello, I have recently built a few alerts in Kibana (7.1.1). The alerts that I have using the extraction method is to query a specific value in the field : CustomerEndpoint address.
I am trying to understand, if I had to add 2 values in the Endpoint address, how will I do so?
Should I be using array/ OR operator?
<
{
"match_phrase": {
"CustomerEndpoint.Address": {
"query": "xxxxx12345",
"slop": 0,
"zero_terms_query": "NONE",
"boost": 1
}
}
}
]

Under the action items in trigger > there is a box for message preview , how can I add the some fields from _source in that message?

weltenwort · April 22, 2020, 11:04am

Hi @Rashmita_Shetty,

regarding your first question, you could either use a query_string query and spell out the OR or formulate two match_phrase queries and wrap them in a bool query's should clause.

As for the message trigger, it should support templating to allow for the inclusion of values from the triggering documents.

Topic		Replies	Views
Kibana Alerts accessing fields Kibana elastic-stack-alerting	2	2624	September 20, 2021
[Kibana painless alert] Unable to read a string value from an array Kibana	2	533	November 2, 2020
Match filter queries with OR instead of AND Elasticsearch elastic-stack-alerting	1	239	October 13, 2022
Surfacing Index Field Values in Kibana Alerts Kibana elastic-stack-alerting	2	3825	May 8, 2022
In kibana(KQL), In the message field need to combine two conditions Kibana	3	506	November 30, 2021

Extraction query for monitor

Related topics