I'm having a hard time trying to get the base events that triggered a threshold rule using a Logstash pipeline. Right now I've built a KQL query that gives me those documents, but it still doesn't populate any field in the original event.
The code looks like:
input {
  elasticsearch {
    ...data connection details to some elastic_instance_A
  }
}

filter {
  mutate {
    add_field => { "field_i_need_to_fill" => "placeholder_data" }
  }
  elasticsearch {
    # hosts/credentials for the cluster holding the base events go here (defaults to localhost:9200)
    tag_on_failure => ["_noctlquerythreshold_exception"]
    # Logstash does not split dotted keys, so this is the top-level field literally named kibana.alert.rule.indices
    index => "%{kibana.alert.rule.indices}"
    # 'query' is sent to Elasticsearch as a Lucene query_string, not as KQL
    query => "%{kql_query_that_gives_the_data}"
    # _id is document metadata, not part of _source, so 'fields' never sees it;
    # docinfo_fields copies metadata such as _id and _index into the event
    docinfo_fields => {
      "_id" => "field_i_need_to_fill"
    }
  }
}
Edit 1. I already tried the doc_field and aggregation_field options of the elasticsearch filter. Still no results.
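A complete pipeline of the kind the question is after, added here as an illustration and not the poster's configuration. It goes one step beyond the original snippet: a threshold alert is backed by many base events, so the filter is told to return more than one hit and to write every matched _id (and its index) into an array on the alert event instead of copying a single value. The host, the credentials, the alert index pattern, the kibana.alert.rule.type term used to pick threshold alerts, the result_size value and the event field lucene_query_for_base_events (assumed to already hold a Lucene query_string for the base events) are all assumptions, not taken from the original post.

```logstash
input {
  elasticsearch {
    hosts => ["https://elastic_instance_A:9200"]   # assumed address of the cluster holding the alerts
    user => "logstash_reader"                       # assumed read-only account
    password => "${ES_READER_PASSWORD}"             # assumed: resolved from the Logstash keystore or environment
    # assumed: read the security alerts produced by threshold rules
    index => ".alerts-security.alerts-*"
    query => '{ "query": { "term": { "kibana.alert.rule.type": "threshold" } } }'
  }
}

filter {
  elasticsearch {
    hosts => ["https://elastic_instance_A:9200"]   # assumed: same cluster as the base events
    user => "logstash_reader"
    password => "${ES_READER_PASSWORD}"
    # the alert stores its source indices under the literal dotted key; an array value is
    # rendered comma-separated by sprintf, which Elasticsearch accepts as an index list
    index => "%{kibana.alert.rule.indices}"
    # assumed: an event field that already contains the Lucene query_string for the base events
    query => "%{lucene_query_for_base_events}"
    # a threshold alert has many base events; with result_size > 1 the copied values become arrays
    result_size => 500
    # _id and _index are document metadata, so they must come from docinfo_fields, not fields
    docinfo_fields => {
      "_id"    => "[base_events][ids]"
      "_index" => "[base_events][indices]"
    }
    tag_on_failure => ["_threshold_base_event_lookup_failure"]
  }
}

output {
  stdout { codec => rubydebug }
}
```

Run it with `bin/logstash -f <pipeline.conf>`; each alert event printed by the rubydebug codec should carry a base_events.ids array with one entry per base event that matched the query, and any alert whose lookup failed is tagged with _threshold_base_event_lookup_failure so it can be routed separately rather than silently passed through.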