How to access _resource in context?

gunjan_prmr · February 13, 2020, 9:22pm

I have set up alert in Kibana for slack notification which works fine. I can access my trigger name by

{{ ctx.trigger.name }}

I want to access _source but I don't see that in ctx. How can I access that?

{{ ctx }} gives me following:

{
  monitor = {
    _id = ,
    _version = 1,
    name = Failed Order Alert - Gunjan,
    enabled = true
  }, trigger = {
    id = JjTeOnABiAzvZMW0wxvs,
    name = Failed Order Trigger,
    severity = 1,
    actions = [{
      name = JUST TESTING
    }]
  }, results = [{
    _shards = {
      total = 75,
      failed = 0,
      successful = 75,
      skipped = 0
    },
    hits = {
      hits = [],
      total = {
        value = 0,
        relation = eq
      },
      max_score = null
    },
    took = 5,
    timed_out = false
  }], periodStart = 2020 - 02 - 12 T21: 52: 50.671 Z, periodEnd = 2020 - 02 - 12 T21: 53: 50.671 Z, alert = null, error = null
}

Nathan_Reese · February 14, 2020, 2:17pm

_source will be in each object in hits.hits array. _source contains the original fields for documents. hits contains the search results from an _search request. You can find documentation about hits at https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html#search-api-response-body

gunjan_prmr · February 14, 2020, 4:18pm

gunjan_prmr:

{
  monitor = {
    _id = ,
    _version = 1,
    name = Failed Order Alert - Gunjan,
    enabled = true
  }, trigger = {
    id = JjTeOnABiAzvZMW0wxvs,
    name = Failed Order Trigger,
    severity = 1,
    actions = [{
      name = JUST TESTING
    }]
  }, results = [{
    _shards = {
      total = 75,
      failed = 0,
      successful = 75,
      skipped = 0
    },
    hits = {
      hits = [],
      total = {
        value = 0,
        relation = eq
      },
      max_score = null
    },
    took = 5,
    timed_out = false
  }], periodStart = 2020 - 02 - 12 T21: 52: 50.671 Z, periodEnd = 2020 - 02 - 12 T21: 53: 50.671 Z, alert = null, error = null
}

That is what I thought. In that case, why don't I see that in {{ ctx }} object I have pasted above?

gunjan_prmr · February 14, 2020, 4:20pm

That is what I thought. In that case, why don't I see that in {{ ctx }} object I have pasted above?

Nathan_Reese · February 14, 2020, 4:49pm

So the hits array is empty? What does your watch query look like? Are you setting size?

gunjan_prmr · February 14, 2020, 4:51pm

Here is my monitor and the blob I posted in my original question, that is the entire ctx object.

gunjan_prmr · February 14, 2020, 6:10pm

Here is the query. How can I define _source here?
{
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"from": "{{period_end}}||-30d",
"to": "{{period_end}}",
"include_lower": true,
"include_upper": true,
"format": "epoch_millis",
"boost": 1
}
}
}
],
"adjust_pure_negative": true,
"boost": 1
}
},
"aggregations": {}
}

gunjan_prmr · February 21, 2020, 6:03pm

I have resolved this. In Kibana logs, when you click on REFRESH button. it makes POST call where you can get the query and tweak it accordingly.

system · March 20, 2020, 6:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to use Ctx Variable to access the source fields in Kibana Kibana	2	889	June 21, 2019
How to use {{#context.hits}} alert with an INDEX action? Kibana elastic-stack-alerting	1	685	November 16, 2023
Watcher Use Source Fields Elasticsearch elastic-stack-alerting	2	1157	May 28, 2019
Kibana Alerts accessing fields Kibana elastic-stack-alerting	2	2235	September 20, 2021
Watcher, hits array empty Kibana	3	1488	April 29, 2021

How to access _resource in context?

Related topics