How to access _resource in context?

gunjan_prmr · February 13, 2020, 9:22pm

I have set up alert in Kibana for slack notification which works fine. I can access my trigger name by

{{ ctx.trigger.name }}

I want to access _source but I don't see that in ctx. How can I access that?

{{ ctx }} gives me following:

{
  monitor = {
    _id = ,
    _version = 1,
    name = Failed Order Alert - Gunjan,
    enabled = true
  }, trigger = {
    id = JjTeOnABiAzvZMW0wxvs,
    name = Failed Order Trigger,
    severity = 1,
    actions = [{
      name = JUST TESTING
    }]
  }, results = [{
    _shards = {
      total = 75,
      failed = 0,
      successful = 75,
      skipped = 0
    },
    hits = {
      hits = [],
      total = {
        value = 0,
        relation = eq
      },
      max_score = null
    },
    took = 5,
    timed_out = false
  }], periodStart = 2020 - 02 - 12 T21: 52: 50.671 Z, periodEnd = 2020 - 02 - 12 T21: 53: 50.671 Z, alert = null, error = null
}

Nathan_Reese · February 14, 2020, 2:17pm

_source will be in each object in hits.hits array. _source contains the original fields for documents. hits contains the search results from an _search request. You can find documentation about hits at https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html#search-api-response-body

gunjan_prmr · February 14, 2020, 4:18pm

gunjan_prmr:

{
  monitor = {
    _id = ,
    _version = 1,
    name = Failed Order Alert - Gunjan,
    enabled = true
  }, trigger = {
    id = JjTeOnABiAzvZMW0wxvs,
    name = Failed Order Trigger,
    severity = 1,
    actions = [{
      name = JUST TESTING
    }]
  }, results = [{
    _shards = {
      total = 75,
      failed = 0,
      successful = 75,
      skipped = 0
    },
    hits = {
      hits = [],
      total = {
        value = 0,
        relation = eq
      },
      max_score = null
    },
    took = 5,
    timed_out = false
  }], periodStart = 2020 - 02 - 12 T21: 52: 50.671 Z, periodEnd = 2020 - 02 - 12 T21: 53: 50.671 Z, alert = null, error = null
}

That is what I thought. In that case, why don't I see that in {{ ctx }} object I have pasted above?

gunjan_prmr · February 14, 2020, 4:20pm

That is what I thought. In that case, why don't I see that in {{ ctx }} object I have pasted above?

Nathan_Reese · February 14, 2020, 4:49pm

So the hits array is empty? What does your watch query look like? Are you setting size?

gunjan_prmr · February 14, 2020, 4:51pm

Here is my monitor and the blob I posted in my original question, that is the entire ctx object.

gunjan_prmr · February 14, 2020, 6:10pm

Here is the query. How can I define _source here?
{
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"from": "{{period_end}}||-30d",
"to": "{{period_end}}",
"include_lower": true,
"include_upper": true,
"format": "epoch_millis",
"boost": 1
}
}
}
],
"adjust_pure_negative": true,
"boost": 1
}
},
"aggregations": {}
}

gunjan_prmr · February 21, 2020, 6:03pm

I have resolved this. In Kibana logs, when you click on REFRESH button. it makes POST call where you can get the query and tweak it accordingly.

system · March 20, 2020, 6:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to use {{#context.hits}} alert with an INDEX action? Kibana elastic-stack-alerting	1	672	November 16, 2023
Watcher Use Source Fields Elasticsearch elastic-stack-alerting	2	1157	May 28, 2019
Kibana Alerts accessing fields Kibana elastic-stack-alerting	2	2221	September 20, 2021
Using ctx.results Variable in a Message Kibana painless	3	3263	March 6, 2020
Cannot figure out how to get data from _source into Watch Output Elasticsearch	9	4805	June 20, 2017

How to access _resource in context?

Related Topics