How to create proper alert for multiple hits?

jackshan · April 5, 2023, 1:22pm

I have a scenario where i am matching two metadata along with "level" = "error". I am setting the time to last 15 minutes for running the query. The monitor does capture what i want, but when there are multiple hits in the last 15 minutes, the alert is messed up. The information is sent without any spaces between two different metadata.
This is my query below:

{
    "size": 10000,
    "query": {
        "bool": {
            "must": [
                {
                    "query_string": {
                        "query": "\"metadata1\" AND \"metadata2\"",
                        "default_field": "*",
                        "fields": [],
                        "type": "best_fields",
                        "default_operator": "or",
                        "max_determinized_states": 10000,
                        "enable_position_increments": true,
                        "fuzziness": "AUTO",
                        "fuzzy_prefix_length": 0,
                        "fuzzy_max_expansions": 50,
                        "phrase_slop": 0,
                        "analyze_wildcard": true,
                        "escape": false,
                        "auto_generate_synonyms_phrase_query": true,
                        "fuzzy_transpositions": true,
                        "boost": 1
                    }
                },
                {
                    "match_phrase": {
                        "level": {
                            "query": "error",
                            "slop": 0,
                            "zero_terms_query": "NONE",
                            "boost": 1
                        }
                    }
                },
                {
                    "range": {
                        "@timestamp": {
                            "from": "{{period_end}}||-15m",
                            "to": "{{period_end}}",
                            "include_lower": true,
                            "include_upper": true,
                            "format": "epoch_millis",
                            "boost": 1
                        }
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    },
    "_source": {
        "includes": [],
        "excludes": []
    },
    "stored_fields": "*",
    "docvalue_fields": [
        {
            "field": "@timestamp",
            "format": "date_time"
        },
        {
            "field": "start_time",
            "format": "date_time"
        },
        {
            "field": "timestamp",
            "format": "date_time"
        },
        {
            "field": "ts",
            "format": "date_time"
        }
    ],
    "script_fields": {
        "logSize": {
            "script": {
                "source": "doc['_size']",
                "lang": "painless"
            },
            "ignore_failure": false
        }
    },
    "sort": [
        {
            "@timestamp": {
                "order": "asc",
                "unmapped_type": "boolean"
            }
        }
    ],
    "aggregations": {
        "2": {
            "date_histogram": {
                "field": "@timestamp",
                "time_zone": "Asia/Kolkata",
                "interval": "3h",
                "offset": 0,
                "order": {
                    "_key": "asc"
                },
                "keyed": false,
                "min_doc_count": 1
            }
        }
    },
    "highlight": {
        "pre_tags": [
            "@kibana-highlighted-field@"
        ],
        "post_tags": [
            "@/kibana-highlighted-field@"
        ],
        "fragment_size": 2147483647,
        "fields": {
            "*": {}
        }
    }
}

And this is the message that i am using in the trigger:

{"markdown":"  \nExecutionReqId: ``{{#ctx.results.0.hits.hits}}{{_source.execRequestId}}{{/ctx.results.0.hits.hits}}`` \n \n ClientId: ``{{#ctx.results.0.hits.hits}}{{_source.clientId}}{{/ctx.results.0.hits.hits}}`` \n\n Logiflow Id: ``{{#ctx.results.0.hits.hits}}{{_source.logiflowId}}{{/ctx.results.0.hits.hits}}`` \n \nTraceID: ``{{#ctx.results.0.hits.hits}}{{_source.traceId}}{{/ctx.results.0.hits.hits}}``

Also, what's the correct documentation to follow for this?

Marius_Dragomir · April 15, 2023, 5:10am

Hello.
That looks like a Watcher query. Most of the documentation will be here: Watcher | Kibana Guide [8.7] | Elastic

I would recommend taking a look at Alerting as well since it has achieved parity in more user-friendly way in most places.

system · May 13, 2023, 5:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Alert query for multiple indexes Elasticsearch elastic-stack-alerting	2	1078	May 20, 2020
Elastisearch query rule type hits contains only one document Logs elastic-stack-alerting	16	1951	August 30, 2021
Not able to create Kibana alert on Json log due to match all is not working and time is coming as string Kibana elastic-stack-alerting	1	337	April 15, 2022
Watcher alert for matching multiple fields in same index Kibana elastic-stack-alerting	3	919	June 29, 2021
Create 1 alert monitor for missing logs on multiple index Kibana elastic-stack-alerting	2	290	March 2, 2023

How to create proper alert for multiple hits?

Related Topics