I have a scenario where I am matching two metadata along with "level" = "error". I am setting the time to last 15 minutes for running the query. The monitor does capture what I want, but when there are multiple hits in the last 15 minutes, the alert is messed up. The information is sent without any spaces between two different metadata.
This is my query below:
```json
{
  "size": 10000,
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "\"metadata1\" AND \"metadata2\"",
            "default_field": "*",
            "fields": [],
            "type": "best_fields",
            "default_operator": "or",
            "max_determinized_states": 10000,
            "enable_position_increments": true,
            "fuzziness": "AUTO",
            "fuzzy_prefix_length": 0,
            "fuzzy_max_expansions": 50,
            "phrase_slop": 0,
            "analyze_wildcard": true,
            "escape": false,
            "auto_generate_synonyms_phrase_query": true,
            "fuzzy_transpositions": true,
            "boost": 1
          }
        },
        {
          "match_phrase": {
            "level": {
              "query": "error",
              "slop": 0,
              "zero_terms_query": "NONE",
              "boost": 1
            }
          }
        },
        {
          "range": {
            "@timestamp": {
              "from": "{{period_end}}||-15m",
              "to": "{{period_end}}",
              "include_lower": true,
              "include_upper": true,
              "format": "epoch_millis",
              "boost": 1
            }
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  },
  "_source": {
    "includes": [],
    "excludes": []
  },
  "stored_fields": "*",
  "docvalue_fields": [
    {
      "field": "@timestamp",
      "format": "date_time"
    },
    {
      "field": "start_time",
      "format": "date_time"
    },
    {
      "field": "timestamp",
      "format": "date_time"
    },
    {
      "field": "ts",
      "format": "date_time"
    }
  ],
  "script_fields": {
    "logSize": {
      "script": {
        "source": "doc['_size']",
        "lang": "painless"
      },
      "ignore_failure": false
    }
  },
  "sort": [
    {
      "@timestamp": {
        "order": "asc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "aggregations": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "time_zone": "Asia/Kolkata",
        "interval": "3h",
        "offset": 0,
        "order": {
          "_key": "asc"
        },
        "keyed": false,
        "min_doc_count": 1
      }
    }
  },
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fragment_size": 2147483647,
    "fields": {
      "*": {}
    }
  }
}
```
And this is the message that I am using in the trigger:

```json
{"markdown":" \nExecutionReqId: ``{{#ctx.results.0.hits.hits}}{{_source.execRequestId}}{{/ctx.results.0.hits.hits}}`` \n \n ClientId: ``{{#ctx.results.0.hits.hits}}{{_source.clientId}}{{/ctx.results.0.hits.hits}}`` \n\n Logiflow Id: ``{{#ctx.results.0.hits.hits}}{{_source.logiflowId}}{{/ctx.results.0.hits.hits}}`` \n \nTraceID: ``{{#ctx.results.0.hits.hits}}{{_source.traceId}}{{/ctx.results.0.hits.hits}}``
```
Also, what's the correct documentation to follow for this?
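As an added illustration (not the original poster's template): the four separate `{{#ctx.results.0.hits.hits}}` sections above each loop over every hit and emit only one field, so with several hits all values of that field run together. Wrapping all four fields in a single section makes the loop emit one labelled line per document instead. Field names are the ones from the post; the `hits.total.value` header and the surrounding `{"markdown": "..."}` body are assumed.

```mustache
{{! Added example, not the poster's own template. Assumes the OpenSearch alerting
    ctx variables used in the post; hits.total.value is assumed to be available. }}
Error hits in the last 15 minutes: {{ctx.results.0.hits.total.value}}

{{#ctx.results.0.hits.hits}}
- ExecutionReqId: `{{_source.execRequestId}}` | ClientId: `{{_source.clientId}}` | Logiflow Id: `{{_source.logiflowId}}` | TraceID: `{{_source.traceId}}`
{{/ctx.results.0.hits.hits}}
```

When this is placed back into the JSON action body as the `markdown` string, each line break becomes a `\n` escape.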