How to get Hostname in email subject for Diskspace alert

My issue is also similar to this topic, but I am not using any advanced query. I can see my threshold query is executing, but I want to see the host name in the email subject.

Here is my Threshold alert

I want to see the email notification as
Watch [Disk space] has exceeded the threshold on AWSN

Here is my email subject (I tried a couple of things like below)

    Watch [{{ctx.metadata.name}}] has exceeded the threshold on [{{ctx.payload.aggregations.beat.hostname}}]

    Watch [{{ctx.metadata.name}}] has exceeded the threshold on [{{ctx.payload.beat.hostname}}]

    Watch [{{ctx.metadata.name}}] has exceeded the threshold on [{{ctx.payload.beat.name}}]

Please help me figure out what I am missing to get the hostname in the email.

Can you run the execute watch API in the dev tools for this watch and show us the result?

Thanks @spinscale, I found the solution I need from the community here, but I would like to know: is there a way that I can see alerts for specific hosts with a wildcard? I have multiple servers, but I want to watch specifically my AD servers.

Here is what I have now,

```json
{
  "trigger": {
    "schedule": {
      "interval": "15m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "metricbeat-*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-15m",
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||epoch_millis"
                  }
                }
              },
              "should": [
                {
                  "match_phrase": {
                    "beat.hostname": "ADDC1"
                  }
                },
                {
                  "match_phrase": {
                    "beat.hostname": "ADDC2"
                  }
                },
                {
                  "match_phrase": {
                    "beat.hostname": "addctcde1"
                  }
                }
              ],
              "minimum_should_match": 1
            }
          },
          "aggs": {
            "bucketAgg": {
              "terms": {
                "field": "beat.hostname",
                "size": 10,
                "order": {
                  "metricAgg": "desc"
                }
              },
              "aggs": {
                "metricAgg": {
                  "max": {
                    "field": "system.filesystem.used.pct"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i]['metricAgg'].value > params.threshold) { return true; } } return false;",
      "lang": "painless",
      "params": {
        "threshold": 0.85
      }
    }
  },
  "actions": {
    "email_1": {
      "email": {
        "profile": "standard",
        "priority": "high",
        "to": [
          "test@domain.com"
        ],
        "subject": "Watch [{{ctx.metadata.name}}] has exceeded the threshold on \n{{#ctx.payload.results}}{{key}}\n{{/ctx.payload.results}}",
        "body": {
          "text": "The following hosts have exceeded the threshold: \n{{#ctx.payload.results}}{{key}}:{{value}}\n{{/ctx.payload.results}}"
        }
      }
    }
  },
  "metadata": {
    "color": "red"
  },
  "transform": {
    "script": {
      "source": "HashMap result = new HashMap(); ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; ArrayList filteredHits = new ArrayList(); for (int i = 0; i < arr.length; i++) { HashMap filteredHit = new HashMap(); filteredHit.key = arr[i].key; filteredHit.value = Math.round(arr[i]['metricAgg'].value * 100); if (filteredHit.value > params.threshold) { filteredHits.add(filteredHit); } } result.results = filteredHits; return result;",
      "lang": "painless",
      "params": {
        "threshold": 85
      }
    }
  }
}
```

Hey,

If you have a certain hostname scheme, you could use a prefix query in your watch that searches for ldap- in the hostname field (or something similar), and thus find all the LDAP servers.

Hope that helps!

--Alex
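The prefix-query suggestion applied to the watch posted above, as an added example that is not part of the original thread: this object replaces the "query" section of the watch's search body. It assumes beat.hostname is a keyword field, where prefix matching is case-sensitive (hence both ADDC and addc), and that every AD server shares that prefix, which is inferred only from the three hostnames in the post.

```json
{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "{{ctx.trigger.scheduled_time}}||-15m",
              "lte": "{{ctx.trigger.scheduled_time}}",
              "format": "strict_date_optional_time||epoch_millis"
            }
          }
        },
        {
          "bool": {
            "should": [
              { "prefix": { "beat.hostname": "ADDC" } },
              { "prefix": { "beat.hostname": "addc" } }
            ],
            "minimum_should_match": 1
          }
        }
      ]
    }
  }
}
```

The aggregation, condition and transform stay unchanged, since they work on the beat.hostname buckets of whatever documents the query matched.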
