How to get Kubernetes namespace in webhook alert payload?

Hi. Does anyone know how to get the Kubernetes namespace in the webhook alert payload from the Metricbeat k8s module? Or more generically, how to access the event data to include in the payload?

I installed Metricbeat on Kubernetes using this guide: Run Metricbeat on Kubernetes | Metricbeat Reference [7.15] | Elastic

and I got this data:

However, when I created a webhook alert with this payload to see all the available properties:

alert:
{{alert}}

context:
{{context}}

This is the only data included:

alert:
{\"id\":\"ubuntu\",\"actionGroup\":\"metrics.inventory_threshold.fired\",\"actionGroupName\":\"Alert\"}

context:
{\"group\":\"ubuntu\",\"alertState\":\"ALERT\",\"reason\":\"CPU usage is greater than a threshold of 80 (current value is 99.9%)\",\"timestamp\":\"2021-10-14T22:56:11.799Z\",\"value\":{\"condition0\":\"99.9%\"},\"threshold\":{\"condition0\":[80]},\"metric\":{\"condition0\":\"cpu\"}}

Anyone know how to include the kubernetes.namespace from the source to the alert payload? I need it to be able to identify the pod in the alert uniquely.

Hey @AndyLibrian,

I don't believe you're able to access the entire document for those alerts in the context of the webhook payload.

However, if you're able to craft your alert as an Elasticsearch query alert, you'll get access to some documents in your payload.

I set one up with a payload defined like this:

{{context.hits.0}}

{{context.hits.0._source.agent}}

which resulted in this:

{\"_index\":\"kibana_sample_data_logs\",\"_type\":\"_doc\",\"_id\":\"OvoYpHwBZdnJynTDaaMV\",\"_score\":null,\"_source\":{\"agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1\",\"bytes\":6928,\"clientip\":\"34.98.136.159\",\"extension\":\"\",\"geo\":{\"srcdest\":\"IN:CA\",\"src\":\"IN\",\"dest\":\"CA\",\"coordinates\":{\"lat\":41.87877778,\"lon\":-92.28456944}},\"host\":\"www.elastic.co\",\"index\":\"kibana_sample_data_logs\",\"ip\":\"34.98.136.159\",\"machine\":{\"ram\":17179869184,\"os\":\"win 7\"},\"memory\":null,\"message\":\"34.98.136.159 - - [2018-08-02T20:06:51.816Z] \\\"GET /elasticsearch HTTP/1.1\\\" 200 6928 \\\"-\\\" \\\"Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1\\\"\",\"phpmemory\":null,\"referer\":\"http://www.elastic-elastic-elastic.com/success/ulrich-walter\",\"request\":\"/elasticsearch\",\"response\":200,\"tags\":[\"success\",\"info\"],\"timestamp\":\"2021-10-21T20:06:51.816Z\",\"url\":\"https://www.elastic.co/downloads/elasticsearch\",\"utc_time\":\"2021-10-21T20:06:51.816Z\",\"event\":{\"dataset\":\"sample_web_logs\"}},\"fields\":{\"@timestamp\":[\"2021-10-21T20:06:51.816Z\"]},\"sort\":[1634846811816]}

Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1

Hope this helps.
Brian
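
Added example, not part of the original posts or Elastic's code: a receiver-side sketch that decodes a webhook body carrying the rendered `{{context.hits.0}}` and pulls out the namespace and pod name. The body template `{"hit": "{{context.hits.0}}"}`, the `kubernetes.pod.name` field, the function names and the sample document are assumptions made for illustration.

```python
import json

# Constructed sample document; index, namespace and pod name are made up.
SAMPLE_HIT = {
    "_index": "metricbeat-sample",
    "_source": {"kubernetes": {"namespace": "payments",
                               "pod": {"name": "api-7d9f"}}},
}
# Body as received for the assumed template {"hit": "{{context.hits.0}}"}:
# the hit is a string of escaped JSON, like the \" output shown above.
SAMPLE_BODY = json.dumps({"hit": json.dumps(SAMPLE_HIT)})


def decode_hit(body: str) -> dict:
    """Parse the webhook body and return the first hit as a dict."""
    outer = json.loads(body)
    if not isinstance(outer, dict):
        raise ValueError("webhook body is not a JSON object")
    hit = outer.get("hit", "")
    # The hit arrives as JSON text inside a string, so it needs a second
    # parse. An empty string (no matching document) becomes an empty dict.
    if isinstance(hit, str):
        hit = json.loads(hit) if hit.strip() else {}
    if not isinstance(hit, dict):
        raise ValueError("hit is not a JSON object")
    return hit


def get_path(doc, dotted: str, default=None):
    """Walk a dotted path such as '_source.kubernetes.namespace'."""
    node = doc
    for key in dotted.split("."):
        if isinstance(node, dict) and key in node:
            node = node[key]
        else:
            return default
    return node


def pod_identity(body: str):
    """Return 'namespace/pod', or None if either field is missing."""
    hit = decode_hit(body)
    namespace = get_path(hit, "_source.kubernetes.namespace")
    pod = get_path(hit, "_source.kubernetes.pod.name")
    if not isinstance(namespace, str) or not isinstance(pod, str):
        return None
    return f"{namespace}/{pod}"
```

The webhook body is external input to the receiver, so a missing or malformed field yields `None` or a `ValueError` rather than a partial identifier.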
