How to include specific fields (columns) in Kibana Discover links in alert emails?

Hi everyone,

I'm using Kibana to set up alerts, and in my alert email templates, I include the {{context.link}} variable to provide a link to the Discover page. However, when clicking this link, I want specific fields like kubernetes.container.name and message to be displayed automatically in the Discover view.

I've tried appending parameters to the link like this:
{{context.link}}&_a=(columns:!(kubernetes.container.name,message)),
but it doesn’t seem to work — the fields still don't show up.

Is there a way to modify the {{context.link}} or include specific fields/columns in the Discover view when users click the link? If this isn't possible directly, are there alternative solutions to achieve this?

Thanks in advance for your help!

Hello,

Can we create a search and save it in discover & share this link for your alert?

Thanks!!

Hello,

Thank you for your answer.

First of all, I am not sure about how to share a discover link within an alert trigger.

And to give more context for the alert:

I have actually multiple alerts on different container and once a day the alert checks if my query KQL is met. If so, then it triggers the action that sends an email with the url link to check the logs retrieved from the query.

Upon receiving the email, I click on the link which leads me to the discover screen from that query but there I have no selected field, but I would like to a have some fields already displayed such as message or the container name for more efficiency.

Thank you !

Thank you for the information.

The steps i was asking to follow is as below :

  1. Go to discover & apply all the filter,columns you want to see.
  2. Save this view will all filters/columns with a name ABC
  3. Now you clear all the filters & on discover we will see Open > ABC
  4. On selecting ABC it should auto apply the filters & view will be shown.
  5. Now we have a URL which is formed for this specific view
  6. From the URL you get, it needs to be configured to below :
    https://yourURL/app/discover#/view/yourview_id?_g=(filters%3A!()%2CrefreshInterval%3A(pause%3A!t%2Cvalue%3A0)%2Ctime%3A(from%3A'2024-11-25T10:39:31.310961588Z||-24h'%2Cmode%3Aabsolute%2Cto%3A'2024-11-25T10:39:31.310961588Z'))

Currently it is set to
Time : 2024-11-25T10:39:31.310961588Z
-24h : Time to last 24 hours

This time you need to pull from the Watcher firing time & instead of 24 hours whatever time you want to show this is generally shown as per the interval time of Watcher , if it is scheduled to run every 4 hours than -4h, if every 1h than 1h so need to set this as per your requirement.

And this URL should be used in your alert which is dynamic.

Hope this helps. Please let me know incase if this understanding is wrong?

Thanks!!

It totaly helps, that is exactly what I needed.

Thank you for your time and help !

1 Like