I'm using Kibana to set up alerts, and in my alert email templates, I include the {{context.link}} variable to provide a link to the Discover page. However, when clicking this link, I want specific fields like kubernetes.container.name and message to be displayed automatically in the Discover view.
I've tried appending parameters to the link like this: {{context.link}}&_a=(columns:!(kubernetes.container.name,message)),
but it doesn’t seem to work — the fields still don't show up.
Is there a way to modify the {{context.link}} or include specific fields/columns in the Discover view when users click the link? If this isn't possible directly, are there alternative solutions to achieve this?
First of all, I am not sure about how to share a discover link within an alert trigger.
And to give more context for the alert:
I actually have multiple alerts on different containers, and once a day the alert checks if my KQL query is met. If so, it triggers the action that sends an email with the URL link to check the logs retrieved from the query.
Upon receiving the email, I click on the link, which leads me to the Discover screen from that query, but there I have no selected fields. I would like to have some fields already displayed, such as message or the container name, for more efficiency.
Currently it is set to
Time : 2024-11-25T10:39:31.310961588Z
-24h : Time to last 24 hours
You need to pull this time from the Watcher firing time, and instead of 24 hours use whatever time you want to show. This is generally shown as per the interval time of the Watcher: if it is scheduled to run every 4 hours then -4h, if every 1h then 1h, so you need to set this as per your requirement.
And this URL should be used in your alert which is dynamic.
Hope this helps. Please let me know in case this understanding is wrong.