The result set, for example, is:
{
"_shards": {
"total": 14,
"failed": 0,
"successful": 14,
"skipped": 0
},
"hits": {
"hits": [
{
"_index": "logs-cfsyslog-2023.07.26",
"_type": "_doc",
"_source": {
"msg": "-",
"referer": "-",
"request_size_b": 7586,
"x_forwarded_host": "-",
"type": "request",
"response_status": 502,
"correlation_id": "caef30ae-e285-430b-5d07-0a9a36c34019"
},
"_id": "RWbSkYkBtg3oak8jtmYg",
"_score": 2.2181222
},
{
"_index": "logs-cfsyslog-2023.07.24",
"_type": "_doc",
"_source": {
"msg": "-",
"referer": "-",
"request_size_b": 610,
"x_forwarded_host": "-",
"response_status": 502,
"correlation_id": "63323fc8-efba-424f-69a9-adc7e313dcb1"
},
"_id": "vY7KhokBjssTDO_uKkRP",
"_score": 2.148272
},
{
"_index": "logs-cfsyslog-2023.07.22",
"_type": "_doc",
"_source": {
"msg": "-",
"referer": "-",
"response_status": 500,
"correlation_id": "7f0b2e77-387f-468d-6bfc-5a4b710668f2"
},
"_id": "84ipf4kBjssTDO_uZFYk",
"_score": 2.0124397
}
],
"total": {
"value": 3,
"relation": "eq"
},
"max_score": 2.2181222
},
"took": 3,
"timed_out": false
}
I want to extract the correlation_id and response_status for each of the documents returned in the result set and include them in the email alert.
The sample I am using right now returns only the single first value. I want to know how to loop over the result set.
The sample I am using for the email alert is:
{
"eventType": "KibanaAlert",
"resource": {
"resourceName": "{{ctx.trigger.name}}",
"resourceType": "cloud-resource"
},
"severity": "WARNING",
"category": "ALERT",
"subject": "Kibana Alert by {{ctx.trigger.name}} triggered",
"body": "Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue. CorrelationId is :{{ctx.results.0.hits.hits.0._source.correlation_id}},Response status is :{{ctx.results.0.hits.hits.0._source.response_status}}",
"tags": {
"ctx.monitor.name": "{{ctx.monitor.name}}",
"ctx.trigger.name": "{{ctx.trigger.name}}",
"ctx.periodStart": "{{ctx.periodStart}}",
"ctx.periodEnd": "{{ctx.periodEnd}}",
"ctx.trigger.severity": "{{ctx.trigger.severity}}",
"ctx.results":"{{ctx.results.0.hits.hits.0._source.correlation_id}}"
}
}