How to remove _id, _index, _type, num_matches, num_hits and @timestamp from ElastAlert rules

Hi All,

Below is the content which I'm getting in my Gmail inbox. I want to remove _id, _index, _type, num_matches, num_hits and @timestamp; I only want the message to be included in my email every time it triggers.

Below is what is getting into my Gmail inbox:

@timestamp: 2021-05-24T11:16:06Z
_id: 2S0WnnkBz7SOxaiw1TZk
_index: logstash-2021.05.24
_type: _doc
message: <30>May 24 11:16:06 fx-prod-1 prod_fx-control-plane.1.knel5yam 2021-05-24 11:16:06.926 INFO 1 --- [nio-8080-exec-9] com.fxlabs.fxt.rest.run.RunController : Find Latest by job id [8a8089ba777311370177734530902ec8] org [8a8081066e02d6a2016e04eacd2005c7] principal [8a808155647d283a01647d7c5e0d07ba]
num_hits: 8
num_matches: 1

and

Here is the rules.yaml file which I used to trigger the email for this issue:

# Alert when the rate of events exceeds a threshold

# (Optional)
# Elasticsearch host
# es_host: elasticsearch.example.com

es_host: elasticsearch.test.com
# (Optional)
# Elasticsearch port
#es_port: 14900
es_port: 9200

# (Optional) Connect with SSL to Elasticsearch
#use_ssl: True

# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword
es_username: testelastic
es_password: xxxx


# (Required)
# Rule name, must be unique
name: Exception Alert

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
#type: blacklist
type: any
include: ["message"]

# (Required)
# Index to search, wildcard supported
#index: logstash*
index: filebeat*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
#num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
#  hours: 1
#  minutes: 1
  seconds: 1

#compare_key: "message"

#blacklist:

#- "error"

realert:
  minutes: 5

# This sends out all matches in one email
# aggregation:
#  minutes: 1

#  seconds: 0
#filter:
#- term:
#    message: "[error]"

#filter:
# - match:
#    message: "job"

filter:
- query:
    query_string:
#     query: "message: exception AND  message: control"
      query: "message: job"
#filter:
#- query:
#   query_string:
#    query: "message: error"

alert:

- "slack"
- "email"


#- slack
slack_webhook_url: "https://hooks.slack.com/services/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"
#slack_username_override: "ElastAlert"
slack_username_override: "Mohd Rashid"

#- email
email: ["rashidmd777@gmail.com"]
smtp_host: "smtp.gmail.com"
smtp_port: "587"
from_addr: "rashidmd777@gmail.com"

How do I do it? Please let me know ASAP.
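One way to get only the message field into the alert body, written here as an added example rule and not taken from the thread or from ElastAlert's own sample rules. It relies on ElastAlert's alert_text, alert_text_args and alert_text_type settings: with alert_text_type set to alert_text_only, the default dump of every field in the match is suppressed and only the formatted alert_text is sent. The include: ["message"] line in the original rule limits which source fields are fetched from Elasticsearch, but _id, _index and _type come from the hit metadata and num_hits/num_matches are appended by ElastAlert to every match, which is why they still show up in the email. Host, index, webhook and e-mail addresses below are placeholders.

```yaml
# Added example rule (not from the thread); host, index, webhook and addresses are placeholders.
es_host: elasticsearch.example.com
es_port: 9200

name: Exception Alert
type: any
index: filebeat*

# Only fetch the message field from Elasticsearch. This limits what is
# available to the alert body but does not by itself remove _id, _index,
# _type or the num_hits/num_matches counters ElastAlert adds to each match.
include: ["message"]

filter:
- query:
    query_string:
      query: "message: job"

realert:
  minutes: 5

# Build the alert body ourselves instead of letting ElastAlert list every field.
# alert_text_only: send only alert_text, with no field list and no counters.
# (Use exclude_fields instead if the num_hits/num_matches summary should stay.)
alert_text_type: alert_text_only
alert_subject: "Exception Alert: job event"
# {0} is replaced with the first entry of alert_text_args, looked up in the match.
alert_text: "{0}"
alert_text_args: ["message"]

alert:
- "slack"
- "email"

slack_webhook_url: "https://hooks.slack.com/services/PLACEHOLDER"
slack_username_override: "ElastAlert"

email: ["alerts@example.com"]
smtp_host: "smtp.gmail.com"
smtp_port: 587
from_addr: "alerts@example.com"
# smtp_auth_file: /path/to/smtp_auth.yaml   # user/password for authenticated SMTP
```

The placeholders in alert_text are positional (`{0}`, `{1}`, ...) and map in order onto alert_text_args; a field that is missing from a given match renders as `<MISSING VALUE>` rather than failing the alert, so the rule still fires for events without that field. The same alert_text applies to every alerter listed under alert, so the Slack message and the e-mail body both carry just the message line.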

I would recommend you reach out to the ElastAlert community as it is a third-party component. Not sure how many here have experience with it.

ElastAlert doesn't have any community to post my issue to.

Maybe here?
