How to return results with ctx.payload

While creating a Kibana alert and trigger I have the following results from an extraction query response, and I am wondering how to properly use ctx.payload in the message (sent via webhook to Slack) to return the hospital results below.
Currently the message carries the following, and of course the Results section fails to return anything:

Thanks...

Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.

  • Trigger: {{ctx.trigger.name}}
  • Severity: {{ctx.trigger.severity}}
  • Period start: {{ctx.periodStart}}
  • Period end: {{ctx.periodEnd}}
  • Results: {{/ctx.payload}}

```json
{
    "_shards": {
        "total": 1,
        "failed": 0,
        "successful": 1,
        "skipped": 0
    },
    "hits": {
        "hits": [],
        "total": {
            "value": 27,
            "relation": "eq"
        },
        "max_score": null
    },
    "took": 2,
    "timed_out": false,
    "aggregations": {
        "2": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
                {
                    "1": {
                        "value": 1332
                    },
                    "3": {
                        "doc_count_error_upper_bound": 0,
                        "sum_other_doc_count": 11,
                        "buckets": [
                            {
                                "1": {
                                    "value": 249
                                },
                                "doc_count": 5,
                                "key": "PRISMA HEALTH  PATEWOOD HOSPITAL"
                            },
                            {
                                "1": {
                                    "value": 245
                                },
                                "doc_count": 5,
                                "key": "PRISMA HEALTH GREER MEMORIAL HOSPITAL"
                            },
                            {
                                "1": {
                                    "value": 99
                                },
                                "doc_count": 2,
                                "key": "MUSC HEALTH FLORENCE MEDICAL CENTER"
                            },
                            {
                                "1": {
                                    "value": 98
                                },
                                "doc_count": 2,
                                "key": "ANMED HEALTH"
                            },
                            {
                                "1": {
                                    "value": 98
                                },
                                "doc_count": 2,
                                "key": "PIEDMONT MEDICAL CENTER"
                            }
                        ]
                    },
                    "doc_count": 27,
                    "key": "hospital"
                }
            ]
        }
    }
}
```

Are you using watcher or Kibana's new alerts and actions?

Can you provide more context about what you are trying to do?

Yes, thanks for asking. I am using Alerts and Actions. I know I can get a visualization to return the five top hospitals, but I was trying to use the trigger to send the results via my current webhook.
I used a trigger that returned the following (and yes, it says top10; I am working on top5 first 🙂):

Monitor JohnO-top10Infections_mod1 just entered alert status. Please investigate the issue.
- Trigger: Top Hospitals_MOD Test
- Severity: 3
- Period start: 2020-11-03T17:40:31Z
- Period end: 2020-11-03T17:41:31Z
- Results:

does that help?

And I just realized it is Mustache, so I changed to

Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
- Trigger: {{ctx.trigger.name}}
- Severity: {{ctx.trigger.severity}}
- Period start: {{ctx.periodStart}}
- Period end: {{ctx.periodEnd}}
- Results: {{ctx.results}}

and now get sent:

Monitor JohnO-top10Infections_mod1 just entered alert status. Please investigate the issue.
- Trigger: Top Hospitals_MOD Test
- Severity: 3
- Period start: 2020-11-03T20:18:15.821Z
- Period end: 2020-11-03T20:19:15.821Z
- Results: {0={_shards={total=1, failed=0, successful=1, skipped=0}, hits={hits=[], total={value=10000, relation=gte}, max_score=null}, took=1, timed_out=false, aggregations={hospital={doc_count_error_upper_bound=0, sum_other_doc_count=0, buckets=[{1={value=171331.0}, doc_count=18988, 3={doc_count_error_upper_bound=-1, sum_other_doc_count=18833, buckets=[{1={value=20301.0}, doc_count=31, key=UNIVERSITY OF MD BALTIMORE WASHINGTON MEDICAL CENTER}, {1={value=11617.0}, doc_count=31, key=MEDSTAR SAINT MARY'S HOSPITAL}, {1={value=9585.0}, doc_count=31, key=HOWARD COUNTY GENERAL HOSPITAL}, {1={value=7980.0}, doc_count=31, key=UNION HOSPITAL OF CECIL COUNTY}, {1={value=7797.0}, doc_count=31, key=FREDERICK HEALTH HOSPITAL}]}, key=hospital}]}}}}

So now I need to just, I assume, work through a loop?
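
For readers who land here with the same question: the loop above can be written in plain code to see what the template has to walk. The example below is added here and is not code from this thread or from the Open Distro project. It takes a `ctx` shaped like the output pasted above (`ctx.results` is a list of search responses; the terms aggregation is named `hospital`, its sub-aggregation `3`, its metric `1`), descends to the innermost buckets without hard-coding Kibana's numeric aggregation names, and formats the "Results" lines. The `MUSTACHE_TEMPLATE` constant is an assumption about how the same loop reads in the alerting message editor, based on Mustache's `{{#section}}`/`{{/section}}` syntax with dotted paths; the sample data is constructed from the pasted output.

```python
"""Added example (not from the thread): build the per-hospital "Results" lines
from an alerting context whose results[0] is an Elasticsearch search response.

Assumptions, labelled here and in comments: ctx field names follow the posted
output (monitor.name, trigger.name, trigger.severity, periodStart, periodEnd,
results); aggregation names "hospital", "3" and "1" come from the posted JSON.
"""

# Assumed Mustache equivalent of the loop below: sections iterate over lists,
# dotted paths step into maps, and "0" indexes the first search response.
# Double braces HTML-escape values (e.g. an apostrophe in a hospital name);
# use triple braces {{{key}}} if the raw text is wanted.
MUSTACHE_TEMPLATE = """\
- Results:
{{#ctx.results.0.aggregations.hospital.buckets}}
{{#3.buckets}}
    {{key}}: {{1.value}} ({{doc_count}} docs)
{{/3.buckets}}
{{/ctx.results.0.aggregations.hospital.buckets}}
"""

# Constructed sample, reduced from the response pasted in the thread.
SAMPLE_CTX = {
    "monitor": {"name": "JohnO-top10Infections_mod1"},
    "trigger": {"name": "Top Hospitals_MOD Test", "severity": "3"},
    "periodStart": "2020-11-03T20:18:15.821Z",
    "periodEnd": "2020-11-03T20:19:15.821Z",
    "results": [{
        "hits": {"hits": [], "total": {"value": 10000, "relation": "gte"}},
        "aggregations": {"hospital": {"buckets": [{
            "key": "hospital", "doc_count": 18988, "1": {"value": 171331.0},
            "3": {"buckets": [
                {"key": "UNIVERSITY OF MD BALTIMORE WASHINGTON MEDICAL CENTER",
                 "doc_count": 31, "1": {"value": 20301.0}},
                {"key": "MEDSTAR SAINT MARY'S HOSPITAL",
                 "doc_count": 31, "1": {"value": 11617.0}},
                {"key": "HOWARD COUNTY GENERAL HOSPITAL",
                 "doc_count": 31, "1": {"value": 9585.0}},
            ]},
        }]}},
    }],
}


def leaf_buckets(agg):
    """Return the innermost bucket list of a (possibly nested) terms aggregation.

    Kibana names aggregations by number ("2", "3", ...), so rather than
    hard-coding names we descend through any bucket value that itself carries
    a "buckets" list until no deeper list exists.
    """
    buckets = agg.get("buckets", [])
    for bucket in buckets:
        for value in bucket.values():
            if isinstance(value, dict) and "buckets" in value:
                return leaf_buckets(value)
    return buckets


def metric_value(bucket, metric="1"):
    """Metric sub-aggregation value of a bucket, or None if absent."""
    m = bucket.get(metric)
    return m.get("value") if isinstance(m, dict) else None


def top_hospitals(response, limit=5):
    """[(key, doc_count, metric_value)] for the innermost buckets, highest first."""
    rows = []
    for agg in response.get("aggregations", {}).values():
        for bucket in leaf_buckets(agg):
            rows.append((bucket["key"], bucket["doc_count"], metric_value(bucket)))
    rows.sort(key=lambda r: r[2] if r[2] is not None else 0, reverse=True)
    return rows[:limit]


def slack_safe(text):
    """Escape the three characters Slack's message text treats as control
    sequences. Bucket keys are indexed data, i.e. untrusted once they reach a
    webhook: a key containing "<!channel>" would otherwise page everyone.
    """
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def render_message(ctx, limit=5):
    """Render the notification text the thread's template is aiming for."""
    lines = [
        f"Monitor {ctx['monitor']['name']} just entered alert status. Please investigate the issue.",
        f"- Trigger: {ctx['trigger']['name']}",
        f"- Severity: {ctx['trigger']['severity']}",
        f"- Period start: {ctx['periodStart']}",
        f"- Period end: {ctx['periodEnd']}",
        "- Results:",
    ]
    for key, docs, value in top_hospitals(ctx["results"][0], limit):
        shown = "n/a" if value is None else f"{value:g}"
        lines.append(f"    {slack_safe(key)}: {shown} ({docs} docs)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_message(SAMPLE_CTX))
```

The same walk applies to the first response posted in the question, where the outer aggregation is named `2` instead of `hospital`; only the Mustache constant, which names the aggregations explicitly, would need the path changed.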

Hi @johno79,
Welcome to the Elastic community 🙂

I'm sorry to say that looking at your configuration above I believe you're not in fact using Kibana's Alerting framework, but rather Amazon's OpenDistro for Elasticsearch.
This is not the Elastic distribution of Kibana, but rather an Amazon specific product (see the differences here). We unfortunately cannot offer support for Amazon's distribution, so you may have better luck asking in their forums.

It's also worth noting that we do have an alerting feature as part of our distribution as well, which we are happy to offer support for: https://www.elastic.co/what-is/kibana-alerting

Good point. We do run ELK and Open Distro, and you are right: our production is ELK, but I am doing this in dev, so that may be Open Distro.
