Include name of downed monitor in XPack alert

Following this guide, I have a working alert to OpsGenie when a monitor goes down. However, the alert that is generated is so unhelpful and requires logging into Kibana.

Is there a way to customize the title of the alert that is sent to OpsGenie so that I can include the name of the monitors that triggered the alert?

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "heartbeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "term": {
                    "monitor.status": {
                      "value": "down"
                    }
                  }
                }
              ],
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "from": "now-1m"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "opsgenie": {
      "webhook": {
        "scheme": "https",
        "host": "api.opsgenie.com",
        "port": 443,
        "method": "post",
        "path": "/v1/json/eswatcher",
        "params": {
          "apiKey": "value"
        },
        "headers": {
          "Content-Type": "application/json"
        },
        "body": "{{#toJson}}ctx{{/toJson}}"
      }
    }
  }
}

So, with a watch, ctx.payload is just a regular Elasticsearch response. To get a monitor ID from the first matched doc you'd use:

{{ctx.payload.hits.hits.0._source.monitor.id}}

You might also want to read the watcher docs.

You probably also want to create a watch per monitor, since this will only report the first matched monitor. Alternatively you can use aggregations to make a single monitor that watches everything, but that's tricky. If you have a lot of monitors you may want to script that.

As a heads up we're working on a new alerting solution that should be much easier to use (and graphically based), but that won't be available in the near term.
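As an added example (not code from the thread or from Elastic), here is the aggregation approach the reply mentions, worked through: the watch from the question is extended with a `terms` aggregation on `monitor.id`, so a single watch reports every monitor that is down rather than only the first hit, and the alert title is built with a Mustache loop over the buckets. A pure-Python rendering of the same template over a constructed sample payload lets you check the title before installing the watch. Assumptions: the action posts to the OpsGenie Alert API v2 (`POST /v2/alerts`, where `message` is the alert title and `alias` deduplicates repeated firings) instead of the `/v1/json/eswatcher` integration path used in the question, and `OPSGENIE_API_KEY` is a placeholder.

```python
import json

# Added example, not the thread's own code. Assumes the OpsGenie Alert API v2
# (POST /v2/alerts, "message" = alert title); the key below is a placeholder.
OPSGENIE_API_KEY = "<OPSGENIE_API_KEY>"

# Mustache loop rendered by Watcher: one "<id> (<n> down checks);" per bucket.
TITLE_TEMPLATE = (
    "Heartbeat monitors down:"
    "{{#ctx.payload.aggregations.by_monitor.buckets}}"
    " {{key}} ({{doc_count}} down checks);"
    "{{/ctx.payload.aggregations.by_monitor.buckets}}"
)


def build_watch():
    """Return the watch definition as a dict (its JSON is the PUT _watcher/watch/<id> body)."""
    return {
        "trigger": {"schedule": {"interval": "1m"}},
        "input": {"search": {"request": {
            "indices": ["heartbeat-*"],
            "rest_total_hits_as_int": True,
            "body": {
                "size": 0,  # only the aggregation is needed, not the raw hits
                "query": {"bool": {
                    "must": [{"term": {"monitor.status": {"value": "down"}}}],
                    "filter": [{"range": {"@timestamp": {"from": "now-1m"}}}],
                }},
                # one bucket per distinct monitor that reported "down"
                "aggs": {"by_monitor": {"terms": {"field": "monitor.id", "size": 100}}},
            },
        }}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {"opsgenie": {"webhook": {
            "scheme": "https", "host": "api.opsgenie.com", "port": 443,
            "method": "post", "path": "/v2/alerts",  # assumption: Alert API v2
            "headers": {
                "Content-Type": "application/json",
                "Authorization": "GenieKey " + OPSGENIE_API_KEY,
            },
            # Watcher renders the Mustache template, then posts the body as-is.
            "body": json.dumps({
                "message": TITLE_TEMPLATE,
                "description": "{{ctx.payload.hits.total}} down checks in the last minute",
                "alias": "heartbeat-down",  # collapses repeated firings into one alert
            }),
        }}},
    }


def downed_monitors(payload):
    """Monitor ids the template loops over, taken from the terms buckets."""
    return [b["key"] for b in payload["aggregations"]["by_monitor"]["buckets"]]


def render_title(payload):
    """Python equivalent of TITLE_TEMPLATE applied to the same payload."""
    parts = [
        " %s (%d down checks);" % (b["key"], b["doc_count"])
        for b in payload["aggregations"]["by_monitor"]["buckets"]
    ]
    return "Heartbeat monitors down:" + "".join(parts)


# Constructed sample of ctx.payload, shaped like a real search response.
SAMPLE_PAYLOAD = {
    "hits": {"total": 3, "hits": []},
    "aggregations": {"by_monitor": {"buckets": [
        {"key": "api-gateway", "doc_count": 2},
        {"key": "billing-db", "doc_count": 1},
    ]}},
}

if __name__ == "__main__":
    print(json.dumps(build_watch(), indent=2))
    print(render_title(SAMPLE_PAYLOAD))
```

Because the search uses `"size": 0`, the `{{ctx.payload.hits.hits.0._source.monitor.id}}` shortcut from the reply no longer applies; the names come from the buckets instead, and the `terms` size caps how many monitors one alert can list. Heartbeat also indexes `monitor.name`, which can replace `monitor.id` in the aggregation if the configured display name is more useful in the alert.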
