I am trying to output the search's timestamp range in the alert notification message rather than the monitor's start/end time. The search uses a 5-minute offset.
"range": {
"@timestamp": {
"from": "{{period_end}}||-6m",
"to": "{{period_end}}||-5m",
"include_lower": true,
"include_upper": true,
"format": "epoch_millis",
"boost": 1
}
The UI indicates that only `ctx` variables are available for Painless scripting. `{{ctx.periodStart}}` and `{{ctx.periodEnd}}` represent the monitor interval's start and end times, not the offset range used by the search. Any ideas on how to solve this?
The working extraction query is:
{
"size": 0,
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "\"Cause = 504 Gateway Time-out\"",
"fields": [],
"type": "best_fields",
"default_operator": "or",
"max_determinized_states": 10000,
"enable_position_increments": true,
"fuzziness": "AUTO",
"fuzzy_prefix_length": 0,
"fuzzy_max_expansions": 50,
"phrase_slop": 0,
"analyze_wildcard": true,
"escape": false,
"auto_generate_synonyms_phrase_query": true,
"fuzzy_transpositions": true,
"boost": 1
}
},
{
"match_phrase": {
"@owner": {
"query": "Production",
"slop": 0,
"zero_terms_query": "NONE",
"boost": 1
}
}
},
{
"range": {
"@timestamp": {
"from": "{{period_end}}||-6m",
"to": "{{period_end}}||-5m",
"include_lower": true,
"include_upper": true,
"format": "epoch_millis",
"boost": 1
}
}
}
],
"adjust_pure_negative": true,
"boost": 1
}
},
"version": true
}