Kibana alert with index connector: indexing {{context}} as JSON

Hi,

I am trying to set up an ES query alert using an index connector. I would like to have behavior similar to the predefined alert index, but my ELK version is 7.12 and that index was not available in that version.

I am creating an index with the following configuration:

PUT /lb_dc_alerts/_mapping
{
  "_doc": {
    "dynamic": "false",
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "event": {
        "properties": {
          "kind": {
            "type": "keyword"
          }
        }
      },
      "kibana": {
        "properties": {
          "alert": {
            "properties": {
              "actionGroup": {
                "type": "keyword"
              },
              "actionGroupName": {
                "type": "keyword"
              },
              "actionSubgroup": {
                "type": "keyword"
              },
              "context": {
                "type": "object",
                "enabled": false
              },
              "id": {
                "type": "keyword"
              }
            }
          }
        }
      },
      "message": {
        "type": "text",
        "norms": false
      },
      "rule": {
        "properties": {
          "author": {
            "type": "keyword"
          },
          "category": {
            "type": "keyword"
          },
          "id": {
            "type": "keyword"
          },
          "license": {
            "type": "keyword"
          },
          "name": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword"
              }
            }
          },
          "params": {
            "type": "object",
            "enabled": false
          },
          "space": {
            "type": "keyword"
          },
          "type": {
            "type": "keyword"
          }
        }
      },
      "tags": {
        "type": "keyword",
        "ignore_above": 1024,
        "meta": {
          "isArray": "true"
        }
      }
    }
  }
}

Then, when creating the alert, I configure the document to index as follows:

{
  "@timestamp": "{{date}}",
  "tags": "{{rule.tags}}",
  "rule": {
    "id": "{{rule.id}}",
    "name": "{{rule.name}}",
    "params": "{{params}}",
    "space": "{{rule.spaceId}}",
    "type": "{{rule.type}}"
  },
  "kibana": {
    "alert": {
      "id": "{{alert.id}}",
      "context": "{{context}}",
      "actionGroup": "{{alert.actionGroup}}",
      "actionGroupName": "{{alert.actionGroupName}}"
    }
  },
  "event": {
    "kind": "alert"
  }
}

But when I look at the indexed document, the context value appears like this, rather than in separate fields (i.e. the JSON is not parsed):

I tried changing it to {{context.hits}} directly and the same thing happens. I also tried changing the mapping of context to "type": "nested" and "enabled": true, but then documents don't get indexed (and I don't know if there is a place where I can see which error is causing the problem). I also wanted to try indexing a document manually, but I am not sure exactly what data type context receives.

Can you help me with this? Thanks!
