Kibana Alerting ES query with runtime_mappings field

I am trying to create an Alert rule with es query that contains runtime mappings (Elasticsearch query | Kibana Guide [7.13] | Elastic).
My rule is like below:

{
  "runtime_mappings": {
    "file_found_status": {
      "type": "keyword",
      "script": {
        "source": "/* guard both doc values first: .value on a document that lacks the field throws and fails the query */ if (doc['kubernetes.labels.app.keyword'].size() > 0 && doc['message_nonjson.keyword'].size() > 0 && doc['kubernetes.labels.app.keyword'].value == 'test') { if (doc['message_nonjson.keyword'].value.contains(\"FILE_\" + doc['@timestamp'].value.toString(\"YYYYMMdd\"))) { emit(\"file found\"); } else { emit(\"file not found\"); } }"
      }
    }
  },
  "fields": [
    "file_found_status"
  ],
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "file_found_status": "file not found"
          }
        }
      ]
    }
  }
}

The query works in Dev Tools and some documents are matched, but when I test it with "Test Query" inside the "create rule" page, it always shows 0 documents matched.

I am using kibana version: 7.13.4

Does the Alert rule not support runtime_mappings?
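An added example, not part of the original post and not Elastic's code: a small offline lint for an "Elasticsearch query" rule body that uses runtime_mappings. It covers the two things worth checking before pasting a body from Dev Tools into the rule editor: the editor expects strict JSON, while the console also accepts triple-quoted script strings, and every field the query, the "fields" list and the Painless doc['...'] accessors refer to must be defined either in runtime_mappings or in the index mapping. The sample body and the index field list are constructed for the example (the body deliberately keeps the file_found / file_found_status mismatch so the lint has something to report); nothing here connects to Elasticsearch or Kibana.

```python
"""Lint for a Kibana ES-query rule body with runtime_mappings (added example).

Checks:
  1. Dev Tools console bodies may contain triple-quoted strings, which are not
     JSON; convert_console_body() rewrites them into JSON string literals.
  2. Fields referenced by the query, by "fields" and by doc['...'] in the
     runtime scripts must exist in runtime_mappings or in the index mapping.
The index field list below is constructed; no cluster is contacted.
"""
import json
import re
from typing import Any, Dict, Iterable, List, Set

# Console-only syntax: triple-quoted string literals, possibly spanning lines.
TRIPLE_QUOTED = re.compile(r'"""(.*?)"""', re.DOTALL)
# doc['field'] accessors inside Painless sources.
DOC_ACCESS = re.compile(r"doc\['([^']+)'\]")
# Leaf query clauses whose object keys name a field.
FIELD_CLAUSES = {"match", "match_phrase", "term", "terms", "wildcard",
                 "prefix", "range", "exists"}


def is_strict_json(text: str) -> bool:
    """True if the body parses as the strict JSON the rule editor requires."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def convert_console_body(text: str) -> str:
    """Rewrite Dev Tools triple-quoted strings into JSON string literals."""
    strict = TRIPLE_QUOTED.sub(lambda m: json.dumps(m.group(1).strip()), text)
    json.loads(strict)  # raises if the body has problems beyond the quoting
    return strict


def parse_console_body(text: str) -> Dict[str, Any]:
    return json.loads(convert_console_body(text))


def _collect_query_fields(node: Any, out: Set[str]) -> None:
    if isinstance(node, dict):
        for key, val in node.items():
            if key in FIELD_CLAUSES and isinstance(val, dict):
                if key == "exists":
                    out.add(val["field"])
                else:
                    out.update(k for k in val if k != "boost")
            else:
                _collect_query_fields(val, out)
    elif isinstance(node, list):
        for item in node:
            _collect_query_fields(item, out)


def query_fields(body: Dict[str, Any]) -> Set[str]:
    """Fields named by leaf clauses anywhere in body['query']."""
    out: Set[str] = set()
    _collect_query_fields(body.get("query", {}), out)
    return out


def script_fields(body: Dict[str, Any]) -> Set[str]:
    """Fields read via doc['...'] in every runtime field script."""
    out: Set[str] = set()
    for rt in body.get("runtime_mappings", {}).values():
        out.update(DOC_ACCESS.findall(rt.get("script", {}).get("source", "")))
    return out


def lint(body: Dict[str, Any], index_fields: Iterable[str]) -> List[str]:
    """Report every field reference that neither the index nor the body defines."""
    known = set(index_fields) | set(body.get("runtime_mappings", {}))
    problems: List[str] = []
    for f in sorted(query_fields(body) - known):
        problems.append(f"query references undefined field '{f}'")
    for f in sorted(set(body.get("fields", [])) - known):
        problems.append(f"'fields' lists undefined field '{f}'")
    for f in sorted(script_fields(body) - known):
        problems.append(f"script reads undefined field '{f}'")
    return problems


def lint_console_body(text: str, index_fields: Iterable[str]) -> List[str]:
    return lint(parse_console_body(text), index_fields)


# Constructed sample: the shape of the rule body from the post, console syntax.
CONSOLE_BODY = r'''{
  "runtime_mappings": {
    "file_found_status": {
      "type": "keyword",
      "script": {
        "source": """
          if (doc['kubernetes.labels.app.keyword'].value == 'test') {
            if (doc['message_nonjson.keyword'].value.contains("FILE_" + doc['@timestamp'].value.toString("YYYYMMdd"))) {
              emit("file found")
            } else {
              emit("file not found")
            }
          }
        """
      }
    }
  },
  "fields": ["file_found_status"],
  "query": {"bool": {"must": [{"match": {"file_found": "file not found"}}]}}
}'''

# Constructed index mapping fields (what GET <index>/_mapping would list).
INDEX_FIELDS = {"@timestamp", "message_nonjson", "message_nonjson.keyword",
                "kubernetes.labels.app", "kubernetes.labels.app.keyword"}

if __name__ == "__main__":
    print("strict JSON as pasted:", is_strict_json(CONSOLE_BODY))
    for problem in lint_console_body(CONSOLE_BODY, INDEX_FIELDS):
        print("problem:", problem)
```

Run it as-is and the lint reports that the query matches on file_found, which neither the index nor the runtime_mappings define; rename the clause to file_found_status and the report is empty. The converted body it produces is plain JSON, so the same text can be used both in Dev Tools and in the rule editor.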
