Kibana alerting message with query results

Elastic Stack Kibana
#1

I have a Kibana monitor setup with a trigger and actions. In the actions email message I can email the alert query results for 1 document with these ctx parameters:

- Hostname: {{ctx.results.0.hits.hits.0._source.host.name}}
- Log file: {{ctx.results.0.hits.hits.0._source.log.file.path}}
- Log message: 
{{ctx.results.0.hits.hits.0._source.message}}

If there are multiple documents returned from the trigger query results is there a way to include all documents results in the email message?

TIA!

#2

Anyone have any information regarding this post?

#3

Hi,

you can use the a chained input and just issue two different queries? Would that help already?

Thanks
Rashmi

#4

@rashmi Thanks for the recommendation. Unfortunately we are using the open source Kibana which only has the Alerting module not Watcher.

#5

@pmuellr can u plz share ur thoughts on this ?

Thanks
Rashmi

#6

Hi @earlsanchez

There is perhaps an entirely different way to look at this. I'm not clear if you actually want to email all the logs (imagine there are hundreds) or you just want the alert to be able to show the user all the logs that made up the alert?

What you can do is create a URL in the action that would point to the Discover app in Kibana (or other customer dashboard) with the same query / filters parameters and time that made the alert fire and then you would be able to see the docs that caused the alert to fire.

What if there we're hundreds of documents would you really want to email all those?

Just a thought something I've done for several customers.

#7

Thank you @stephenb, I am doing that now with the search criteria URL. I think this along with one event message as I described above is the best solution. You are correct, I probably don't really want hundreds of events being emailed. Thx.

#8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.