Kibana Alerts accessing fields

bevano · August 9, 2021, 10:10am

Hi All,

Is it possible to access specific fields within Action boxes under Alerts in Kibana.

For example, I want to alert when the field "host.status" equals down. This is easy using the Elasticsearch Query. After this query matches, I need to send an email with the various info.

I have a field called "host.url" which contains the URL of the hosts. I am struggling on how I can access and bring this field into the message text box under action.

This was previously possible with watcher so I am thinking it should be possible here.
I am running Elastic/Kibana 7.13.4, trying to migrate away from watcher.

Thanks

ying.mao · August 23, 2021, 12:39pm

Hi @bevano,

If you are using the Elasticsearch Query alert, you should be able to use mustache syntax to access document information inside your action. Documentation is available here: Elasticsearch query | Kibana Guide [master] | Elastic

The documents are available within the context.hits context variable, which is an array containing the matching documents. In order to access a field like host.status, try something like this:

{{#context.hits}}
Host URL {{_source.host.url}} matched!
{{/context.hits}}

Hope that helps!

system · September 20, 2021, 12:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Escape dot in mustache to access elastic query _source field in alerts Kibana elastic-stack-alerting	8	1137	January 26, 2023
Surfacing Index Field Values in Kibana Alerts Kibana elastic-stack-alerting	2	3182	May 8, 2022
Add status field for kibana alerts in elastic index Kibana elastic-stack-alerting	0	10	September 26, 2024
Alerts and actions Links not accessible Kibana	6	2408	June 29, 2020
Kibana Alert Index Threshold and Log Threshold Host.ip Fields Kibana elastic-stack-alerting	5	327	April 13, 2023

Kibana Alerts accessing fields

Related Topics