Kibana Alerts accessing fields

bevano · August 9, 2021, 10:10am

Hi All,

Is it possible to access specific fields within Action boxes under Alerts in Kibana.

For example, I want to alert when the field "host.status" equals down. This is easy using the Elasticsearch Query. After this query matches, I need to send an email with the various info.

I have a field called "host.url" which contains the URL of the hosts. I am struggling on how I can access and bring this field into the message text box under action.

This was previously possible with watcher so I am thinking it should be possible here.
I am running Elastic/Kibana 7.13.4, trying to migrate away from watcher.

Thanks

ying.mao · August 23, 2021, 12:39pm

Hi @bevano,

If you are using the Elasticsearch Query alert, you should be able to use mustache syntax to access document information inside your action. Documentation is available here: Elasticsearch query | Kibana Guide [master] | Elastic

The documents are available within the context.hits context variable, which is an array containing the matching documents. In order to access a field like host.status, try something like this:

{{#context.hits}}
Host URL {{_source.host.url}} matched!
{{/context.hits}}

Hope that helps!

Topic		Replies	Views
Surfacing Index Field Values in Kibana Alerts Kibana elastic-stack-alerting	2	3828	May 8, 2022
Alerting within Kibana - ES 7.7 Kibana elastic-stack-alerting	3	752	July 17, 2020
How to include specific field values in Kibana mail action Kibana elastic-stack-alerting	2	290	April 23, 2021
Elasticsearch query type alert in kibana alerts Kibana elastic-stack-alerting	6	724	June 24, 2021
Alert Message Data Kibana 8.3 Kibana elastic-stack-alerting	1	365	November 2, 2022

Kibana Alerts accessing fields

Related topics