I am trying to add extra fields using script_fields or runtime_mappings to Kibana alerts, but Kibana replaces the fields property with a timestamp.
Is there a solution or workaround?
Edit #1 to add code
Query
/myindex*/_search?pretty
{
  "query": {
    "match_all": {}
  },
  "fields": [
    "test_field"
  ],
  "script_fields": {
    "test_field": {
      "script": {
        "lang": "painless",
        "source": "params.test_pram",
        "params": {
          "test_pram": 1
        }
      }
    }
  },
  "_source": true
}
Response from Elasticsearch
{
  "took": 8,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 10000,
      "relation": "gte"
    },
    "max_score": 1,
    "hits": [
      {
        "_index": "myindex1",
        "_type": "_doc",
        "_id": "1",
        "_score": 1,
        "_source": {
          "color": "red"
        },
        "fields": {
          "test_field": [
            1
          ]
        }
      },...
Response from Kibana
{
  "took": 8,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 10000,
      "relation": "gte"
    },
    "max_score": 1,
    "hits": [
      {
        "_index": "myindex1",
        "_type": "_doc",
        "_id": "1",
        "_score": 1,
        "_source": {
          "color": "red"
        },
        "fields": {
          "@timestamp": [
            "2022-11-02T14:00:11.754Z"
          ]
        },
        "sort": [
          1667397611754
        ]
      }
    },...
Edit #2 to add code
Kibana create alert request
/s/myspace/api/alerting/rule/:id
{
  "consumer": "alerts",
  "name": "my_alert",
  "schedule": {
    "interval": "1m"
  },
  "params": {
    "esQuery": "{\n\"query\":{\n\"match_all\":{}\n},\n\n\"fields\":[\n\"test_field\"\n],\n\"script_fields\":{\n\"test_field\":{\n\"script\":{\n\"lang\":\"painless\",\n\"source\":\"params.test_pram\",\n\"params\":{\n\"test_pram\":1\n}\n}\n}\n},\n\"_source\":true\n}",
    "index": [
      "myindex*"
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 30,
    "timeWindowUnit": "m",
    "thresholdComparator": ">",
    "threshold": [
      0
    ],
    "size": 10
  },
  "rule_type_id": ".es-query",
  "notify_when": "onActionGroupChange",
  "actions": [
    {
      "group": "query matched",
      "id": "mailConnector",
      "params": {
        "subject": "My Alert",
        "to": [
          "email@example.com"
        ],
        "message": "{{context}}"
      }
    }
  ]
}
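The following is an added example, not code from the question or from Kibana. It builds the .es-query rule body from a Python dict so the esQuery string is produced by json.dumps rather than hand-escaped, and it checks a returned hit for the fields the embedded query asked for (fields, script_fields and runtime_mappings keys), so a rule whose notifications silently lack the enrichment data can be caught before it is relied on. The function names (build_rule_body, requested_fields, missing_fields) and the two sample hits are constructed for this example and mirror the responses shown in the question.

```python
import json

# Constructed sample: the query the question embeds in the rule's esQuery string.
QUERY = {
    "query": {"match_all": {}},
    "fields": ["test_field"],
    "script_fields": {
        "test_field": {
            "script": {
                "lang": "painless",
                "source": "params.test_pram",
                "params": {"test_pram": 1},
            }
        }
    },
    "_source": True,
}

# Constructed sample hits, shaped like the two responses in the question.
ES_HIT = {
    "_index": "myindex1", "_id": "1", "_score": 1,
    "_source": {"color": "red"},
    "fields": {"test_field": [1]},
}
KIBANA_HIT = {
    "_index": "myindex1", "_id": "1", "_score": 1,
    "_source": {"color": "red"},
    "fields": {"@timestamp": ["2022-11-02T14:00:11.754Z"]},
    "sort": [1667397611754],
}


def build_rule_body(query, index_pattern="myindex*", time_field="@timestamp"):
    """Build a .es-query rule body (hypothetical helper).

    The esQuery parameter is a JSON *string*, so it is serialised with
    json.dumps instead of being typed out with escaped quotes and newlines.
    """
    return {
        "consumer": "alerts",
        "name": "my_alert",
        "schedule": {"interval": "1m"},
        "params": {
            "esQuery": json.dumps(query),
            "index": [index_pattern],
            "timeField": time_field,
            "timeWindowSize": 30,
            "timeWindowUnit": "m",
            "thresholdComparator": ">",
            "threshold": [0],
            "size": 10,
        },
        "rule_type_id": ".es-query",
        "notify_when": "onActionGroupChange",
        "actions": [],  # connector actions omitted in this example
    }


def requested_fields(rule_body):
    """Return the field names the embedded esQuery asks for.

    Collects plain `fields` entries (strings or {"field": ...} objects),
    `script_fields` keys and `runtime_mappings` keys. Raises ValueError when
    the esQuery string is not valid JSON, which is the usual failure mode of
    a hand-escaped query string.
    """
    try:
        q = json.loads(rule_body["params"]["esQuery"])
    except json.JSONDecodeError as exc:
        raise ValueError(f"esQuery is not valid JSON: {exc}") from exc
    names = set()
    for f in q.get("fields", []):
        names.add(f if isinstance(f, str) else f.get("field"))
    names.update(q.get("script_fields", {}).keys())
    names.update(q.get("runtime_mappings", {}).keys())
    names.discard(None)
    return names


def missing_fields(rule_body, hit):
    """Names requested by the rule's query that are absent from hit['fields']."""
    present = set(hit.get("fields", {}).keys())
    return sorted(requested_fields(rule_body) - present)


if __name__ == "__main__":
    rule = build_rule_body(QUERY)
    print("requested:", sorted(requested_fields(rule)))
    print("missing in ES hit:", missing_fields(rule, ES_HIT))
    print("missing in Kibana hit:", missing_fields(rule, KIBANA_HIT))
```

Run against the two constructed hits, the Elasticsearch hit reports nothing missing while the Kibana hit reports test_field, which is the discrepancy the question describes; the same check can be run on the hits that reach an action's context before trusting the notification content.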