Kibana, Alerts and Actions, does not allow adding hostname in the message

I am using Kibana 7.9.1 to generate alerts. I need to add the hostname and message to the message that is sent, in this case to the logs, but it has not been possible to show it.

[Screenshot: kibana alert 1]

[Screenshot: kibana alert 2]

I get the empty space, with ctx.payload.hits.hits.0._source.host and ctx.payload.hits.hits.0._source.beat.hostname.

{"type":"log","@timestamp":"2020-09-24T18:18:56Z","tags":["info","plugins","actions","actions"],"pid":6,"message":"Server log: 3htpAlerts,kibanaAlerts,Prueba,typeLog, logThreshold, , Descripción: Se han generado 1 repeticiones de la etiqueta "info" en 2 minutos. ;"}

@Patrick_Mueller can you shed some more light on this please?

Alerts don't support a {{ctx.payload...}} variable, unfortunately. You can see a list of the variables you can include in an alert message by clicking the Add alert variable button:

Can I suggest you try setting a value in the GROUP BY field?

and then using the {{context.group}} variable in place of {{ctx.payload...}}? Does that produce the result you're looking for?

Partly, yes: it works when I add only host.keyword, but if I add both host.keyword and message.keyword the alert doesn't work anymore. Well, I need to show the host and the message in the alert message. Is there any way I can do it? And thank you for your prompt reply.

I am also looking for a solution to this. I don't need to group by anything, but I'd like to add fields from the triggering logs to the alert.
It seems that if I add both fields I need (source.ip, destination.ip) to the group by parameter, the alert doesn't trigger anymore for some reason.

I found a way to display the message and the host: I add both fields to group by, but in the message I add two variables, {{alertInstanceId}} and {{context.group}}. Both variables bring the information of the message and the host; the problem is that the information is then duplicated, and if you delete one the alert fails and is not executed.

This is my message:
-Descripción: Se han generado {{context.matchingDocuments}} repeticiones de la etiqueta "info" en 2 minutos -Origen y Mensaje: {{alertInstanceId}} -tags: {{tags}} .

{{context.group}}

This is the log output:
{"type":"log","@timestamp":"2020-09-25T13:49:16Z",
"tags":["info","plugins","actions","actions"],"pid":6,

"message":"Server log:

-Descripción: Se han generado 1 repeticiones de la etiqueta "info" en 2 minutos

-Origen y Mensaje: www.elastic.co, 147.107.162.98 - - [2018-08-03T13:48:30.489Z] "GET /app-search HTTP/1.1" 200 212 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.50 Safari/534.24"

-tags: 3htpAlerts,kibanaAlerts,Prueba,typeLog, logThreshold . ;;

www.elastic.co, 147.107.162.98 - - [2018-08-03T13:48:30.489Z] "GET /app-search HTTP/1.1" 200 212 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.50 Safari/534.24""}
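To make the behaviour discussed in this thread concrete, here is an added example (not code from the thread or from Kibana itself): a minimal Mustache-style renderer that fills an action message template from the alert context the way the Add alert variable list implies. It assumes the variable names shown above (context.group, context.matchingDocuments, alertInstanceId, tags), that an unknown variable such as ctx.payload renders as an empty string, and that a group-by on two fields produces one "host, message" string; the sample context is constructed.

```javascript
// Walk a dotted variable path like "context.group" through nested objects.
// Any missing segment yields undefined instead of throwing.
function lookup(context, path) {
  return path.split('.').reduce(
    (obj, key) => (obj !== null && typeof obj === 'object' ? obj[key] : undefined),
    context
  );
}

// Render {{name}} placeholders. A variable the alert type does not provide
// (e.g. ctx.payload...) becomes '', which is why the original message came out blank.
function renderTemplate(template, context) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, name) => {
    const value = lookup(context, name);
    if (value === undefined || value === null) return '';
    return Array.isArray(value) ? value.join(',') : String(value);
  });
}

// Constructed sample of what the log threshold alert exposes when grouping by
// host.keyword and message.keyword: one comma-joined group string, and an
// alertInstanceId that carries the same string (hence the duplicate output seen above).
const sampleContext = {
  alertInstanceId: 'www.elastic.co, 147.107.162.98 - - "GET /app-search HTTP/1.1" 200',
  tags: ['3htpAlerts', 'kibanaAlerts'],
  context: {
    group: 'www.elastic.co, 147.107.162.98 - - "GET /app-search HTTP/1.1" 200',
    matchingDocuments: 1,
  },
};

// Split a multi-field group string back into its fields, assuming the join
// order "host, message" and that only the last field may itself contain ", ".
function splitGroup(group, fieldCount) {
  const parts = group.split(', ');
  const head = parts.slice(0, fieldCount - 1);
  const tail = parts.slice(fieldCount - 1).join(', ');
  return [...head, tail];
}

const message =
  '-Descripción: Se han generado {{context.matchingDocuments}} repeticiones ' +
  '-Origen y Mensaje: {{context.group}} -tags: {{tags}} -payload: {{ctx.payload.hits.hits.0._source.host}}';
console.log(renderTemplate(message, sampleContext));
console.log(splitGroup(sampleContext.context.group, 2));
```

Because the rendered alert message embeds raw log content (request line, user agent), treat it as untrusted text wherever the action delivers it.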