Kibana Alerts: How to iterate over array in the context.hits structure

ilchub · January 5, 2023, 2:10pm

Hi everybody,

I'm running Elastic Stack 8.5 and I have configured Kibana Alerts to send message into Slack, when certain DSL query is matched. To include some fields of matched documents I've used the following Mustache template:

- Amount of responses got per {{params.timeWindowSize}}{{params.timeWindowUnit}}: {{context.value}}
- Timestamp: {{context.date}}

Request: {{context.hits.0._source.ingress_controller_logs.request}}
User Agent: {{context.hits.0._source.ingress_controller_logs.user_agent}}
Response: {{context.hits.0._source.ingress_controller_logs.status}}
Response Time: {{context.hits.0._source.ingress_controller_logs.request_time}}

The problem happens when there's multiple documents matched by the query. Only the data from first matched document occurs in the message. This is fully logical, because all further hits should be referenced with a proper array index value, like so:

Request: {{context.hits.1._source.ingress_controller_logs.request}}

and so on.

My question is the following: is there any way to use some sort of iterator where the array index should be, so it would iterate over index dynamically and return all values from all array elements. For example:

Request: {{context.hits.@._source.ingress_controller_logs.request}}

So, if the three documents would match by the query, it would look like it had this formatting:

Request: {{context.hits.0._source.ingress_controller_logs.request}}
User Agent: {{context.hits.0._source.ingress_controller_logs.user_agent}}
Response: {{context.hits.0._source.ingress_controller_logs.status}}
Response Time: {{context.hits.0._source.ingress_controller_logs.request_time}}

Request: {{context.hits.1._source.ingress_controller_logs.request}}
User Agent: {{context.hits.1._source.ingress_controller_logs.user_agent}}
Response: {{context.hits.1._source.ingress_controller_logs.status}}
Response Time: {{context.hits.1._source.ingress_controller_logs.request_time}}

Request: {{context.hits.2._source.ingress_controller_logs.request}}
User Agent: {{context.hits.2._source.ingress_controller_logs.user_agent}}
Response: {{context.hits.2._source.ingress_controller_logs.status}}
Response Time: {{context.hits.2._source.ingress_controller_logs.request_time}}

Any advice is much appreciated.
Thanks in advance.

Patrick_Mueller · January 5, 2023, 2:17pm

Documentation for mustache templating is here: GitHub - janl/mustache.js: Minimal templating with {{mustaches}} in JavaScript

You can do what you want with a section. I believe it would be like this:

{{#context.hits}}
Request: {{_source.ingress_controller_logs.request}}
User Agent: {{_source.ingress_controller_logs.user_agent}}
Response: {{_source.ingress_controller_logs.status}}
Response Time: {{_source.ingress_controller_logs.request_time}}
{{/context.hits}}

ilchub · January 5, 2023, 3:13pm

Thanks for the proposed solution. Seems to work like a charm

Patrick_Mueller · January 5, 2023, 3:51pm

heh, I realized that I think we can make this even smaller, but perhaps the original one is a little easier to understand:

{{#context.hits}}{{#_source.ingress_controller_logs}}
Request: {{request}}
User Agent: {{user_agent}}
Response: {{status}}
Response Time: {{request_time}}
{{/_source.ingress_controller_logs}}{{/context.hits}}

system · February 2, 2023, 3:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.