Hello,
As referenced here: Action variables for a Logs threshold rule
I created a log threshold rule. I would like to do is use variables/fields from the documents/logs to appear in the email body.
Like how it was mentioned in above, you should be able to use {{context.hits}} but nothing is appearing. Any help is much appreciated,
Thanks,
Erik
Hi,
The {{context.hits}} variable should give you access to the documents that matched your threshold condition, but you need to specify the exact field you want to display.
For example, if you want to display a field named "message" from your logs, you should use {{context.hits.message}} in your alert message. If the field is nested, you would use dot notation to access it, like {{context.hits.field.subfield}}.
Regards
Hello ,
This is my sample data and I tried to use this as you mentioned .Still nothing comes in my body e-mail:
{{context.hits._source.v2.private.src_labels.app}}.
Still no value comes. It has been so many hours wasted to address this issue. Would you please help.
Best,
Narges
Hi @erikg,
I think the log threshold rule type doesn't grant access to individual documents in its alert context since it only operates on aggregate results. If I read the code correctly, though, it puts a whole bunch of ECS fields from the first document in the aggregate result into the context: kibana/packages/kbn-ecs/generated/ecs_flat.ts at cd907739f3cb4c57bb2ace7a6da538226b5334d7 · elastic/kibana · GitHub
Maybe the values you are looking for are in there?
Any update on this @erikg
Hey @NShrek ,
I see you are using ES Query, which is what I ended up doing since Log Threshold wasn't working.
I looked at your alert body and it should have worked, perhaps you can try doing this:
This makes it so it can go through all the hits or documents that match your query.
{{#context.hits}}
{{_source.host.name}}
{{/context.hits}}
This worked for me:
Hey @weltenwort , yeah not sure why it doesn't work because I used @timestamp in the sample^ , I was recommended to use Elastic Query rule instead.
Thanks!
Hello @erikg .Thanks very much. I could see all the data now. How can I go deeper in the data.
-APP NAME PLS:
{{#context.hits}}
{{_source.v2.private}}
{{/context.hits}}
Also do you know how can i modify time from zolo to UTC .
This did not work:
{{#FormatDate}} {{{date}}} ; America/New_York {{/FormatDate}}
Hey @NShrek
You can access any fields now like:
-APP NAME PLS:
{{#context.hits}}
{{_source.v2.private}}
{{_source.v2.private.dst_label}}
{{_source.v2.private.src_ip}}
{{/context.hits}}
As for the date, interesting I am not sure why yours doesn't work but here's the one I use:
{{#FormatDate}} {{{signal.original_time}}} ; America/Los_Angeles; DD MMMM YYYY {{/FormatDate}}
Hello Erik,
Thanks very much for your quick response! 
I was following this docs on Elastic and I wanted to create some kind of headings for each variable but it did not work.
Rule action variables | Kibana Guide [8.12] | Elastic
at the bottom of the page is render sample, how can i do that?
Also time format did not work.
Best,
Narges
@erikg is there any way we format the way that it shows the data in the email. Would u pls help?
Hey @NShrek , perhaps you can share your alert body, to help you but also I can share my alert body.
For the markdown this my example:
Hey , thanks! If you go to the image from 4days ago , I need to show all destination info
for example
|**Destination Application**| {{_source.v2.private.dst_label.app}}
|**Destination IP Address**| {{_source.v2.private.dst_ip}}
Is this correct?
Best,
Narges
Hey, yes that is correct!
but don't forget to include {{#context.hits}} at the beginning and
{{/context.hits}} at the end.
You are awesome! It worked and data is very clean now . I dont see the columns but it is showing in a very better format. thanks @erikg
@erikg Hey,
I got this far by your help. Could you please tell me how can I make headings and show the data under the header .
Best,
Narges
@erikg would you pls help me on this?
Hey @NShrek ,
So based on image,
You would need to move the heading before the {{#context.hits}} .
As you can see in my example, I placed Event Details before {{#context.hits}}
Hope that helps!
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
