The {{context.hits}} variable should give you access to the documents that matched your threshold condition, but you need to specify the exact field you want to display.
For example, if you want to display a field named "message" from your logs, you should use {{context.hits.message}} in your alert message. If the field is nested, you would use dot notation to access it, like {{context.hits.field.subfield}}.
I see you are using ES Query, which is what I ended up doing since Log Threshold wasn't working.
I looked at your alert body and it should have worked, perhaps you can try doing this:
This makes it so it can go through all the hits or documents that match your query.
Hey @weltenwort, yeah, not sure why it doesn't work, because I used @timestamp in the sample^. I was recommended to use the Elastic Query rule instead.
Thanks!
-APP NAME PLS:
{{#context.hits}}
{{_source.v2.private}}
{{_source.v2.private.dst_label}}
{{_source.v2.private.src_ip}}
{{/context.hits}}
As for the date, interesting; I am not sure why yours doesn't work, but here's the one I use: {{#FormatDate}} {{{signal.original_time}}} ; America/Los_Angeles; DD MMMM YYYY {{/FormatDate}}
You would need to move the heading before the {{#context.hits}}.
As you can see in my example, I placed Event Details before {{#context.hits}}.
Hope that helps!
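As an added example (not part of this thread), a small Python model of what the Mustache section does, showing why the heading has to sit outside {{#context.hits}}: inside the section it is repeated once per matching document. The renderer, the two templates and the sample hits are constructed for this illustration; Kibana's real Mustache engine, including FormatDate, is not modelled.

```python
import re

# Minimal Mustache-style renderer: sections over lists plus dotted variable
# lookup. Constructed for this example; it is not Kibana's engine.
SECTION_RE = re.compile(r"\{\{#([\w.]+)\}\}(.*?)\{\{/\1\}\}", re.DOTALL)
VAR_RE = re.compile(r"\{\{\{?([\w.]+)\}?\}\}")


def lookup(name, scopes):
    """Resolve a dotted name, innermost scope first (the Mustache context stack)."""
    for scope in reversed(scopes):
        cur = scope
        for part in name.split("."):
            if not isinstance(cur, dict) or part not in cur:
                break
            cur = cur[part]
        else:
            return cur
    return None


def render(template, scopes):
    def expand(m):
        name, body = m.group(1), m.group(2)
        value = lookup(name, scopes)
        if isinstance(value, list):  # repeat the body once per hit
            return "".join(render(body, scopes + [item]) for item in value)
        if isinstance(value, dict):
            return render(body, scopes + [value])
        return render(body, scopes) if value else ""
    text = SECTION_RE.sub(expand, template)
    # Rendered values are assumed not to contain mustache tags themselves.
    return VAR_RE.sub(lambda m: str(lookup(m.group(1), scopes) or ""), text)


# Constructed sample: two documents matched by the rule query.
CONTEXT = {"context": {"hits": [
    {"_source": {"v2": {"private": {"dst_label": "db-01", "src_ip": "10.0.0.5"}}}},
    {"_source": {"v2": {"private": {"dst_label": "db-02", "src_ip": "10.0.0.7"}}}},
]}}

HEADING_INSIDE = ("{{#context.hits}}Event Details\n"
                  "{{_source.v2.private.dst_label}} <- {{_source.v2.private.src_ip}}\n"
                  "{{/context.hits}}")
HEADING_OUTSIDE = ("Event Details\n{{#context.hits}}"
                   "{{_source.v2.private.dst_label}} <- {{_source.v2.private.src_ip}}\n"
                   "{{/context.hits}}")


def render_alert(template, context=CONTEXT):
    """Render an alert message template against the rule context."""
    return render(template, [context])


if __name__ == "__main__":
    print(render_alert(HEADING_INSIDE))   # heading printed twice, once per hit
    print(render_alert(HEADING_OUTSIDE))  # heading printed once
```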