Log Threshold - Alert Body

erikg · January 12, 2024, 4:15pm

Hello,

As referenced here: Action variables for a Logs threshold rule

I created a log threshold rule. I would like to do is use variables/fields from the documents/logs to appear in the email body.

Like how it was mentioned in above, you should be able to use {{context.hits}} but nothing is appearing. Any help is much appreciated,

Thanks,
Erik

yago82 · January 12, 2024, 4:36pm

Hi,

The {{context.hits}} variable should give you access to the documents that matched your threshold condition, but you need to specify the exact field you want to display.

For example, if you want to display a field named "message" from your logs, you should use {{context.hits.message}} in your alert message. If the field is nested, you would use dot notation to access it, like {{context.hits.field.subfield}}.

Regards

erikg · January 12, 2024, 4:58pm

Hey @yago82 ,

Look, I tried it and the fields don't appear (unless I am doing it wrong):

NShrek · January 24, 2024, 3:01pm

Hello ,
This is my sample data and I tried to use this as you mentioned .Still nothing comes in my body e-mail:

{{context.hits._source.v2.private.src_labels.app}}.

Still no value comes. It has been so many hours wasted to address this issue. Would you please help.
Best,
Narges

NShrek · January 24, 2024, 3:12pm

You can find the response of e-mail notification here: No value

weltenwort · January 24, 2024, 7:30pm

Hi @erikg,

I think the log threshold rule type doesn't grant access to individual documents in its alert context since it only operates on aggregate results. If I read the code correctly, though, it puts a whole bunch of ECS fields from the first document in the aggregate result into the context: kibana/packages/kbn-ecs/generated/ecs_flat.ts at cd907739f3cb4c57bb2ace7a6da538226b5334d7 · elastic/kibana · GitHub

Maybe the values you are looking for are in there?

NShrek · January 25, 2024, 5:42pm

Any update on this @erikg

erikg · January 25, 2024, 7:48pm

Hey @NShrek ,

I see you are using ES Query, which is what I ended up doing since Log Threshold wasn't working.
I looked at your alert body and it should have worked, perhaps you can try doing this:

This makes it so it can go through all the hits or documents that match your query.

{{#context.hits}}
{{_source.host.name}}
{{/context.hits}}

This worked for me:

erikg · January 25, 2024, 7:53pm

Hey @weltenwort , yeah not sure why it doesn't work because I used @timestamp in the sample^ , I was recommended to use Elastic Query rule instead.
Thanks!

NShrek · January 29, 2024, 2:56pm

Hello @erikg .Thanks very much. I could see all the data now. How can I go deeper in the data.

-APP NAME PLS: 
{{#context.hits}} 
{{_source.v2.private}}
{{/context.hits}}

Also do you know how can i modify time from zolo to UTC .
This did not work:

{{#FormatDate}} {{{date}}} ; America/New_York {{/FormatDate}}

erikg · January 30, 2024, 2:55pm

Hey @NShrek

You can access any fields now like:

-APP NAME PLS: 
{{#context.hits}} 
{{_source.v2.private}}
{{_source.v2.private.dst_label}}
{{_source.v2.private.src_ip}}
{{/context.hits}}

As for the date, interesting I am not sure why yours doesn't work but here's the one I use:
{{#FormatDate}} {{{signal.original_time}}} ; America/Los_Angeles; DD MMMM YYYY {{/FormatDate}}

NShrek · January 30, 2024, 3:59pm

Hello Erik,
Thanks very much for your quick response!

I was following this docs on Elastic and I wanted to create some kind of headings for each variable but it did not work.

Rule action variables | Kibana Guide [8.12] | Elastic

at the bottom of the page is render sample, how can i do that?
Also time format did not work.

Best,
Narges

NShrek · February 2, 2024, 3:28pm

@erikg is there any way we format the way that it shows the data in the email. Would u pls help?

erikg · February 2, 2024, 5:19pm

Hey @NShrek , perhaps you can share your alert body, to help you but also I can share my alert body.

For the markdown this my example:

NShrek · February 2, 2024, 5:38pm

Hey , thanks! If you go to the image from 4days ago , I need to show all destination info

for example

|**Destination Application**| {{_source.v2.private.dst_label.app}}
|**Destination IP Address**| {{_source.v2.private.dst_ip}}

Is this correct?

Best,
Narges

erikg · February 2, 2024, 5:48pm

Hey, yes that is correct!
but don't forget to include {{#context.hits}} at the beginning and
{{/context.hits}} at the end.

NShrek · February 2, 2024, 10:24pm

You are awesome! It worked and data is very clean now . I dont see the columns but it is showing in a very better format. thanks @erikg

NShrek · February 5, 2024, 2:03pm

@erikg Hey,

I got this far by your help. Could you please tell me how can I make headings and show the data under the header .

Best,
Narges

NShrek · February 6, 2024, 2:39pm

@erikg would you pls help me on this?

erikg · February 6, 2024, 3:13pm

Hey @NShrek ,

So based on image,

You would need to move the heading before the {{#context.hits}} .
As you can see in my example, I placed Event Details before {{#context.hits}}

Hope that helps!