Log Threshold - Alert Body

Elastic Observability Logs
21

@erikg I did the same . But my details are coming as the row .

pls see below.
If i move all my headings such as Destination IP address and Destination APP, all data messed up.

|||
|--------------| ------------|
| **Blocked Traffic Information** | - |
{{#context.hits}}
|-**Destination IP Address**| {{_source.v2.private.dst_ip}}
|**Destination Application Name**|{{_source.v2.private.dst_labels.app}}
|**Destination Port**| {{_source.v2.private.dst_port}}
|**Destination Protocol**| {{_source.v2.private.proto}}
{{/context.hits}}
22

Ah, I think actually you need to include your heading AFTER {{#context.hits}}
{{#context.hits}}
Blocked Traffic Information -
-Destination IP Address {{_source.v2.private.dst_ip}}
Destination Application Name {{_source.v2.private.dst_labels.app}}
Destination Port {{_source.v2.private.dst_port}}
Destination Protocol {{_source.v2.private.proto}}
{{/context.hits}}

I think this what you were trying to do^?

23

@erikg Hey,

I need the presentation be vertical .

image
image1055×331 23.9 KB

I want to show data in simple table format with column as like as screenshot.

If you see the screenshot from 1 day ago , everything in email is coming as row.

Best,
Narges

24

I m sending the observed data in the e-mail @erikg .
Every box has the data for on query that matched.
Could you pls also advise why some are coming as blue? It is the new issue!

image
image417×792 66.7 KB

25
Blocked Traffic Information
Destination IP Address Destination Application Name Destination Port Destination Protocol
{{#context.hits}}
{{_source.v2.private.dst_ip}} {{_source.v2.private.dst_labels.app}} {{_source.v2.private.dst_port}} {{_source.v2.private.proto}}
{{/context.hits}}

Like this?
As for the blue, I have not seen that before.

26

@erikg , Ys like that. And when i added everything just dumped in the email with one simple heading . :expressionless:

27

Here's how I did that:

||||||
|-| -|-|-|-|
| **Blocked Traffic Information** | 
|**Destination IP Address**|**Destination Application Name**| **Destination Port**|**Destination Protocol**|
{{#context.hits}}
{{_source.v2.private.dst_ip}} | {{_source.v2.private.dst_labels.app}} | {{_source.v2.private.dst_port}} | {{_source.v2.private.proto}} |
{{/context.hits}}

If this is same markdown you used then it might be a limitation.

Thanks,

28

@erikg WOW! You fixed it. It is so clean and nice. Thanks so much! :star_struck: :star_struck:

29

@erikg can you please explain the logic so I can learn?

30

Hey, sorry I barely understand the logic but I learned you can two methods to do markdown:

Method 1:

Syntax Description
Header Title
Paragraph Text 
| Syntax | Description |
| - | - |
| Header | Title |
| Paragraph | Text |

OR

Method 2:
Syntax Description
Header Title
Paragraph Text 
|||
| - | - |
| Syntax | Description |
| Header | Title |
| Paragraph | Text |

For both methods, your pipes | are your columns. You can specify how many you want.
Glad you were able to do it!

31

Thanks @erikg :pray:

1 Like
32

@erikg , Hello

I could deploy the solution and it works as expected. The only thing that I see there is one extra bullet created in the e-mail notification which I dont know why is that. The person who implemented the body content of e-mail in PROD is using MAC computer and Chrome and just copying from my content . I use windows surface machine.

Do you think this is why we get extra bullet?

that individual is copying my template from pre prod and we see extra bullet which I don't have it in preprod with same body content.

image
image1431×245 7.93 KB

33

Hey @NShrek , I actually haven't seen that before. Perhaps share your body content?

34

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.