Parse context_hits

Pablo_Sagrera_Garcia · December 15, 2022, 11:46am

I've create a rule whose connector is write to index. I wonder if possible to parse context_hits to create an additional field when hit the rule.

Screenshot 2022-12-15 at 12.43.15

For example I would like to create an additional field called message only containing subfield messages from dictionary {{context_hits }}

Thanks

Pablo_Sagrera_Garcia · December 16, 2022, 12:13pm

I spotted how to achieve that.

putting in the document to index the following field:

"host": "{{context.hits.0._source.host_name}}"

system · January 13, 2023, 12:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to use {{#context.hits}} alert with an INDEX action? Kibana elastic-stack-alerting	1	686	November 16, 2023
Kibana Alerts accessing fields Kibana elastic-stack-alerting	2	2236	September 20, 2021
Is context.hits supported on 8.1 Kibana	1	226	June 22, 2023
Possible to have {{context.hits}} return as an array? Kibana	2	739	August 19, 2021
Using the context. in Body of E-mail for rules and connection Kibana detection-rules	1	217	February 21, 2024