New to ES and having an issue with adding details in the body of a webhook. I am wanting to add the field information (ex: city) so that it will be included in the alert details. I have tried adding "City": "{{_source.city}}" but it returned no details when the alert was generated.
I have attempted this in both an Elastic Query and a Metric-based alert.
Thanks in advance for the help!
Can you provide your complete mustache template? I'm wondering if you forgot a mustache section for {{#context.hits}}, like this:
{{#context.hits}}
city: {{_source.city}}
{{/context.hits}}
More info here: Elasticsearch query | Kibana Guide [8.5] | Elastic
Also, if you want to see all the context variables available, to see what's available, as a nested JSON string, use the following in your template: {{.}}
This is what I'm currently using:
{
  "elasticsearch_query_alert": "{{alertName}}",
  "value": "{{context.value}}",
  "conditions_met": "{{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}",
  "timestamp": "{{context.date}}",
  "environment": "Minotaur",
  "status": "[Alerting]",
  "provider_city": "{{alert.actionGroupName}}",
  "Provider-City": "{{#context.hits}}{{_source.Provider-City}}{{/context.hits}}"
}
I was a little worried about the - in Provider-City, but a test at https://codepen.io/adrianroworth/pen/RgxmYM (generic online mustache tester) shows that this should work.
Could you try the following:
- create a server log action and use the same mustache template for the message body - it will come out a bit scrambled (we convert n/l to semicolon, kinda thing), but should show what the expansion is.
- change that server log action to just be {{.}} so we can see a list of all the variables available.
One last thing, was this for a recovered action, or active alert? Recovered actions typically do not have as many mustache variables available, and I don't believe any rules populate context.hits in recovery actions.
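The section scoping discussed in this thread, as an added example that is not part of the original posts and not Kibana's code: a minimal Mustache-subset renderer run over constructed action variables. The names `lookup`, `render`, `sampleVars`, `renderSample` and the sample cities are assumptions made for the illustration.

```javascript
// Added example: a minimal Mustache subset, NOT Kibana's renderer.
// Supports {{name}}, dotted names and {{#section}}...{{/section}} only
// (no escaping, partials, inverted sections or {{.}}).

// Resolve a dotted name: find the first segment by walking the context
// stack innermost-first, then follow the remaining segments on that value.
function lookup(stack, name) {
  const [head, ...rest] = name.split('.');
  for (let i = stack.length - 1; i >= 0; i--) {
    const ctx = stack[i];
    if (ctx !== null && typeof ctx === 'object' && head in ctx) {
      return rest.reduce((v, k) => (v == null ? undefined : v[k]), ctx[head]);
    }
  }
  return undefined; // unknown names render as an empty string
}

function render(template, stack) {
  // One pass over the template: either a whole section or a plain variable.
  const tag = /\{\{#([^}]+)\}\}([\s\S]*?)\{\{\/\1\}\}|\{\{([^#\/}][^}]*)\}\}/g;
  return template.replace(tag, (_, sectionName, body, varName) => {
    if (varName !== undefined) {
      const value = lookup(stack, varName.trim());
      return value == null ? '' : String(value);
    }
    // Section: render the body once per array element, with that element
    // pushed on the context stack so {{_source.*}} can resolve.
    const value = lookup(stack, sectionName.trim());
    if (!value) return '';
    const items = Array.isArray(value) ? value : [value];
    return items.map((item) => render(body, [...stack, item])).join('');
  });
}

// Constructed action variables: two matching documents.
const sampleVars = {
  alertName: 'provider-city-rule',
  context: { hits: [
    { _source: { city: 'Austin', 'Provider-City': 'Austin' } },
    { _source: { city: 'Denver', 'Provider-City': 'Denver' } },
  ] },
};
const renderSample = (template) => render(template, [sampleVars]);

console.log(renderSample('"City": "{{_source.city}}"'));
console.log(renderSample('"City": "{{#context.hits}}{{_source.city}}; {{/context.hits}}"'));
console.log(renderSample('"Provider-City": "{{#context.hits}}{{_source.Provider-City}}{{/context.hits}}"'));
```

With more than one hit the section body repeats back to back, so a separator has to go inside the section if the webhook receiver needs to tell the values apart.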