Problem with threshold alert and index connector

bot_aro · April 17, 2024, 6:12am

Good afternoon, I am facing a problem with kibana alerts. I am using threshold alert with index connector. I'm trying to write a json like this

{
  "message": """{{{#context.alerts}}}
host.name: {{{host.name}}}
{{/context.alerts}}"""
}

But it ends up writing this host.name: to the index.
As I understand it, this is because in the original json host.name is not written as an object, but as on the screenshot. How to make it to be recorded as event.kind? Has anyone encountered this? Is there a solution for this?

jsanz · April 30, 2024, 1:17pm

I don't understand your question. Your template is creating a string value for the message key, but you want to write a full object instead?

bot_aro · May 2, 2024, 1:12pm

Yes, because when you address this field, it tries to fail like this

{ 
"source": {
      "ip": "8.8.8.8.8"
    }
}

And the actual format there is like this

{
 "source.ip": "8.8.8.8.8"
}

jsanz · May 2, 2024, 1:31pm

have you tried escaping the dot as in {{{host\.name}}} (I haven't tested this)

bot_aro · May 2, 2024, 1:41pm

Yeah, unfortunately that didn't work

jsanz · May 2, 2024, 1:49pm

There's an issue on the topic, but after reading it I'm not fully sure if it was fixed on this PR, released at 8.6. Yet worth checking the comments and workarounds mentioned there.

Which version are you?