Problem with threshold alert and index connector

Elastic Stack Kibana
1

Good afternoon, I am facing a problem with kibana alerts. I am using threshold alert with index connector. I'm trying to write a json like this

{
  "message": """{{{#context.alerts}}}
host.name: {{{host.name}}}
{{/context.alerts}}"""
}

But it ends up writing this host.name: to the index.
As I understand it, this is because in the original json host.name is not written as an object, but as on the screenshot. How to make it to be recorded as event.kind? Has anyone encountered this? Is there a solution for this?
image

2

I don't understand your question. Your template is creating a string value for the message key, but you want to write a full object instead?

3

Yes, because when you address this field, it tries to fail like this

{ 
"source": {
      "ip": "8.8.8.8.8"
    }
}

And the actual format there is like this

{
 "source.ip": "8.8.8.8.8"
}
4

have you tried escaping the dot as in {{{host\.name}}} (I haven't tested this)

5

Yeah, unfortunately that didn't work

6

There's an issue on the topic, but after reading it I'm not fully sure if it was fixed on this PR, released at 8.6. Yet worth checking the comments and workarounds mentioned there.

Which version are you?

7

I'm on version 7.17.18. I've tested with latest version of elasticsearch and it works. Thank you!