I'm playing around with Kibana alert rules in combination with an index connector. I've successfully created an alert based on a search query which indexes an event to a defined index "Elasticsearch-alerting" if a result has been found.
All good so far, but I have not found a way to include fields of the message which triggered the alert (my threshold is "if greater than zero"). The documentation gives this as an example:
{
"rule_id": "{{ruleId}}",
"rule_name": "{{ruleName}}",
"alert_id": "{{alertId}}",
"context_message": "{{context.message}}"
}
There are also a few other variables to use, but it seems that I cannot include information from the original event? (We are using Stack version 7.16)