Special character handlling in the alert message

Elastic Stack Kibana
1

Hi,

I would like to print the request made value in my alerting messaging, however, when I formed the alert message, I was getting the ASCII values in my alert message.

Extraction query response:

{
    "_shards": {
        "total": 28,
        "failed": 0,
        "successful": 28,
        "skipped": 0
    },
    "hits": {
        "hits": [
            {
                "_type": "_doc",
                "_source": {
                    "request": "/healthcheck",
                },
            }
        ],
        "total": {
            "value": 335,
            "relation": "eq"
        },
        "max_score": 7.598394
    },
    "took": 32,
    "timed_out": false
}

Message:

Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
- Trigger: {{ctx.trigger.name}}
- Severity: {{ctx.trigger.severity}}
- Period start: {{ctx.periodStart}}
- Period end: {{ctx.periodEnd}}
- Total occurrences: {{ctx.results.0.hits.hits]}}

{{#ctx.results}}
{{#hits}}
{{#hits}}
{{#_source}}
--------------------------------------
Request: {{request}}
{{/_source}}
{{/hits}}
{{/hits}}
{{/ctx.results}}

The transformed message:

Monitor Error-log-monitor just entered alert status. Please investigate the issue.
- Trigger: Trigger http 5xx error
- Severity: 5
- Period start: 2021-02-24T06:57:10Z
- Period end: 2021-02-24T06:58:10Z
- Total occurrences: 
--------------------------------------
Request: /healthcheck

I would like my message to be formed in the below manner:

The transformed message:
Monitor Error-log-monitor just entered alert status. Please investigate the issue.
- Trigger: Trigger http 5xx error
- Severity: 5
- Period start: 2021-02-24T06:57:10Z
- Period end: 2021-02-24T06:58:10Z
- Total occurrences: 
--------------------------------------
Request: /healthcheck
2

Hey @Piyush_Gandhi, welcome to the discussion boards!

Kibana's alerting supports the "triple braces" form, which allows content to be rendered unescaped. Note that this is potentially dangerous, as untrusted content can be interpreted as HTML or JavaScript depending on how it's being rendered.

From the alerting docs:

Mustache also supports "triple braces" of the form {{{variable name}}} , which indicates no escaping should be done at all. Care should be used when using this form, as it could end up rendering the variable content in such a way as to make the resulting parameter invalid or formatted incorrectly.

Can you try changing {{request}} to {{{request}}} in your message, and let me know if that works for you?

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.