Hi,
I'm setting up Kibana alerts using a number of connectors (e.g. Email and MS Teams) and alerting on matches against an Elasticsearch query.
Alerts are working fine. However, what I cannot figure out is how to surface field values from the index I'm querying and alerting on.
For example, the default message in the Email Connector is:
Elasticsearch query alert '{{alertName}}' is active:
- Value: {{context.value}}
- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}
- Timestamp: {{context.date}}
The index I'm performing the query against contains firewall event logs, which in the JSON view are like so:
"_source": {
  "log": {
    "syslog": {
      "priority": 0,
      "severity": {
        "name": "Emergency",
        "code": 0
      },
      "facility": {
        "name": "kernel",
        "code": 0
      }
    }
  },
  "action": "block",
  "app": "Proxy.HTTP"
}
So, what I'd like to pull from the log shown in the snippet above and display in the email message is one or more of those key values, for example the app value being Proxy.HTTP. The idea being my message would contain:
Elasticsearch query alert '{{alertName}}' is active:
- Value: {{context.value}}
- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}
- Timestamp: {{context.date}}
- App: Proxy.HTTP
The online docs at Elasticsearch query | Kibana Guide [8.1] | Elastic suggest that I can use {{_source.<field>}} to pull values from the queried index, so in my case {{_source.app}}.
However, this doesn't work and the message returns a blank value, as shown in the screenshot below:
Does someone know how to do this?
Thanks,
Matt
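The blank value in the post comes down to Mustache scoping: a tag such as {{_source.app}} is resolved against the action context, and the matched documents are not at the top level of that context. The Kibana docs for the Elasticsearch query rule list the matched documents under the context.hits action variable, and the per-document fields only resolve inside a {{#context.hits}} ... {{/context.hits}} section. The following is an added example (not Kibana's code and not from the original post): a small Mustache-subset renderer written for this illustration, plus a constructed action context containing the firewall event from the post. The index name, rule name, timestamp and the exact shape of the context are assumptions made for the example; the field paths come from the posted document.

```python
import re

# Constructed sample hit, mirroring the firewall event in the post.
# The index name and _id are assumptions.
SAMPLE_HIT = {
    "_index": "firewall-logs",
    "_id": "1",
    "_source": {
        "log": {
            "syslog": {
                "priority": 0,
                "severity": {"name": "Emergency", "code": 0},
                "facility": {"name": "kernel", "code": 0},
            }
        },
        "action": "block",
        "app": "Proxy.HTTP",
    },
}

# Constructed action context. Values under "context" and "params" are
# assumed; "hits" is where the matched documents live per the Kibana docs.
SAMPLE_CONTEXT = {
    "alertName": "firewall-blocks",
    "context": {
        "value": 1,
        "conditions": "Number of matching documents is greater than 0",
        "date": "2022-03-01T12:00:00.000Z",
        "hits": [SAMPLE_HIT],
    },
    "params": {"timeWindowSize": 5, "timeWindowUnit": "m"},
}

# Matches {{name}}, {{#name}} and {{/name}} tags.
TAG = re.compile(r"\{\{\s*([#/]?)\s*([^{}]+?)\s*\}\}")


def lookup(stack, path):
    """Resolve a dotted path against the context stack, innermost frame first.
    Returns None when no frame contains the full path (renders as blank)."""
    for frame in reversed(stack):
        cur = frame
        found = True
        for key in path.split("."):
            if isinstance(cur, dict) and key in cur:
                cur = cur[key]
            else:
                found = False
                break
        if found:
            return cur
    return None


def render(template, context):
    """Render a Mustache-subset template (variables and list/dict sections)."""
    return _render(template, [context])


def _render(template, stack):
    out = []
    pos = 0
    while True:
        m = TAG.search(template, pos)
        if not m:
            out.append(template[pos:])
            break
        out.append(template[pos:m.start()])
        kind, name = m.group(1), m.group(2)
        if kind == "#":
            close = re.compile(r"\{\{\s*/\s*" + re.escape(name) + r"\s*\}\}")
            cm = close.search(template, m.end())
            if not cm:
                raise ValueError(f"unclosed section {name}")
            body = template[m.end():cm.start()]
            val = lookup(stack, name)
            if isinstance(val, list):
                # Each list element becomes the innermost frame for the body.
                for item in val:
                    out.append(_render(body, stack + [item]))
            elif isinstance(val, dict):
                out.append(_render(body, stack + [val]))
            elif val:
                out.append(_render(body, stack))
            pos = cm.end()
        elif kind == "/":
            raise ValueError(f"unexpected close tag {name}")
        else:
            val = lookup(stack, name)
            out.append("" if val is None else str(val))
            pos = m.end()
    return "".join(out)


# The template from the post: _source.app at top level resolves to nothing.
TOP_LEVEL_TEMPLATE = "- App: {{_source.app}}"

# The same message with the per-document line inside a context.hits section.
HITS_TEMPLATE = (
    "Elasticsearch query alert '{{alertName}}' is active:\n"
    "- Value: {{context.value}}\n"
    "- Conditions Met: {{context.conditions}} over "
    "{{params.timeWindowSize}}{{params.timeWindowUnit}}\n"
    "- Timestamp: {{context.date}}\n"
    "{{#context.hits}}"
    "- App: {{_source.app}} (action {{_source.action}}, "
    "severity {{_source.log.syslog.severity.name}})\n"
    "{{/context.hits}}"
)


def render_top_level():
    return render(TOP_LEVEL_TEMPLATE, SAMPLE_CONTEXT)


def render_with_hits():
    return render(HITS_TEMPLATE, SAMPLE_CONTEXT)


if __name__ == "__main__":
    print(repr(render_top_level()))
    print(render_with_hits())
```

The renderer walks a stack of context frames, so inside the section each hit is the innermost frame and {{_source.app}} resolves to Proxy.HTTP; outside the section there is no _source key anywhere in the stack and the tag renders blank, which is exactly the symptom in the post. Two practical caveats when doing this in Kibana: the section repeats its body once per matched document, so a rule that matches many events will produce one line per hit unless the query size is limited; and field values pulled from logs into an e-mail or Teams message are attacker-influenced text (an application name or URL logged by a firewall is whatever the client sent), so they should not be treated as trusted content by whoever reads the notification.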