The content of the field is not shown in alert

I defined an Alert Rule with Connector email. I would like to have in the received email the particular message, for which we defined the condition. The field which I would like to see is message. I tried different ways/formats in the email message body to see the content of the message field, however it doesn't work. I tried the following formats:


Could you please help me to find out which format I should use to see the particular error message in the email? In all above cases the string was shown, not the content.

Thanks a lot.

Elastic version: 7.16.1

Hey @csaba.g ,
Welcome to the community.

The ability to include this data depends on the specific rule - could you clarify which rule type you're using?

If you're using the ES Query rule type then you should be able to use the context.hits variable as described in the docs.

Thanks for the fast feedback.
We do use the Log threshold - maybe not he best choice, but is there a way to include this data in this rule type?
We can also try the ES Query.

Thanks a lot

Hey @gmmorris,

I tried the ES Query and I have seen the required error message, so it works.
However, there was the whole content of the indices, so I tried to get a specific element, like
but then no content was in email. Did I try it correctly? This element is not nested.

Thanks a lot

Hi @csaba.g ,
Although context.hits.message is available in the index, it is not as a variable to include in the alert message sent by email. The full list of context variables available for Log Threshold rule connectors is:

  • context.conditions
  • context.denominatorConditions
  • context.isRatio
  • context.matchingDocuments
  • context.numeratorConditions
  • context.ratio
  • context.reason
  • context.timestamp
  • context.viewInAppUrl

See Log Threshold Rule documentation for more information.

Hope this helps.

Thanks for jumping in @emmma :slight_smile: :wave:

Regarding ES Query @csaba.g , I think the syntax you need is:


This is because context.hits is an array of docs, as described in the documentation.
Let me know if this doesn't solve it for you. :smile:

Thanks @emmma @gmmorris
I tried your syntax, however I still cannot see the particular message. There was a blank space in the e-mail. Do you have another idea, what can be wrong? Thanks

Are you sure the meta_json field is on the doc root itself?

One way to debug this is to dump the entire hits array into the email.
This is done by including the following:


This will iterate through each doc in the context.hits variable and dump the doc as is.
That way you can see exactly what fields are available and what their values are.

Many thanks, that helped. Now I found out the structure. This is the way how it works:


If I may use this round for another question:
We would like to also use the Jira connector. However there we can defne only the issue type, summary and additional comments. Is there a way to define another values, for example component? Thanks

I’m assuming you mean the component field under project?
I’m afraid this isn’t currently possible - the Jira connector is limited to those field specified in the UX.

Feel free to file a feature request in the Kibana repo and we’ll look into adding it into the Connector’s roadmap.

@gmmorris many thanks. Yes I meant the component under Jira project. Alright I will request this feature.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.