The context.thresholdOf, context.metricOf and context.valueOf not working in inventory alert

Hi,

I am using the ELK 7.8.0 and making an inventory alert. I have created an action message as shown below.

image

But I am not getting values for context.thresholdOf, context.metricOf and context.valueOf. I have also tried context.reason as well, but it did not work. When I checked the alert index I found the following.

image

I want to get the current values for CPU and RAM utilization. Please help, if I am making any mistake or anything else.


Hi @mohanr

First, what kind of alert did you create? Did you create it from the Metrics App? It should be of type Metric Threshold.

Here is my config on 7.8.1

Here is my action message, complete with a little cool URL to open detailed metrics on the host that created the alert (BTW, in future please paste the text version of your config / results, much easier for others to help with)

{
  "message": "On host : {{context.group}} {{context.metricOf.condition0}} has crossed a threshold of {{context.thresholdOf.condition0}}, Current value is {{context.valueOf.condition0}}",
  "alertId": "{{alertId}}",
  "alertName": "{{alertName}}",
  "notifygroup": "{{tags}}",
  "target": "{{context.group}}",
  "metric": "{{context.metricOf.condition0}}",
  "current_value": "{{context.valueOf.condition0}}",
  "threshold": "{{context.thresholdOf.condition0}}",
  "severity": "Warning",
  "eventsource": "elasticsearch",
  "url": "http://localhost:5601/app/metrics/detail/host/{{context.group}}?metricTime=(autoReload:!f,refreshInterval:5000,time:(from:now-1h,to:now))"
}

You will notice the condition0 on the end; that is because the alert creates an object, since these alerts are created per host. The documentation does not really explain that, apologies... but if / when you do a new action you will see the condition0, but it does not show in the context menu.

{{alertName}} - {{context.group}}

{{context.metricOf.condition0}} has crossed a threshold of {{context.thresholdOf.condition0}}
Current value is {{context.valueOf.condition0}}

And my results

{
 "message": "On host : ceres-2.local cpu has crossed a threshold of 5, Current value is 10.5%",
 "alertId": "dec67da3-6d9b-4c56-997b-13bc925aef79",
 "alertName": "test-cpu-alert",
 "notifygroup": "",
 "target": "ceres-2.local",
 "metric": "cpu",
 "current_value": "10.5%",
 "threshold": "5",
 "severity": "Warning",
 "eventsource": "elasticsearch",
 "url": "http://localhost:5601/app/metrics/detail/host/ceres-2.local?metricTime=(autoReload:!f,refreshInterval:5000,time:(from:now-1h,to:now))"
}

Hope that helps, plus you got an extra URL goodie :slight_smile:

Finally, if you could, I would get to 7.9.2; there was a lot of additional Alerting capability released, especially in the metrics area, where you can test your alert, see the current values vs threshold, automatically get alerted if the metrics stop, but be careful, some of the metadata / context names have changed a little.

Here are my alerts for 7.9.2, some slight differences

   {
      "message": "On host {{context.group}}, {{context.reason}}",
      "alertId": "{{alertId}}",
      "alertName": "{{alertName}}",
      "notifygroup": "{{tags}}",
      "target": "{{context.group}}",
      "metric": "{{context.metric.condition0}}",
      "current_value": "{{context.value.condition0}}",
      "threshold": "{{context.threshold.condition0}}",
      "severity": "Warning",
      "eventsource": "elasticsearch",
      "url": "http://localhost:5601/app/metrics/detail/host/{{context.group}}?metricTime=(autoReload:!f,refreshInterval:5000,time:(from:now-1h,to:now))"
    }

@stephenb Thanks for your reply. It really helps me and works perfectly. I am using the ELK 7.8.0 and facing another issue. I have a centralized log system having multiple application instances. Multiple Docker containers are running on a particular instance.
I am creating an alert for container resource utilization like CPU, RAM, etc.
image
It gives me information about the container like name, threshold value, and current value, but I am not able to get the information about the instance (server).
I want to get alert information like which container has how much resource utilization for a particular instance. I have a custom field instance in the Metricbeat index.
Is there a way to use this custom field or anything else?

Looks like some of the features I was looking at in 7.9.2 are also in 7.8.1

Perhaps you could try this.

Go to Alerts and Actions and create a Metric Threshold alert; this is the more general version of the Inventory Alert.

Then you could try Create Alert Per and put your Instance field in that. It will need to be a Keyword type.

That should generate alerts by Instance and then that instance should be part of the alert context.

I have 2 'per' fields in an alert for file system usage in a multi-host environment (I use v7.9.1), so I must create alerts per host (host.name) and per file system (system.filesystem.mount_point)

How can I get a separated value for each one of them?
In the Kibana log I have them concatenated (in the example below, the 'AlertGroup' field contains both host name and file system name with a comma in between). Of course I can split, but it still would be nice to have each field separately without any extra manipulations.

e.g. /usr file system is alerted like this:
AlertName:Disk Space Alert;AlertGroup:my-host1-name, /usr;AlertTimestamp:2020-10-03T15:29:00.000Z;

Interesting, I tested this myself as well; the context group is presented as you see it... it does not look like separate fields are supported. Seems like a good idea; perhaps you can submit a Feature Request here
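
For the concatenated group discussed above, a downstream split is the available workaround. The following is an added example, not code from the thread or from Kibana: it parses the `Key:Value;` line quoted in the post and splits `AlertGroup` back into its two "per" values. The output names `host_name` and `mount_point`, and the assumption that the values appear in the same order as the "per" fields and that the first value never contains ", ", are mine.

```python
# Added example: recover the individual "per" values from a combined alert group.
# SAMPLE is the line quoted in the thread; host_name / mount_point are
# illustrative output names, not Kibana fields.
SAMPLE = ("AlertName:Disk Space Alert;AlertGroup:my-host1-name, /usr;"
          "AlertTimestamp:2020-10-03T15:29:00.000Z;")


def parse_alert_line(line):
    """Parse 'Key:Value;Key:Value;' into a dict.

    Each field is split on its first colon only, so values that contain
    colons themselves (the ISO timestamp) stay intact. A value containing
    ';' cannot be represented in this line format and is not handled.
    """
    fields = {}
    for part in line.strip().split(";"):
        if not part:
            continue  # trailing ';' leaves an empty last element
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip()] = value.strip()
    return fields


def split_group(group, names=("host_name", "mount_point")):
    """Split 'host, /mount' into one value per expected name.

    Limiting the number of splits keeps any later ', ' inside the last
    value, e.g. a mount point whose path contains a comma.
    """
    values = group.split(", ", len(names) - 1)
    if len(values) != len(names):
        raise ValueError(f"expected {len(names)} group values, got {group!r}")
    return dict(zip(names, values))


def enrich(line):
    """Return the parsed fields plus the separated group values."""
    fields = parse_alert_line(line)
    fields.update(split_group(fields["AlertGroup"]))
    return fields


if __name__ == "__main__":
    print(enrich(SAMPLE))
```

Failing loudly on a group with the wrong number of values avoids silently attributing an alert to the wrong host when the alert's "per" fields are changed later.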