Transform email body response to a more readable form

Alexandros888 · April 14, 2020, 10:38am

Hello,

I have created the following watcher alert:

    {
      "trigger": {
        "schedule": {
          "hourly": {
            "minute": [
              1,
              3,
              11,
              16,
              23,
              31,
              41,
              51
            ]
          }
        }
      },
      "input": {
        "search": {
          "request": {
            "search_type": "query_then_fetch",
            "indices": [
              "simulation-connect"
            ],
            "rest_total_hits_as_int": true,
            "body": {
              "query": {
                "bool": {
                  "must": [
                    {
                      "match_phrase": {
                        "customerNr_onBehalf": {
                          "query": "1234"
                        }
                      }
                    },
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "now-50m"
                        }
                      }
                    }
                  ],
                  "filter": [
                    {
                      "bool": {
                        "should": [
                          {
                            "bool": {
                              "should": [
                                {
                                  "match": {
                                    "resultAddArticleToBasket": true
                                  }
                                }
                              ],
                              "minimum_should_match": 1
                            }
                          },
                          {
                            "bool": {
                              "should": [
                                {
                                  "bool": {
                                    "should": [
                                      {
                                        "match": {
                                          "resultArticleSearch": true
                                        }
                                      }
                                    ],
                                    "minimum_should_match": 1
                                  }
                                },
                                {
                                  "bool": {
                                    "should": [
                                      {
                                        "bool": {
                                          "should": [
                                            {
                                              "match": {
                                                "resultFullTextSearch": true
                                              }
                                            }
                                          ],
                                          "minimum_should_match": 1
                                        }
                                      },
                                      {
                                        "bool": {
                                          "should": [
                                            {
                                              "bool": {
                                                "should": [
                                                  {
                                                    "match": {
                                                      "resultLogout": true
                                                    }
                                                  }
                                                ],
                                                "minimum_should_match": 1
                                              }
                                            },
                                            {
                                              "bool": {
                                                "should": [
                                                  {
                                                    "bool": {
                                                      "should": [
                                                        {
                                                          "match": {
                                                            "resultLogin": true
                                                          }
                                                        }
                                                      ],
                                                      "minimum_should_match": 1
                                                    }
                                                  },
                                                  {
                                                    "bool": {
                                                      "should": [
                                                        {
                                                          "match": {
                                                            "resultVehicleSearch": true
                                                          }
                                                        }
                                                      ],
                                                      "minimum_should_match": 1
                                                    }
                                                  }
                                                ],
                                                "minimum_should_match": 1
                                              }
                                            }
                                          ],
                                          "minimum_should_match": 1
                                        }
                                      }
                                    ],
                                    "minimum_should_match": 1
                                  }
                                }
                              ],
                              "minimum_should_match": 1
                            }
                          }
                        ],
                        "minimum_should_match": 1
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      },
      "condition": {
        "compare": {
          "ctx.payload.hits.total": {
            "gte": "1"
          }
        }
      },
      "actions": {
        "send_email": {
          "email": {
            "profile": "standard",
            "to": [
              "alexandros.ananikidis@sag-ag.ch"
            ],
            "subject": "[CH PROD] Connect CH Customer Simulation Failed",
            "body": {
              "text": "Elastic results are the following: {{#ctx.payload.hits.hits}}{{_source}}{{/ctx.payload.hits.hits}}"
            }
          }
        }
      }
    }

And the output is correctly like that:

Nevertheless, because as anyone can imagine it is extremely inconvenient to read how can i change the code in my alert so i can have at the end an email notification that will show the info in a more easy and clear way to read?

For example like that:

The results are the following:

resultLogin=true,
@timestamp=1586857855,
resultVehicleSearch=true,
resultArticleSearch=true,
resultFullTextSearch=true,
sessionID=455108a4054a4c2a93fa23cba4bc85c4,
customerNr_onBehalf=1234,
resultAddArticleToBasket=true,
resultLogout=true

resultLogin=true
@timestamp=1586858457,
resultVehicleSearch=true,
resultArticleSearch=true,
resultFullTextSearch=true,
sessionID=63c8aebbd39842398afa7b7399025526,
customerNr_onBehalf=1234,
resultAddArticleToBasket=true,
resultLogout=true

Hit 3....and so on

Luca_Belluccini · April 14, 2020, 11:26pm

Hello @Alexandros888

Watcher can send emails in plaintext or HTML.
You can use the Mustache language to format your email.

In plaintext, you can use this snippet in your action.
Please consider this is not valid JSON, the triple quotes """ can be interpreted by Kibana Dev Tools and will be converted to valid JSON:

"subject": "[CH PROD] Connect CH Customer Simulation Failed",
  "body": {
    "text": """Elastic results are the following:

{{#ctx.payload.hits.hits}}
resultlogin={{_source.resultLogin}}
resultVehicleSearch={{_source.resultVehicleSearch}}
resultArticleSearch={{_source.resultArticleSearch}}
@timestamp={{_source['@timestamp']}}
{{/ctx.payload.hits.hits}}"""
  }

In html:

"subject": "[CH PROD] Connect CH Customer Simulation Failed",
  "body": {
    "html": """<h1>Elastic results are the following</h1>
<table style="width:100%">
  <tr>
    <th>resultLogin</th>
    <th>resultVehicleSearch</th>
    <th>resultArticleSearch</th>
    <th>@timestamp</th>
  </tr>
{{#ctx.payload.hits.hits}}
<tr>
    <td>{{_source.resultLogin}}</td>
    <td>{{_source.resultVehicleSearch}}</td>
    <td>{{_source.resultArticleSearch}}</td>
    <td>{{_source['@timestamp']}}</td>
</tr>
{{/ctx.payload.hits.hits}}
</table>"""
  }

Alexandros888 · April 15, 2020, 9:11am

Luca you are AWESOME thank you very much for your solution!!!!.Much appreciated.
Just a final question if you have time, can you also tell me how to add borders and color in my table?

Thank you very much

Luca_Belluccini · April 15, 2020, 9:36am

Yes, it is possible to use HTML attributes or CSS styles.

See Watcher “watcher.actions.email.html.sanitization” table attributes
E.g.

<table border='1' style='font-family:sans-serif;font-size:13px'>

Just pay attention to the HTML sanitization.
Elasticsearch will filter some HTML tags or elements.
If you see some elements are not present in the final email, it means you have to allow the element in sanitization using those settings.

Alexandros888 · April 16, 2020, 2:07pm

Hello Luca thanks for all the valuable info really appreciated great help provided.
If you have some time check whenever you can also that link where i have a question similar to that.
The issue there is how to create an html like the one that you created here but in second or even third level aggregation.

Relative link: Make the email body of my alert easier to read

In any case thanks again for that one

Luca_Belluccini · April 16, 2020, 10:22pm

I've answered to the linked question.
Please mark this question as solved if you think this has been solved.

system · May 14, 2020, 10:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher Timestamp showing in EPOCH Elasticsearch elastic-stack-alerting	4	905	October 1, 2021
Need help with watcher to send the correct fields of result in the email Elasticsearch elastic-stack-alerting	6	1286	June 23, 2020
Watcher Email output Elasticsearch painless	2	322	December 13, 2022
Access nested aggregations in watcher's condition Elasticsearch elastic-stack-alerting	14	1853	September 10, 2020
X-Pack Watcher Email Action Formatting Question Elasticsearch elastic-stack-alerting	1	685	July 15, 2019

Transform email body response to a more readable form

Related topics