Transform email body response to a more readable form

Elastic Stack Elasticsearch
1

Hello,

I have created the following watcher alert:

    {
      "trigger": {
        "schedule": {
          "hourly": {
            "minute": [
              1,
              3,
              11,
              16,
              23,
              31,
              41,
              51
            ]
          }
        }
      },
      "input": {
        "search": {
          "request": {
            "search_type": "query_then_fetch",
            "indices": [
              "simulation-connect"
            ],
            "rest_total_hits_as_int": true,
            "body": {
              "query": {
                "bool": {
                  "must": [
                    {
                      "match_phrase": {
                        "customerNr_onBehalf": {
                          "query": "1234"
                        }
                      }
                    },
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "now-50m"
                        }
                      }
                    }
                  ],
                  "filter": [
                    {
                      "bool": {
                        "should": [
                          {
                            "bool": {
                              "should": [
                                {
                                  "match": {
                                    "resultAddArticleToBasket": true
                                  }
                                }
                              ],
                              "minimum_should_match": 1
                            }
                          },
                          {
                            "bool": {
                              "should": [
                                {
                                  "bool": {
                                    "should": [
                                      {
                                        "match": {
                                          "resultArticleSearch": true
                                        }
                                      }
                                    ],
                                    "minimum_should_match": 1
                                  }
                                },
                                {
                                  "bool": {
                                    "should": [
                                      {
                                        "bool": {
                                          "should": [
                                            {
                                              "match": {
                                                "resultFullTextSearch": true
                                              }
                                            }
                                          ],
                                          "minimum_should_match": 1
                                        }
                                      },
                                      {
                                        "bool": {
                                          "should": [
                                            {
                                              "bool": {
                                                "should": [
                                                  {
                                                    "match": {
                                                      "resultLogout": true
                                                    }
                                                  }
                                                ],
                                                "minimum_should_match": 1
                                              }
                                            },
                                            {
                                              "bool": {
                                                "should": [
                                                  {
                                                    "bool": {
                                                      "should": [
                                                        {
                                                          "match": {
                                                            "resultLogin": true
                                                          }
                                                        }
                                                      ],
                                                      "minimum_should_match": 1
                                                    }
                                                  },
                                                  {
                                                    "bool": {
                                                      "should": [
                                                        {
                                                          "match": {
                                                            "resultVehicleSearch": true
                                                          }
                                                        }
                                                      ],
                                                      "minimum_should_match": 1
                                                    }
                                                  }
                                                ],
                                                "minimum_should_match": 1
                                              }
                                            }
                                          ],
                                          "minimum_should_match": 1
                                        }
                                      }
                                    ],
                                    "minimum_should_match": 1
                                  }
                                }
                              ],
                              "minimum_should_match": 1
                            }
                          }
                        ],
                        "minimum_should_match": 1
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      },
      "condition": {
        "compare": {
          "ctx.payload.hits.total": {
            "gte": "1"
          }
        }
      },
      "actions": {
        "send_email": {
          "email": {
            "profile": "standard",
            "to": [
              "alexandros.ananikidis@sag-ag.ch"
            ],
            "subject": "[CH PROD] Connect CH Customer Simulation Failed",
            "body": {
              "text": "Elastic results are the following: {{#ctx.payload.hits.hits}}{{_source}}{{/ctx.payload.hits.hits}}"
            }
          }
        }
      }
    }

And the output is correctly like that:

image
image1799Ă—387 45.1 KB

Nevertheless, because as anyone can imagine it is extremely inconvenient to read how can i change the code in my alert so i can have at the end an email notification that will show the info in a more easy and clear way to read?

For example like that:

The results are the following:

Hit 1

resultLogin=true,
@timestamp=1586857855,
resultVehicleSearch=true,
resultArticleSearch=true,
resultFullTextSearch=true,
sessionID=455108a4054a4c2a93fa23cba4bc85c4,
customerNr_onBehalf=1234,
resultAddArticleToBasket=true,
resultLogout=true

Hit 2

resultLogin=true
@timestamp=1586858457,
resultVehicleSearch=true,
resultArticleSearch=true,
resultFullTextSearch=true,
sessionID=63c8aebbd39842398afa7b7399025526,
customerNr_onBehalf=1234,
resultAddArticleToBasket=true,
resultLogout=true

Hit 3....and so on

2

Hello @Alexandros888

Watcher can send emails in plaintext or HTML.
You can use the Mustache language to format your email.

In plaintext, you can use this snippet in your action.
Please consider this is not valid JSON, the triple quotes """ can be interpreted by Kibana Dev Tools and will be converted to valid JSON:

"subject": "[CH PROD] Connect CH Customer Simulation Failed",
  "body": {
    "text": """Elastic results are the following:

{{#ctx.payload.hits.hits}}
resultlogin={{_source.resultLogin}}
resultVehicleSearch={{_source.resultVehicleSearch}}
resultArticleSearch={{_source.resultArticleSearch}}
@timestamp={{_source['@timestamp']}}
{{/ctx.payload.hits.hits}}"""
  }

In html:

"subject": "[CH PROD] Connect CH Customer Simulation Failed",
  "body": {
    "html": """<h1>Elastic results are the following</h1>
<table style="width:100%">
  <tr>
    <th>resultLogin</th>
    <th>resultVehicleSearch</th>
    <th>resultArticleSearch</th>
    <th>@timestamp</th>
  </tr>
{{#ctx.payload.hits.hits}}
<tr>
    <td>{{_source.resultLogin}}</td>
    <td>{{_source.resultVehicleSearch}}</td>
    <td>{{_source.resultArticleSearch}}</td>
    <td>{{_source['@timestamp']}}</td>
</tr>
{{/ctx.payload.hits.hits}}
</table>"""
  }
1 Like
3

Luca you are AWESOME thank you very much for your solution!!!!.Much appreciated.
Just a final question if you have time, can you also tell me how to add borders and color in my table?

Thank you very much

1 Like
4

Yes, it is possible to use HTML attributes or CSS styles.

See Watcher “watcher.actions.email.html.sanitization” table attributes
E.g.

<table border='1' style='font-family:sans-serif;font-size:13px'>

Just pay attention to the HTML sanitization.
Elasticsearch will filter some HTML tags or elements.
If you see some elements are not present in the final email, it means you have to allow the element in sanitization using those settings.

1 Like
5

Hello Luca thanks for all the valuable info really appreciated great help provided.
If you have some time check whenever you can also that link where i have a question similar to that.
The issue there is how to create an html like the one that you created here but in second or even third level aggregation.

Relative link: Make the email body of my alert easier to read

In any case thanks again for that one :slight_smile:

1 Like
6

I've answered to the linked question.
Please mark this question as solved if you think this has been solved.

1 Like
7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.