Triggered esql alert rule does not expose document results

Hello,

I'm looking for some help with getting an ESQL query based alert to expose the document results so that they can be used in the customDetails of the PagerDuty payload when triggered.

Looking at an example of a triggered alert, the documents or results are not available, but things like the query, alert name etc. are available and can be used.

Is this a feature that can be worked on or am I missing something to make the results available?

Below are some details giving an example of what I've done.

  1. An ESQL query returns the below result of Heartbeats.

  2. The query is put into an alert that has the below payload in the PagerDuty custom details:

{"results":"{{#context.hits}}{{fields.Heartbeats}}{{/context.hits}}"}

  3. The resulting alert triggered in PagerDuty has no field returned.

  4. If I go to the triggered alert in Elastic and view the details, I cannot see the context data for the documents that triggered the alert either.

  5. I've tried variations of the usage described in this document, but it's just not working to get the context data.


Thank you!


Hello @FPTravStan

I think I can help.
You can always test where the document results are located by using {{.}}
So here's my short example.
Here's my sample simple ES|QL query:

FROM logs-*
| WHERE source.bytes is not null and agent.name is not null
| STATS total_bytes = SUM(source.bytes) BY agent.name
| LIMIT 5

The expected output is:

Now for the connector, I normally use email; here's the body:

|||
| - | - |
| Total Bytes | Agent |
{{#context.hits}}
| {{_source.total_bytes}} | {{_source.agent.name}} |
{{/context.hits}}

As you can see, I am using {{_source.agent.name}} and {{_source.total_bytes}} within {{context.hits}}.

The end result:

Sidebar:
I've been asking Elastic to improve their ability to get contextual information more easily in alerts, as a 'match' is useless.

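To make the difference between the original `{{fields.Heartbeats}}` template and the working `{{_source.…}}` template concrete, here is an added example that is not part of this thread and not Kibana's own renderer: a small Mustache-style renderer in Python (sections, dotted names and `{{.}}` only, no HTML escaping) run over a constructed `context.hits` array shaped the way the answer above describes (each result row's columns under `_source`; the exact row shape is an assumption). It renders the email table body, the original PagerDuty template, and a PagerDuty customDetails variant, and checks that the rendered customDetails is still valid JSON.

```python
import json
import re

# Constructed sample of what an ES|QL rule exposes as context.hits: one entry
# per result row, with the row's columns under `_source` (assumption based on
# the thread; not a capture from a real rule run).
SAMPLE_HITS = [
    {"_id": "row-0", "_index": "logs-*",
     "_source": {"total_bytes": 1048576, "agent": {"name": "agent-a"}}},
    {"_id": "row-1", "_index": "logs-*",
     "_source": {"total_bytes": 20480, "agent": {"name": "agent-b"}}},
]

# The working email body from the answer above.
EMAIL_BODY = """| Total Bytes | Agent |
| - | - |
{{#context.hits}}
| {{_source.total_bytes}} | {{_source.agent.name}} |
{{/context.hits}}
"""

# The original question's template: `fields` is not present on a hit, so every
# iteration renders to an empty string.
ORIGINAL_PD_TEMPLATE = '{"results":"{{#context.hits}}{{fields.Heartbeats}}{{/context.hits}}"}'

# A customDetails template that reads the columns from `_source` instead.
PD_TEMPLATE = ('{"results":"{{#context.hits}}{{_source.agent.name}}='
               '{{_source.total_bytes}}; {{/context.hits}}"}')

SECTION_RE = re.compile(r"\{\{#([\w.]+)\}\}(.*?)\{\{/\1\}\}", re.S)
VAR_RE = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


def lookup(name, stack):
    """Resolve a dotted Mustache name against the context stack, innermost first."""
    if name == ".":
        return stack[-1]
    for ctx in reversed(stack):
        cur, found = ctx, True
        for part in name.split("."):
            if isinstance(cur, dict) and part in cur:
                cur = cur[part]
            else:
                found = False
                break
        if found:
            return cur
    return None


def _render(template, stack):
    def expand_section(m):
        value = lookup(m.group(1), stack)
        if not value:
            return ""  # falsy or missing section renders nothing
        items = value if isinstance(value, list) else [value]
        return "".join(_render(m.group(2), stack + [item]) for item in items)

    def expand_var(m):
        value = lookup(m.group(1), stack)
        return "" if value is None else str(value)

    return VAR_RE.sub(expand_var, SECTION_RE.sub(expand_section, template))


def render(template, context):
    """Render a template against a top-level context dict (toy Mustache, no escaping)."""
    return _render(template, [context])


def render_email_table(hits):
    return render(EMAIL_BODY, {"context": {"hits": hits}})


def render_original_results(hits):
    """Value of `results` when the template reads `fields.Heartbeats`: always empty."""
    return json.loads(render(ORIGINAL_PD_TEMPLATE, {"context": {"hits": hits}}))["results"]


def render_pagerduty_details(hits):
    """Render the `_source`-based customDetails and parse it to confirm it is valid JSON.

    Values are not escaped here, so a column containing a quote or newline would
    break the payload; json.loads surfaces that before anything is sent.
    """
    return json.loads(render(PD_TEMPLATE, {"context": {"hits": hits}}))


if __name__ == "__main__":
    print(render_email_table(SAMPLE_HITS))
    print("original template results:", repr(render_original_results(SAMPLE_HITS)))
    print("customDetails:", render_pagerduty_details(SAMPLE_HITS))
```

Running it prints the two-row table from the answer, an empty `results` string for the original template, and `{'results': 'agent-a=1048576; agent-b=20480; '}` for the `_source` version. The `json.loads` step is the check worth keeping when you build customDetails by string templating: Kibana renders the Mustache before the connector parses the JSON, so a value that contains a double quote produces a malformed payload rather than a readable alert.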

Hi @erikg ,

Thank you for taking the time to help me with this. I misread the usage of the _source field, so that all makes sense now :laughing:

I have just tried it out and it works for the PagerDuty connector; now all I need to do is format it nicely within the JSON payload.

Thanks again!
