Using document properties in alert index rule

Hi,
I'm using Elasticsearch and Kibana 7.16.2, and I'm trying to create custom alerts rules.
I've created a rule which is using an index action and everything is nearly OK, but my question is: how can I include properties from document data matching my rule conditions?
For example: if I create a rule on property "system.filesystem.used.pct", how can I include the matching host name in the connector document?
Best regards,
Thierry

Hi Thierry :wave:

It depends on the specific rule type.
Some rules support individual documents, while others don't, depending on their query strategy (aggregation-based rules, for example, don't have access to the individual documents).

If you need access to individual documents, I suggest using the ES Query rule type, as it provides the context.hits variable that gives you access to the individual docs.

Cheers

Hi Gidi,
Thank you for your reply!
Actually my alert rule is a standard "Uptime monitor status". Is there a way to get the Elasticsearch query which is used by this rule to use it in a custom ES query rule type?
Best regards,
Thierry

Hi @tflorac,

Dominique from Uptime here. For Uptime rules, you have access to a few data points when the alert is triggered, including monitor name, monitor id, monitor URL, monitor type, observer hostname, observer location, and latest error. In the index connector, you can access these variables the same way you can in other connector types, with data interpolation. Here I have pictured an example of all the data points we have available and how you can configure the data within your index connector.

I know you mentioned wanting to include the host name for the affected monitor in your documents. Unfortunately, we don't include host and port separately in the alert state, but you can derive that information from the monitor URL. Is that sufficient for your use case? Please let us know if you'd like to see host and port tracked separately in the future.

Thanks!
Dominique
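The two answers above describe the same mechanism from two sides: Gidi's point that the ES Query rule exposes the matching documents through `context.hits`, and Dominique's point that the Uptime rule exposes a fixed set of `context.*` data points, with host and port derivable from the monitor URL. The script below is an added example that is not part of this thread and not Kibana's code. It builds the request bodies one would send to Kibana's alerting API for both rule types, with an index-connector document that interpolates per-document fields, and shows the host/port derivation. Everything API-specific is an assumption drawn from my recollection of the Kibana 7.16 documentation rather than from the thread: the `/api/alerting/rule` path, the rule type ids `.es-query` and `xpack.uptime.alerts.monitorStatus`, the action group ids, and the exact `context.*` variable names (the thread names the data points only in prose). The connector id is a placeholder.

```python
"""Added example for this thread (not from any post, not Kibana's own code).

Builds Kibana alerting-rule request bodies whose index-connector document
carries per-document fields, and derives host/port from an Uptime monitor URL.
Assumptions (from the Kibana 7.16 docs as recalled, not from the thread):
/api/alerting/rule, rule type ids ".es-query" and
"xpack.uptime.alerts.monitorStatus", action group ids, context.* names.
"""
import json
import re
from urllib.parse import urlsplit

# Hypothetical placeholder; use the id of your own index connector.
INDEX_CONNECTOR_ID = "00000000-0000-0000-0000-000000000000"


def es_query_index_action(connector_id: str) -> dict:
    """Index-connector action for the ES Query rule.

    context.hits is an array of Elasticsearch hits, so a Mustache section
    ({{#context.hits}} ... {{/context.hits}}) iterates over the matching
    documents and can read fields from each hit's _source.  The _source
    field names are the Metricbeat ones the question mentions (assumed).
    """
    return {
        "group": "query matched",
        "id": connector_id,
        "params": {
            "documents": [
                {
                    "rule_name": "{{rule.name}}",
                    "alert_id": "{{alert.id}}",
                    "fired_at": "{{context.date}}",
                    "matched_count": "{{context.value}}",
                    # one "host=pct" pair per matching hit, space separated
                    "hosts": (
                        "{{#context.hits}}"
                        "{{_source.host.name}}={{_source.system.filesystem.used.pct}} "
                        "{{/context.hits}}"
                    ),
                }
            ]
        },
    }


def es_query_rule_payload(connector_id: str, used_pct: float = 0.9) -> dict:
    """Body for POST /api/alerting/rule (assumed path): fire when any document
    in the last 5 minutes has system.filesystem.used.pct above `used_pct`."""
    es_query = {"query": {"range": {"system.filesystem.used.pct": {"gt": used_pct}}}}
    return {
        "name": "filesystem nearly full (per host)",
        "rule_type_id": ".es-query",
        "consumer": "alerts",
        "schedule": {"interval": "1m"},
        "notify_when": "onActiveAlert",
        "params": {
            "index": ["metricbeat-*"],
            "timeField": "@timestamp",
            "esQuery": json.dumps(es_query),  # the rule takes the query as a JSON string
            "size": 100,
            "threshold": [0],
            "thresholdComparator": ">",
            "timeWindowSize": 5,
            "timeWindowUnit": "m",
        },
        "actions": [es_query_index_action(connector_id)],
    }


def uptime_index_action(connector_id: str) -> dict:
    """Index-connector action for the Uptime monitor status rule, carrying the
    data points Dominique lists (variable names and group id are assumed)."""
    return {
        "group": "xpack.uptime.alerts.actionGroups.monitorStatus",
        "id": connector_id,
        "params": {
            "documents": [
                {
                    "monitor_name": "{{context.monitorName}}",
                    "monitor_id": "{{context.monitorId}}",
                    "monitor_url": "{{context.monitorUrl}}",
                    "monitor_type": "{{context.monitorType}}",
                    "observer_hostname": "{{context.observerHostname}}",
                    "observer_location": "{{context.observerLocation}}",
                    "latest_error": "{{context.latestErrorMessage}}",
                }
            ]
        },
    }


_DEFAULT_PORTS = {"http": 80, "https": 443}


def host_port_from_monitor_url(url: str):
    """Split an Uptime monitor URL (http(s)://, tcp://, icmp://) into (host, port).
    http/https fall back to their well-known ports; other schemes give None."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or _DEFAULT_PORTS.get(parts.scheme.lower())


_VAR = re.compile(r"\{\{[#/^]?\s*([\w.]+)\s*\}\}")


def referenced_vars(doc: dict) -> set:
    """Every Mustache variable a document template references, section sigils
    stripped, so a template can be checked against what the rule type exposes."""
    return set(_VAR.findall(json.dumps(doc)))


if __name__ == "__main__":
    print(json.dumps(es_query_rule_payload(INDEX_CONNECTOR_ID), indent=2))
    print(sorted(referenced_vars(uptime_index_action(INDEX_CONNECTOR_ID))))
    print(host_port_from_monitor_url("https://example.com:8443/health"))
```

Send the ES Query body with `kbn-xsrf: true` and the usual authentication headers; the Mustache section in `hosts` is what turns the per-hit `_source` fields into connector-document content, which an aggregation-based rule cannot provide. For Uptime alerts, run `host_port_from_monitor_url` over the indexed `monitor_url` field afterwards (or in an ingest pipeline) until host and port are tracked separately.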
