Using Observability Alerts for Slack: Why am I unable to post both the context.value and the aggregation A value that's used to calculate context.value?

Hello, I've set up observability alerts with Elastic/Kibana, but have run into such a simple issue:

When an alert triggers, it only shows the value that triggered the alert (e.g. the error rate above a certain threshold), but there are no variables I can pass to Slack to reveal the count that creates it. In this example, aggregation A is the number of errors, aggregation B is the total number of records, and the only accessible value I can send from the alert is the calculation I perform (A / B)... why?

Is there some sort of undocumented strategy in showing both the count of A & the percentage (A / B)?

Thanks

Hi @walk Welcome to the community!

Hmmm, I put an alert like this together with an A and B equation.

And I could not get the Separate Aggregation either, there is a lot of information including what A and B are, but the values are not there. I think you will need to open a feature request for that.

BTW Pro Tip: if you ever want to see everything available in an action, put this in the action and force an alert

Full Context
{{.}}

I notice this in that payload.. but the only value is the full computed value...

	"rule": {
		"params": {
			"criteria": [
				{
					"comparator": ">",
					"metrics": [
						{
							"name": "A",
							"field": "system.load.1",
							"aggType": "avg"
						},
						{
							"name": "B",
							"field": "system.load.15",
							"aggType": "avg"
						}
					],
					"threshold": [
						1
					],
					"timeSize": 1,
					"timeUnit": "m",
					"equation": "A / B",
					"label": "Ratio of Load 1m and 15m"
				}
			],
			"alertOnNoData": false,
			"alertOnGroupDisappear": true,
			"searchConfiguration": {
				"query": {
					"query": "data_stream.dataset : \"system.load\" ",
					"language": "kuery"
				},
				"index": "metrics-*"
			},
			"groupBy": [
				"host.name"
			]
		},

You could very easily link the alert to a visualization or ESQL Query that would show all three A , B, A/B... but I get the idea of seeing the values but I do not see them.

I will poke around a bit more and see if I can find something else.

BTW just a thought: this Elasticsearch query rule written in ES|QL does show all the values

FROM metrics-*
| STATS load_1m = AVG(`system.load.norm.1`), load_15m = AVG(`system.load.norm.15`) by host.name
| EVAL load_ratio = load_1m / load_15m
| where load_ratio > 1

With full context does show all

"context": {
		"title": "rule 'ESQL Load Ratio' matched query",
		"date": "2025-02-09T02:03:37.596Z",
		"value": 3,
		"hits": [
			{
				"_id": "esql_query_document",
				"_index": "",
				"_source": {
					"load_1m": 0.07451724137931034,
					"load_15m": 0.06896551724137931,
					"host.name": "default-pool-432f31cc-cdkw",
					"load_ratio": 1.0805,
					"host": {
						"name": "default-pool-432f31cc-cdkw"
					}
				}
			},
			{
				"_id": "esql_query_document",
				"_index": "",
				"_source": {
					"load_1m": 0.2659310344827586,
					"load_15m": 0.11451724137931035,
					"host.name": "default-pool-1d158066-kgpr",
					"load_ratio": 2.322192110809997,
					"host": {
						"name": "default-pool-1d158066-kgpr"
					}
				}
			},
			{
				"_id": "esql_query_document",
				"_index": "",
				"_source": {
					"load_1m": 0.0774,
					"load_15m": 0.05603333333333334,
					"host.name": "default-pool-432f31cc-8jdw",
					"load_ratio": 1.3813206424747173,
					"host": {
						"name": "efault-pool-432f31cc-8jdw"
					}
				}
			}
		],

Problem with this is, this type of rule does not support Group by, so all the hits come in one payload...
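
One way to work with the single combined payload described above, as an added example that is not part of the original posts or Elastic's own code: a small relay splits `context.hits` into one Slack message per host, showing A, B and A / B. It assumes the rule's action forwards the `context` object as JSON to the relay; the function names are hypothetical and the sample input is constructed from the payload shown in the thread.

```python
import json

# Constructed sample, trimmed from the "context" object shown in the thread;
# the third hit is deliberately incomplete to exercise the fallbacks.
SAMPLE_CONTEXT = json.loads("""
{"title": "rule 'ESQL Load Ratio' matched query",
 "hits": [
  {"_source": {"load_1m": 0.2659310344827586, "load_15m": 0.11451724137931035,
               "host.name": "default-pool-1d158066-kgpr",
               "load_ratio": 2.322192110809997}},
  {"_source": {"load_1m": 0.0774, "load_15m": 0.05603333333333334,
               "host": {"name": "default-pool-432f31cc-8jdw"},
               "load_ratio": 1.3813206424747173}},
  {"_source": {"load_1m": 0.5, "host.name": "<!channel>"}}
 ]}
""")

def esc(text):
    """Escape the three characters Slack treats as control characters."""
    return str(text).replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def host_of(source):
    """Read the host from the flat "host.name" key or the nested host object."""
    nested = source.get("host")
    nested_name = nested.get("name") if isinstance(nested, dict) else None
    return source.get("host.name") or nested_name or "unknown-host"

def fmt(value):
    """Three decimals for numbers, "n/a" for anything missing or non-numeric."""
    is_num = isinstance(value, (int, float)) and not isinstance(value, bool)
    return f"{value:.3f}" if is_num else "n/a"

def slack_messages(context):
    """Build one Slack message body per hit, showing A, B and A / B."""
    title = esc(context.get("title", "alert"))
    messages = []
    for hit in context.get("hits", []):
        src = hit.get("_source", {})
        messages.append({"text": (
            f"{title} | host={esc(host_of(src))} "
            f"A load_1m={fmt(src.get('load_1m'))} "
            f"B load_15m={fmt(src.get('load_15m'))} "
            f"A/B load_ratio={fmt(src.get('load_ratio'))}")})
    return messages

if __name__ == "__main__":
    for message in slack_messages(SAMPLE_CONTEXT):
        print(json.dumps(message))
```

Field values are escaped before they reach Slack because host names and other indexed fields are data the alert does not control.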