Watcher Alerts - including aggregated fields in emails

I'm having trouble with a new watcher I want to set up. I need to monitor for traffic coming in from a group of proxies, aggregate some fields from the records, and send out an email containing those fields if the condition is met. The problem is, not all of the fields are present in all of the transactions I am picking up.

When I try and write out the hits in my payload I just list out the aggs I have defined, but any time a record encounters a blank field the rest of the payload is truncated, i.e., if I pull field1, field2, field3 and field4 in my aggs, and field2 for a particular transaction is blank, the watcher will only write out field1 for that transaction even if 3 and 4 contain data. Also, a blank field will mean any subsequent HTML tags I've included will be ignored. I want to be able to create a report and just include all the available fields from each record in the payload.

Any ideas on how I can force the watcher to include all available fields for each record in the payload in the email, and not truncate a record if one of the aggs is empty?

For reference - here's the code snippet from the email action:

    "subject": "ElasticAlert - {{}} statusCd 4xx/5xx errors for Proxies in last 12 hours",
    "body": {
      "html": "<b> Transactions with Status Code 4xx/5xx</b><br><br>{{#ctx.payload.aggregations.starttime.buckets}}{{key}} <b>Status Code: </b>{{#statuscode.buckets}}{{key}} <b>Error: </b>{{#errormsg.buckets}}{{key}} <b>Reason: </b>{{#errorreason.buckets}}{{key}} <b>App:</b> {{#appl.buckets}}{{key}} <b>Client:</b> {{#client.buckets}}{{key}}<br>{{/client.buckets}}{{/appl.buckets}}{{/errorreason.buckets}}{{/errormsg.buckets}}{{/statuscode.buckets}}{{/ctx.payload.aggregations.starttime.buckets}}"
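
The template above opens each Mustache section inside the previous one, and a section over an empty list renders nothing between its tags, so one empty bucket list suppresses every later field and the `<br>` that sits in the innermost section. The Python below is an added illustration, not part of the original post or of Watcher: it models that nesting next to a variant in which each section closes right after its own `{{key}}`. The payload is constructed, and it assumes the per-field aggregations are siblings under each `starttime` bucket.

```python
# Constructed sample payload (not from the original post). Assumption: the
# per-field terms aggregations are siblings under each "starttime" bucket.
def _agg(*keys):
    return {"buckets": [{"key": k} for k in keys]}

PAYLOAD = {"aggregations": {"starttime": {"buckets": [
    {"key": "2024-01-01T00:00", "statuscode": _agg(502), "errormsg": _agg("Bad Gateway"),
     "errorreason": _agg("upstream reset"), "appl": _agg("billing"), "client": _agg("client-a")},
    # Second record has no error message, so that bucket list is empty.
    {"key": "2024-01-01T01:00", "statuscode": _agg(404), "errormsg": _agg(),
     "errorreason": _agg("not found"), "appl": _agg("portal"), "client": _agg("client-b")},
]}}}

# (aggregation name, label the template prints before opening that section)
LEVELS = [("statuscode", "<b>Status Code: </b>"), ("errormsg", "<b>Error: </b>"),
          ("errorreason", "<b>Reason: </b>"), ("appl", "<b>App:</b> "),
          ("client", "<b>Client:</b> ")]

def render_nested(row, depth=0):
    """Model of the posted template: every section opens inside the previous one.
    Names resolve against `row` because Mustache walks up the context stack."""
    if depth == len(LEVELS):
        return "<br>"  # the line break lives inside the innermost section
    name, label = LEVELS[depth]
    out = label
    for bucket in row.get(name, {}).get("buckets", []):
        out += f'{bucket["key"]} ' + render_nested(row, depth + 1)
    return out  # empty bucket list: nothing after the label is rendered

def render_flat(row):
    """Model of a flattened template, where each section is closed at once:
    {{#statuscode.buckets}}{{key}} {{/statuscode.buckets}}<b>Error: </b>... <br>"""
    parts = []
    for name, label in LEVELS:
        keys = [str(b["key"]) for b in row.get(name, {}).get("buckets", [])]
        parts.append(label + " ".join(keys))
    return " ".join(parts) + "<br>"  # line break sits outside every section

def render_email(payload, render_row):
    rows = payload["aggregations"]["starttime"]["buckets"]
    return "".join(f'{r["key"]} {render_row(r)}' for r in rows)

if __name__ == "__main__":
    print(render_email(PAYLOAD, render_nested))
    print(render_email(PAYLOAD, render_flat))
```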
