Is there any way the emails are sent separately for each alert notification in the watcher?
As we receive several alerts on our team, we would prefer that they come separately.
Hello @spinscale, thanks so much for the help! I tried using foreach, but the alerts are still coming in the same email and not in separate emails.
Here is the structure of my watcher:
```json
{
  "trigger": {
    "schedule": {
      "interval": "3m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "log"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "action": "Prevent"
                  }
                },
                {
                  "match": {
                    "severity": "Critical"
                  }
                },
                {
                  "exists": {
                    "field": "attack"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-2m"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "foreach": "ctx.payload.hits.hits",
      "max_iterations": 500,
      "email": {
        "profile": "standard",
        "to": [
          "mail@mail.com"
        ],
        "subject": "ELK TEST WATCHER",
        "body": {
          "html": "<table style=\"width: 100%; text-align: center;\"><tr><td>THIS IS A TEST</td></tr></table>"
        }
      }
    }
  }
}
```
Can you tell me if there's something wrong?
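The behaviour the poster is after is one email per element of `ctx.payload.hits.hits`, which is what an action-level `foreach` iterates over. The following Python script is an added illustration, not part of the thread and not Watcher's own code: it models that per-hit dispatch against a constructed sample payload, applies the watch condition (note that the posted `gte: 0` is also true for an empty result set, so a threshold of at least one hit is used here), honours `max_iterations`, and HTML-escapes every log field before placing it in the email body, since `attack`, source addresses and similar fields come from the monitored traffic and can carry markup. The payload shape, field names and the `render_email`/`dispatch` helpers are assumptions for the example.

```python
import html
import json

# Constructed sample of what Watcher exposes as ctx.payload after the search
# input runs. This is illustrative data, not output from the thread's cluster.
SAMPLE_PAYLOAD = {
    "hits": {
        "total": 2,
        "hits": [
            {
                "_id": "1",
                "_source": {
                    "@timestamp": "2024-01-01T00:00:00Z",
                    "action": "Prevent",
                    "severity": "Critical",
                    "attack": "SQL Injection",
                    "src": "10.0.0.5",
                },
            },
            {
                "_id": "2",
                "_source": {
                    "@timestamp": "2024-01-01T00:01:00Z",
                    "action": "Prevent",
                    "severity": "Critical",
                    # Log fields can contain markup; it must not reach the mail body unescaped.
                    "attack": "XSS attempt <script>",
                    "src": "10.0.0.9",
                },
            },
        ],
    }
}


def condition_met(payload, minimum_hits=1):
    """Mirror the watch's compare condition on ctx.payload.hits.total.

    The thread's watch uses gte 0, which also fires on an empty result set;
    requiring at least one hit (assumed here) avoids sending empty alerts.
    """
    return payload["hits"]["total"] >= minimum_hits


def render_email(hit):
    """Build a single email for one hit, escaping every value taken from the log."""
    src = hit["_source"]
    rows = "".join(
        f"<tr><td>{html.escape(str(k))}</td><td>{html.escape(str(v))}</td></tr>"
        for k, v in sorted(src.items())
    )
    return {
        "to": ["mail@mail.com"],
        # Subject is plain text, so no HTML escaping is needed there.
        "subject": f"ELK TEST WATCHER: {src.get('attack', 'unknown')}",
        "html": f'<table style="width: 100%; text-align: center;">{rows}</table>',
    }


def dispatch(payload, max_iterations=500):
    """Equivalent of the action-level foreach over ctx.payload.hits.hits.

    Returns one email per hit, capped at max_iterations as Watcher does,
    and nothing at all when the condition is not met.
    """
    if not condition_met(payload):
        return []
    return [render_email(h) for h in payload["hits"]["hits"][:max_iterations]]


if __name__ == "__main__":
    for mail in dispatch(SAMPLE_PAYLOAD):
        print(json.dumps(mail, indent=2))
```

Running the script prints two separate email objects; feeding it an empty payload produces none, and the second mail shows the `<script>` text rendered as `&lt;script&gt;` in the table rather than as live markup.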
I'm having the same problem as Dovan.
Can you help? @spinscale