Should I be using {{rule.name}} instead of {{context.0.kibana.alert.rule.name}}?
and how can I debug when the webhook is not being sent for triggered alerts?
Any guidance on the correct variable syntax and debugging steps would be appreciated.
Hi @Rayleigh, there are potentially two issues here - the variable syntax and the webhook not being sent at all.
For the action definition, I’d suggest using the “For each alert” action frequency (if you’re not already) since you want to include a field kibana.alert.uuid that is unique to each alert. The variable syntax to access those values then would be e.g. {{context.alerts.0.kibana.alert.rule.name}}. If you instead want to include all alerts in a single webhook request, you can use “Summary of alerts” instead of “For each alert” and iterate over the array context.alerts using the syntax {{#context.alerts}} and reference fields of each alert like {{kibana.alert.rule.name}} - see Create a detection rule | Elastic Docs for examples. context.alerts will always be an array, but with “For each alert” it will be an array with only one alert in it.
The screenshot below shows how I set up a similar connector body with “For each alert” frequency and modified context variable names.
Debugging the webhook not being sent at all is a bit trickier. I’d suggest checking the Kibana server logs to see if any errors are present there. I’d also suggest checking logs/debugging the server the webhook is being sent to, if possible. Since the fields in the webhook were not being populated due to the variable names being incorrect, validation on the receiving end could be rejecting the webhook. If you can provide more details about the webhook setup (where the request is being sent to, any proxies in between, etc.) I can try to give more detailed advice.
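To make the variable-syntax point concrete, here is an added example that is not part of the thread and not Elastic's code: a deliberately small Mustache-style renderer (dotted variable paths plus `{{#section}}...{{/section}}` iteration, no HTML escaping, no inverted sections) run over a constructed action context whose shape follows the answer above (`context.alerts` is always an array; with "For each alert" it holds one alert). The exact structure of Kibana's real action context is assumed here, not taken from the page. The example shows that `{{context.0.kibana.alert.rule.name}}` resolves to an empty string, which is what produces the unpopulated fields a receiving endpoint may reject, while `{{context.alerts.0...}}` and the `{{#context.alerts}}` section both resolve correctly.

```python
import json
import re

# Constructed sample contexts (shape assumed for illustration, not Kibana's real object).
# "For each alert": context.alerts is an array holding exactly one alert.
FOR_EACH_ALERT_CONTEXT = {
    "rule": {"name": "Suspicious process"},
    "context": {
        "alerts": [
            {"kibana": {"alert": {"uuid": "alert-uuid-1", "rule": {"name": "Suspicious process"}}}},
        ]
    },
}

# "Summary of alerts": context.alerts holds every alert of the run.
SUMMARY_CONTEXT = {
    "rule": {"name": "Suspicious process"},
    "context": {
        "alerts": [
            {"kibana": {"alert": {"uuid": "alert-uuid-1", "rule": {"name": "Suspicious process"}}}},
            {"kibana": {"alert": {"uuid": "alert-uuid-2", "rule": {"name": "Suspicious process"}}}},
        ]
    },
}

SECTION_RE = re.compile(r"\{\{#([\w.]+)\}\}(.*?)\{\{/\1\}\}", re.DOTALL)
VAR_RE = re.compile(r"\{\{([\w.]+)\}\}")


def resolve(path, scopes):
    """Resolve a dotted path (e.g. 'context.alerts.0.kibana.alert.uuid') against a
    stack of scopes, innermost first. Numeric segments index into lists.
    Returns None when no scope contains the full path (Mustache renders that as '')."""
    for scope in reversed(scopes):
        value, found = scope, True
        for part in path.split("."):
            if isinstance(value, dict) and part in value:
                value = value[part]
            elif isinstance(value, list) and part.isdigit() and int(part) < len(value):
                value = value[int(part)]
            else:
                found = False
                break
        if found:
            return value
    return None


def render(template, scopes):
    """Render sections first (each list item becomes the innermost scope), then variables."""
    def render_section(match):
        name, body = match.group(1), match.group(2)
        value = resolve(name, scopes)
        if not value:
            return ""  # empty/missing section renders nothing
        if isinstance(value, list):
            return "".join(render(body, scopes + [item]) for item in value)
        if isinstance(value, dict):
            return render(body, scopes + [value])
        return render(body, scopes)

    def render_var(match):
        value = resolve(match.group(1), scopes)
        return "" if value is None else str(value)

    return VAR_RE.sub(render_var, SECTION_RE.sub(render_section, template))


# Webhook body for the "For each alert" frequency: index 0 is the single alert.
PER_ALERT_BODY = (
    '{"rule": "{{rule.name}}", '
    '"alert_uuid": "{{context.alerts.0.kibana.alert.uuid}}", '
    '"alert_rule": "{{context.alerts.0.kibana.alert.rule.name}}"}'
)

# Body for the "Summary of alerts" frequency: iterate over context.alerts.
SUMMARY_BODY = (
    "Rule {{rule.name}} fired:\n"
    "{{#context.alerts}}- {{kibana.alert.uuid}} ({{kibana.alert.rule.name}})\n{{/context.alerts}}"
)


def render_per_alert_body(ctx=FOR_EACH_ALERT_CONTEXT):
    """Render the per-alert JSON body and parse it, proving the fields are populated."""
    return json.loads(render(PER_ALERT_BODY, [ctx]))


def render_summary_body(ctx=SUMMARY_CONTEXT):
    """Render the summary body; works unchanged with a one-element context.alerts too."""
    return render(SUMMARY_BODY, [ctx])


if __name__ == "__main__":
    print(render_per_alert_body())
    print(render_summary_body())
    # The wrong path from the question resolves to nothing, leaving the field blank:
    print(repr(render("{{context.0.kibana.alert.rule.name}}", [FOR_EACH_ALERT_CONTEXT])))
```

When checking the receiving side, compare the rendered body against whatever schema that endpoint validates: a field rendered as an empty string is the symptom to look for before suspecting the network path.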