Alerting based on dynamic email returned from a document

Hi there,

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
I’m using the latest version of OpenSearch and OpenSearch Dashboards

Describe the issue:
I’m making a monitor with an extraction query which is returning me a status (up or down) and an email address.

I would like to make a trigger which would send a specific email to the address previously returned from the extraction query.

Is that possible?

I planned to use some variable like:

ctx.results[0].aggregations.latest_status.hits.hits[0]._source.email_adress

But I have the feeling it’s maybe not possible.

In the configuration, I made the email senders and the email recipients groups, but with fixed email addresses.

@vincent2mots Could you share a full alert definition?

Hi @pablo , of course!

My use case is the following: I want to send an email when network equipment is not reachable.

I made an extraction query like this:

{
    "size": 0,
    "query": {
        "range": {
            "datetime": {
                "from": "now-1m",
                "to": null,
                "include_lower": true,
                "include_upper": true,
                "boost": 1
            }
        }
    },
    "aggregations": {
        "distinct_status_count": {
            "cardinality": {
                "field": "status"
            }
        },
        "latest_status": {
            "top_hits": {
                "from": 0,
                "size": 1,
                "version": false,
                "seq_no_primary_term": false,
                "explain": false,
                "_source": {
                    "includes": [
                        "status",
                        "mail"
                    ],
                    "excludes": []
                },
                "sort": [
                    {
                        "datetime": {
                            "order": "desc"
                        }
                    }
                ]
            }
        }
    }
}

The purpose of this query is to get the status and the email address to which the notification should be sent.

Then I made two triggers: one when the status changes to down and the other when it changes to up.

The first trigger condition (change_status_down) is the following one:

// If the cardinality aggregation value is greater than 1 (there is a change of status)
// AND the latest status value received is "down": it's a breakdown
if (ctx.results[0].aggregations.distinct_status_count.value > 1 && ctx.results[0].aggregations.latest_status.hits.hits[0]._source.status.equals("down")) {
    return true
} else {
    return false
}

The query and the trigger work fine. But now I would like to reuse the email address I get from the document to send the notification, and it seems not to be possible.

Best regards,
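A stand-alone replay of the trigger logic in Python, added here as an illustration and not part of this thread or of OpenSearch itself: it evaluates a constructed response shaped like `ctx.results[0]` from the extraction query above, mirrors `change_status_down` together with the "up" counterpart the post describes, and handles the case where the one-minute window contains no document at all. The sample values, the helper names and the email address are made up.

```python
import json

# Constructed sample shaped like ctx.results[0] for the extraction query in
# the thread: a cardinality agg on "status" plus a top_hits agg sorted by
# datetime desc that returns "status" and "mail" from the newest document.
SAMPLE_RESULT = json.loads("""
{
  "aggregations": {
    "distinct_status_count": {"value": 2},
    "latest_status": {"hits": {"hits": [
      {"_source": {"status": "down", "mail": "noc@example.invalid"}}
    ]}}
  }
}
""")


def latest_doc(result):
    """Return the _source of the newest hit, or None when the window is empty."""
    hits = result["aggregations"]["latest_status"]["hits"]["hits"]
    return hits[0]["_source"] if hits else None


def status_changed(result):
    """True when more than one distinct status was seen in the window."""
    return result["aggregations"]["distinct_status_count"]["value"] > 1


def evaluate_triggers(result):
    """Mirror change_status_down and its 'up' counterpart from the thread.

    Returns (fired_trigger, mail): fired_trigger is 'change_status_down',
    'change_status_up' or None. The mail value is read from the document just
    as the Painless condition can read it; the notification channel itself is
    configured separately and cannot be derived from it (see pablo's reply).
    """
    if not status_changed(result):
        return None, None          # stable status: nothing to report
    doc = latest_doc(result)
    if doc is None:
        return None, None          # no document in the last minute
    if doc["status"] == "down":
        return "change_status_down", doc.get("mail")
    if doc["status"] == "up":
        return "change_status_up", doc.get("mail")
    return None, doc.get("mail")   # unknown status value: no trigger fires


if __name__ == "__main__":
    print(evaluate_triggers(SAMPLE_RESULT))
```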

Hi @pablo , did you have time to see my response?

@vincent2mots Thanks for the detailed explanation. To send notifications with Email, Slack or other actions, you need to first create a Channel. This object must exist before defining the Monitor itself. Therefore the output of the query can’t be used to define a new Channel dynamically.

Thanks @pablo for your answer

I think it would be a very good enhancement for future releases :slight_smile:

@vincent2mots If you’d like to report it as a feature request, then please create it in the OpenSearch GitHub

If you do so, please share the link to the FR here.