Alerting - group by not showing on alerts summary page

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 2.19.2

Describe the issue: When using ‘group by’ in an alerting rule, this is correct in the preview but shows ‘-’ in the alert summary.

Relevant Logs or Screenshots:

Preview correct

Summary shows meta.host.name as ‘-’

Is this a bug? It seems something similar was reported in the earlier 2.x releases. If not, what am I doing wrong? :wink:

Hey @coredump17 ,

Is it possible you could share a sample log which includes the meta.host.name as well as the rest of the information and anything you did when creating the alert?

Thanks,

Leeroy.

Hi,

Below is an example document

{
  "_index": ".ds-syslog",
  "_id": "N75925gBvsYetcCIWFC7",
  "_score": 1,
  "_source": {
    "message": "Base SECURITY-MINOR-ssh_user_login_failed-2011 [test2]:  User test2 from 10.176.57.164 failed authentication",
    "meta": {
      "host": {
        "name": "test-met-1a",
        "type": "NOKIA-TiMOS"
      }
    },
    "nokia": {
      "facility": "SECURITY",
      "hostname": "test-met-1a",
      "pri": "187",
      "severity": "MINOR",
      "srcip": "10.10.10.10",
      "subject": "ssh_user_login_failed-2011",
      "timestamp": "Aug 24 09:51:20",
      "vrtr_name": "Base"
    },
    "syslog": {
      "facility": "local7",
      "host": "10.10.10.10",
      "priority": 187,
      "severity": "minor",
      "timestamp": "2025-08-24T09:51:20.688Z"
    }
  },
  "fields": {
    "meta.collector.timestamp": [
      "2025-08-24T09:51:20.688Z"
    ],
    "syslog.timestamp": [
      "2025-08-24T09:51:20.688Z"
    ]
  }
}

The above screenshots show the alert creation. I have tried this with a few other nested fields with different documents; all seem to result in a ‘-’. Wondering if the capital letter in the header has something to do with it?

host.meta.name is a keyword. The alert is counting the number of subjects that match ‘ssh_user_login_failed-2011’, grouping by meta.host.name and alarming if > 9.

Alert from API (/_plugins/_alerting/monitors/alerts?alertState=ACTIVE) - we can see this shows the correct agg keys.

"alerts": [
    {
      "id": "OnU-6JgBRmFLcQ6F2tFl",
      "version": 8,
      "monitor_id": "BPXQ9ZEB3EK2NoRz1r53",
      "workflow_id": "",
      "workflow_name": "",
      "associated_alert_ids": [],
      "schema_version": 5,
      "monitor_version": 6,
      "monitor_name": "NOKIA-SSH_USER_LOGIN_FAILED",
      "execution_id": "BPXQ9ZEB3EK2NoRz1r53_2025-08-26T21:18:09.993508361_e6fa73ee-99ba-49f1-8c4b-255724c414ad",
      "trigger_id": "A_XQ9ZEB3EK2NoRz1r5k",
      "trigger_name": "NOKIA_FAILED_LOGIN_COUNT",
      "finding_ids": [],
      "related_doc_ids": [],
      "state": "ACTIVE",
      "error_message": null,
      "alert_history": [],
      "severity": "3",
      "action_execution_results": [],
      "start_time": 1756243090010,
      "last_notification_time": 1756243090010,
      "end_time": null,
      "acknowledged_time": null,
      "agg_alert_content": {
        "parent_bucket_path": "composite_agg",
        "bucket_keys": [
          "test-met-1a"
        ],
        "bucket": {
          "doc_count": 12,
          "key": {
            "meta.host.name": "test-met-1a"
          }
        }
      }
    }
....SNIP
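Since the API response above carries the group-by value under agg_alert_content.bucket.key while the Dashboards summary prints ‘-’, a practitioner can read it from the API directly. The following is an added example, not code from this thread or from the OpenSearch project; the sample response is constructed to match the shape quoted above, with made-up ids and extra alerts.

```python
"""Flatten bucket-level alerts from the Alerting API into per-group rows.
Added example, not code from the thread or the OpenSearch project: the
Dashboards summary prints '-' for the group-by value, but the API response
carries it under agg_alert_content.bucket.key, so read it from there."""
import json
from typing import Any

# Constructed sample, shaped like the /_plugins/_alerting/monitors/alerts
# response quoted in the thread; ids and the second/third alerts are made up.
SAMPLE_RESPONSE = json.loads("""
{"alerts": [
  {"id": "alert-1", "monitor_name": "NOKIA-SSH_USER_LOGIN_FAILED",
   "trigger_name": "NOKIA_FAILED_LOGIN_COUNT", "state": "ACTIVE",
   "agg_alert_content": {"parent_bucket_path": "composite_agg",
     "bucket_keys": ["test-met-1a"],
     "bucket": {"doc_count": 12, "key": {"meta.host.name": "test-met-1a"}}}},
  {"id": "alert-2", "monitor_name": "NOKIA-SSH_USER_LOGIN_FAILED",
   "trigger_name": "NOKIA_FAILED_LOGIN_COUNT", "state": "ACTIVE",
   "agg_alert_content": {"parent_bucket_path": "composite_agg",
     "bucket_keys": ["test-met-2b"],
     "bucket": {"doc_count": 10, "key": {"meta.host.name": "test-met-2b"}}}},
  {"id": "alert-3", "monitor_name": "QUERY_LEVEL_EXAMPLE",
   "trigger_name": "ANY_MATCH", "state": "ACTIVE", "agg_alert_content": null}
], "totalAlerts": 3}
""")


def flatten_alerts(response: dict[str, Any]) -> list[dict[str, Any]]:
    """One row per alert: monitor, trigger, state, group-by value, doc_count.
    Query-level alerts carry no agg_alert_content, so group/doc_count are None."""
    rows = []
    for alert in response.get("alerts", []):
        agg = alert.get("agg_alert_content") or {}
        bucket = agg.get("bucket") or {}
        # A composite agg may have several sources; keep all of them, in order.
        group = ", ".join(f"{k}={v}" for k, v in (bucket.get("key") or {}).items())
        rows.append({"id": alert.get("id"), "monitor": alert.get("monitor_name"),
                     "trigger": alert.get("trigger_name"), "state": alert.get("state"),
                     "group": group or None, "doc_count": bucket.get("doc_count")})
    return rows


if __name__ == "__main__":
    # Print the summary the UI should have shown, one line per alert.
    for r in flatten_alerts(SAMPLE_RESPONSE):
        print(f"{r['monitor']:<30} {r['group'] or '-':<28} {r['doc_count']}")
```

To use it against a live cluster, replace SAMPLE_RESPONSE with the parsed body of a GET to /_plugins/_alerting/monitors/alerts?alertState=ACTIVE.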

hey @coredump17 ,

I did some testing and it seems you’re right; it does look like with nested fields I can’t get it to output anything other than “-”.

Could you send on the bug report you saw for earlier versions?

If the bug differs, I suggest submitting a new bug report so that this can be worked on and fixed.

Leeroy.

@Leeroy - thanks for taking the time to look. I have opened a new bug report https://github.com/opensearch-project/alerting-dashboards-plugin/issues/1292
