Alerting Query not working in Elasticsearch Kibana Open Distro

I am unable to get the result set for the Wazuh logs coming in, in my alerting queries.

I am just trying to see if logs are there and alert on the eventName using the Mustache query.

Alerts go to a Slack channel.

This is my Monitor Extraction Query Response preview:

    {
      "_shards": {
        "total": 366,
        "failed": 0,
        "successful": 366,
        "skipped": 0
      },
      "hits": {
        "hits": [],
        "total": {
          "value": 10000,
          "relation": "gte"
        },
        "max_score": null
      },
      "took": 103,
      "timed_out": false
    }

This is my Trigger condition:
ctx.results[0] > 0

In the screenshot, I have the data which I am alerting on.

Hi @schauhan,

The inner hits object is an array so you would have to specify the index if you wanted to access a particular search hit:


Or if you wanted to iterate through all of your hits and get that field for each one you could do:


Assuming you're looking for those fields under the _source of the results, you'd want to add that in either case.
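Putting the answer above into a complete monitor definition, as an added example that is not part of the original thread and is not taken from the Open Distro or Wazuh projects: this is the body one would send to the Open Distro Alerting monitor API (`POST _opendistro/_alerting/monitors`). The index pattern `wazuh-alerts-*`, the `timestamp` field, a top-level `eventName` field in `_source`, the monitor and trigger names, and the `<slack-destination-id>` placeholder are assumptions about the poster's setup and must be replaced. The extraction query requests `size: 10` so that `hits.hits` is actually populated (the preview above shows `hits.hits` empty while `total.value` is 10000, which is what a query with `size: 0` returns, and `size: 0` is the default extraction query in the monitor UI). The Painless trigger condition uses the array-index form `ctx.results[0]`, while the Mustache templates use the dotted form `ctx.results.0`, and both reach the field through `_source` as the answer suggests.

```json
{
  "type": "monitor",
  "name": "wazuh-eventname-monitor",
  "enabled": true,
  "schedule": { "period": { "interval": 1, "unit": "MINUTES" } },
  "inputs": [{
    "search": {
      "indices": ["wazuh-alerts-*"],
      "query": {
        "size": 10,
        "track_total_hits": true,
        "query": {
          "bool": {
            "filter": [
              { "exists": { "field": "eventName" } },
              { "range": { "timestamp": {
                  "gte": "{{period_end}}||-5m",
                  "lte": "{{period_end}}",
                  "format": "epoch_millis" } } }
            ]
          }
        }
      }
    }
  }],
  "triggers": [{
    "name": "eventName seen",
    "severity": "1",
    "condition": {
      "script": {
        "source": "ctx.results[0].hits.total.value > 0",
        "lang": "painless"
      }
    },
    "actions": [{
      "name": "notify-slack",
      "destination_id": "<slack-destination-id>",
      "throttle_enabled": false,
      "subject_template": {
        "source": "Wazuh eventName alert ({{ctx.results.0.hits.total.value}} hits)",
        "lang": "mustache"
      },
      "message_template": {
        "source": "Monitor {{ctx.monitor.name}} fired for trigger {{ctx.trigger.name}}.\nFirst hit: {{ctx.results.0.hits.hits.0._source.eventName}}\nAll hits in this period:\n{{#ctx.results.0.hits.hits}}- {{_source.eventName}} (doc {{_id}})\n{{/ctx.results.0.hits.hits}}",
        "lang": "mustache"
      }
    }]
  }]
}
```

Two points worth checking against your own preview: the `hits.total.relation: "gte"` in it means 10000 is only a lower bound on the count, so the example turns on `track_total_hits` for an exact value if you want to put the number in the subject line; and the Mustache loop `{{#ctx.results.0.hits.hits}} ... {{/ctx.results.0.hits.hits}}` renders nothing at all when `hits.hits` is empty, which is the silent failure you get if `size` is left at 0, even though the trigger condition on `hits.total.value` still fires. Run the extraction query in the monitor's preview again after changing `size` and confirm that `hits.hits` now contains documents before saving the trigger.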

Thanks, @qreshi, will try this out and let you know if I face any issue.