Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.13.0
Describe the issue:
I have a bucket-level monitor with the following query:

```json
{
  "size": 1,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "from": "{{period_end}}||-1h",
              "to": "{{period_end}}",
              "include_lower": true,
              "include_upper": true,
              "format": "epoch_millis",
              "boost": 1
            }
          }
        },
        {
          "match_phrase": {
            "MESSAGE": {
              "query": "*connection failed*",
              "slop": 0,
              "zero_terms_query": "NONE",
              "boost": 1
            }
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  },
  "aggregations": {
    "composite_agg": {
      "composite": {
        "size": 10,
        "sources": [
          {
            "hostname": {
              "terms": {
                "field": "hostname",
                "missing_bucket": false,
                "order": "asc"
              }
            }
          }
        ]
      }
    }
  }
}
```
The index/documents this query runs on also have a field named `MESSAGE`. I want to include that `MESSAGE` field in the notification message, but without grouping by it in the query.

`ctx.results.0.hits.hits` does not work here, because I want the `MESSAGE` field from one of the grouped-by elements and not a random `MESSAGE` field value.

Does anybody have an idea how to do that?

btw.: the new `sample_documents` would work here, but I want that not only for `newAlerts` but also for `dedupedAlerts` and `completedAlerts`, and `sample_documents` only works for `newAlerts`.
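One way to get a per-hostname `MESSAGE` without grouping by it, as an added example that is not part of the original post and not OpenSearch project code: keep the posted query and attach a `top_hits` sub-aggregation under the composite aggregation, so every `hostname` bucket carries its own newest sample document. The sub-aggregation name `sample`, the `SAMPLE_RESPONSE` data and the hostnames below are assumptions constructed for the example; the posted `range` and `match_phrase` clauses are reproduced unchanged.

```python
# Added example, not code from the original post or from the OpenSearch project.
# It keeps the posted bucket-level monitor query and adds a top_hits
# sub-aggregation under the composite aggregation so that every hostname bucket
# carries a sample document, then shows how MESSAGE is read back per bucket.
# The name "sample", SAMPLE_RESPONSE and the hostnames are assumptions.
import json

PERIOD_END = "{{period_end}}"  # Mustache placeholder, exactly as in the post


def build_query(samples_per_bucket: int = 1) -> dict:
    """Posted query plus a top_hits sub-aggregation named 'sample'."""
    return {
        "size": 0,  # top-level hits are not needed once each bucket has its own
        "query": {
            "bool": {
                "filter": [
                    {"range": {"@timestamp": {
                        "from": f"{PERIOD_END}||-1h",
                        "to": PERIOD_END,
                        "include_lower": True,
                        "include_upper": True,
                        "format": "epoch_millis",
                        "boost": 1,
                    }}},
                    # match_phrase as posted; '*' is not a wildcard in match_phrase
                    {"match_phrase": {"MESSAGE": {
                        "query": "*connection failed*",
                        "slop": 0,
                        "zero_terms_query": "NONE",
                        "boost": 1,
                    }}},
                ],
                "adjust_pure_negative": True,
                "boost": 1,
            }
        },
        "aggregations": {
            "composite_agg": {
                "composite": {
                    "size": 10,
                    "sources": [{"hostname": {"terms": {
                        "field": "hostname",
                        "missing_bucket": False,
                        "order": "asc",
                    }}}],
                },
                # Sub-aggregation: newest document(s) of each hostname bucket,
                # reduced to the fields the notification needs.
                "aggregations": {
                    "sample": {"top_hits": {
                        "size": samples_per_bucket,
                        "sort": [{"@timestamp": {"order": "desc"}}],
                        "_source": ["@timestamp", "MESSAGE"],
                    }}
                },
            }
        },
    }


def messages_per_bucket(response: dict) -> dict:
    """Map each composite bucket key (hostname) to its sampled MESSAGE values."""
    out = {}
    for bucket in response["aggregations"]["composite_agg"]["buckets"]:
        host = bucket["key"]["hostname"]
        hits = bucket["sample"]["hits"]["hits"]
        out[host] = [hit["_source"]["MESSAGE"] for hit in hits]
    return out


def render_notification(response: dict, alerting_hosts: list) -> str:
    """One line per alerting host, each with that host's own sample MESSAGE.

    alerting_hosts stands in for the bucket keys of ctx.newAlerts,
    ctx.dedupedAlerts or ctx.completedAlerts (assumed to be hostnames here).
    A host without a bucket in the response gets an explicit placeholder.
    """
    per_host = messages_per_bucket(response)
    lines = []
    for host in alerting_hosts:
        msgs = per_host.get(host)
        lines.append(f"{host}: {msgs[0] if msgs else '<no sample document>'}")
    return "\n".join(lines)


# Constructed response shaped like what the query above returns (not real data).
SAMPLE_RESPONSE = {
    "aggregations": {"composite_agg": {"buckets": [
        {"key": {"hostname": "web-01"}, "doc_count": 3, "sample": {"hits": {"hits": [
            {"_source": {"@timestamp": 1714000000000,
                         "MESSAGE": "connection failed to db-1:5432"}}]}}},
        {"key": {"hostname": "web-02"}, "doc_count": 1, "sample": {"hits": {"hits": [
            {"_source": {"@timestamp": 1714000300000,
                         "MESSAGE": "connection failed: timeout after 30s"}}]}}},
    ]}}
}

if __name__ == "__main__":
    print(json.dumps(build_query(), indent=2))
    print(render_notification(SAMPLE_RESPONSE, ["web-02", "web-09"]))
```

Because the sample travels inside the bucket rather than in the top-level `hits`, it is available for every bucket the composite aggregation returns, not only for the buckets behind `newAlerts`. In a Mustache action template the same bucket data should be reachable under `ctx.results.0.aggregations.composite_agg.buckets` and matched to each alert's `bucket_keys`; that path is an assumption to verify against the alerting plugin version in use. Two caveats: `top_hits` adds a fetch per bucket, so keep its `size` small, and `match_phrase` does not treat `*` as a wildcard (with the standard analyzer the asterisks are simply dropped, so the posted clause matches the phrase "connection failed").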