Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
1.3
Describe the issue:
Greetings OpenSearch Experts,
How do I extract the description field below when it is in the array? See samples below as I’ve tried many ways but still no results.
Sample data:
{
“_shards”: {
“total”: 10,
“failed”: 0,
“successful”: 7,
“skipped”: 0
},
“hits”: {
“hits”: [
{
“_source”: {
“srcaddr”: “xxx.xxx.xxx.xxx”,
“dstport”: “9999”,
“destination”: {
“address”: “yyy.yyy.yyy.yyy”,
“port”: “8888”,
“ip”: “yyy.yyy.yyy.yyy”
},
…
…
“event.hiking_route”: [
{
“indicator”: {
“reference”: “https://trail.com/type/ip/aaa.aaa.aaa.aaa”,
“name”: “tripping blue”,
“description”: “mountain route with great scenery”,
“modified_at”: “2023-10-12T20:22:56Z”,
“type”: “difficult”
},
“matched”: {
“field”: [
“source.ip”,
“related.ip”
]
}
}
],
…
…
I’ve tried these extraction but still get the empty results:
- Event Description: {{ctx.results.0.hits.hits.0._source.event.hiking_route.indicator.description}}
- Event Description: {{ctx.results.0.hits.hits.0._source.event.hiking_route.0.indicator.description}}
- Event Description: {{ctx.results.0.hits.hits.0._source.event.hiking_route[0].indicator.description}}
The question is how do get the “description” data inside the ctx.results.0.hits.hits.0._source.event.hiking_route.indicator?
Configuration:
Relevant Logs or Screenshots:
Greetings,
Well, I’ve figured out the alternative way to extract the fields inside {{ctx.results.0.hits.hits.0._source.*}} by using “_source” includes and excludes conditions in “Define Extraction Query”
and using {{ctx.results}} to print all “_source”“includes” fields inside the Actions Message alert. Basically, these are the steps:
- Use “_source” includes to include selected fields to be included in the results
Inside “Define Extraction Query”
{
“size”: 2, ## Make sure “size” is > 0 for the query to return _source includes fields
“query”: {
“bool”: {
“filter”: [
… "filter whatever here: time range, bool “must”, “must_not”, “should”, etc…
]
}
},
… "Include fields inside _source array to be printed out in Actions Message here
"_source": {
"includes": [
"@timestamp",
"@log_type",
"srcaddr",
"srcport",
"destination.ip",
"destination.port",
"@message",
"event.hiking_route.indicator.name",
"event.hinking_route.indicator.description"
],
"excludes": [ ]
},
"aggregations": {}
}
- Use {{ctx.results}} to print out all includes fields inside the message:
Inside Actions Message:
Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
- Trigger: {{ctx.trigger.name}}
- Severity: {{ctx.trigger.severity}}
- Period start: {{ctx.periodStart}}
- Period end: {{ctx.periodEnd}}
- Message: {{ctx.results.0.hits.hits.0._source.@message}}
- Alerts Info: {{ctx.results}}
That’s it. Simple and Easy way to see actual alerts information in the Message.