Email Alert - how do I extract fields in the array inside ctx.results.0.hits.hits.0._source

Plugins Alerting
1

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
1.3

Describe the issue:
Greetings OpenSearch Experts,

How do I extract the description field below when it is in the array? See samples below as I’ve tried many ways but still no results.
Sample data:
{
“_shards”: {
“total”: 10,
“failed”: 0,
“successful”: 7,
“skipped”: 0
},
“hits”: {
“hits”: [
{
“_source”: {
“srcaddr”: “xxx.xxx.xxx.xxx”,
“dstport”: “9999”,
“destination”: {
“address”: “yyy.yyy.yyy.yyy”,
“port”: “8888”,
“ip”: “yyy.yyy.yyy.yyy”
},


“event.hiking_route”: [
{
“indicator”: {
“reference”: “https://trail.com/type/ip/aaa.aaa.aaa.aaa”,
“name”: “tripping blue”,
“description”: “mountain route with great scenery”,
“modified_at”: “2023-10-12T20:22:56Z”,
“type”: “difficult”
},
“matched”: {
“field”: [
“source.ip”,
“related.ip”
]
}
}
],


I’ve tried these extraction but still get the empty results:

  • Event Description: {{ctx.results.0.hits.hits.0._source.event.hiking_route.indicator.description}}
  • Event Description: {{ctx.results.0.hits.hits.0._source.event.hiking_route.0.indicator.description}}
  • Event Description: {{ctx.results.0.hits.hits.0._source.event.hiking_route[0].indicator.description}}

The question is how do get the “description” data inside the ctx.results.0.hits.hits.0._source.event.hiking_route.indicator?

Configuration:

Relevant Logs or Screenshots:

2

Greetings,

Well, I’ve figured out the alternative way to extract the fields inside {{ctx.results.0.hits.hits.0._source.*}} by using “_source” includes and excludes conditions in “Define Extraction Query”
and using {{ctx.results}} to print all “_source”“includes” fields inside the Actions Message alert. Basically, these are the steps:

  1. Use “_source” includes to include selected fields to be included in the results

Inside “Define Extraction Query”
{
“size”: 2, ## Make sure “size” is > 0 for the query to return _source includes fields
“query”: {
“bool”: {
“filter”: [

… "filter whatever here: time range, bool “must”, “must_not”, “should”, etc…

]
 }

},

… "Include fields inside _source array to be printed out in Actions Message here

"_source": {
    "includes": [
        "@timestamp",
        "@log_type",
        "srcaddr",
        "srcport",
        "destination.ip",
        "destination.port",
        "@message",
    "event.hiking_route.indicator.name",
    "event.hinking_route.indicator.description"
    ],
    "excludes": [ ]
},
"aggregations": {}

}

  1. Use {{ctx.results}} to print out all includes fields inside the message:
    Inside Actions Message:
    Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
  • Trigger: {{ctx.trigger.name}}
  • Severity: {{ctx.trigger.severity}}
  • Period start: {{ctx.periodStart}}
  • Period end: {{ctx.periodEnd}}
  • Message: {{ctx.results.0.hits.hits.0._source.@message}}
  • Alerts Info: {{ctx.results}}

That’s it. Simple and Easy way to see actual alerts information in the Message.

3

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.