Email Alert - how do I extract fields in the array inside ctx.results.0.hits.hits.0._source

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:
Greetings OpenSearch Experts,

How do I extract the description field below when it is in the array? See samples below as I’ve tried many ways but still no results.
Sample data:
“_shards”: {
“total”: 10,
“failed”: 0,
“successful”: 7,
“skipped”: 0
“hits”: {
“hits”: [
“_source”: {
“srcaddr”: “”,
“dstport”: “9999”,
“destination”: {
“address”: “yyy.yyy.yyy.yyy”,
“port”: “8888”,
“ip”: “yyy.yyy.yyy.yyy”

“event.hiking_route”: [
“indicator”: {
“reference”: “”,
“name”: “tripping blue”,
“description”: “mountain route with great scenery”,
“modified_at”: “2023-10-12T20:22:56Z”,
“type”: “difficult”
“matched”: {
“field”: [

I’ve tried these extraction but still get the empty results:

  • Event Description: {{ctx.results.0.hits.hits.0._source.event.hiking_route.indicator.description}}
  • Event Description: {{ctx.results.0.hits.hits.0._source.event.hiking_route.0.indicator.description}}
  • Event Description: {{ctx.results.0.hits.hits.0._source.event.hiking_route[0].indicator.description}}

The question is how do get the “description” data inside the ctx.results.0.hits.hits.0._source.event.hiking_route.indicator?


Relevant Logs or Screenshots:


Well, I’ve figured out the alternative way to extract the fields inside {{ctx.results.0.hits.hits.0._source.*}} by using “_source” includes and excludes conditions in “Define Extraction Query”
and using {{ctx.results}} to print all “_source”“includes” fields inside the Actions Message alert. Basically, these are the steps:

  1. Use “_source” includes to include selected fields to be included in the results

Inside “Define Extraction Query”
“size”: 2, ## Make sure “size” is > 0 for the query to return _source includes fields
“query”: {
“bool”: {
“filter”: [

… "filter whatever here: time range, bool “must”, “must_not”, “should”, etc…



… "Include fields inside _source array to be printed out in Actions Message here

"_source": {
    "includes": [
    "excludes": [ ]
"aggregations": {}


  1. Use {{ctx.results}} to print out all includes fields inside the message:
    Inside Actions Message:
    Monitor {{}} just entered alert status. Please investigate the issue.
  • Trigger: {{}}
  • Severity: {{ctx.trigger.severity}}
  • Period start: {{ctx.periodStart}}
  • Period end: {{ctx.periodEnd}}
  • Message: {{ctx.results.0.hits.hits.0._source.@message}}
  • Alerts Info: {{ctx.results}}

That’s it. Simple and Easy way to see actual alerts information in the Message.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.