Email Alert - how do I extract fields in the array inside ctx.results.0.hits.hits.0._source

apaws06 · October 18, 2023, 3:52pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
1.3

Describe the issue:
Greetings OpenSearch Experts,

How do I extract the description field below when it is in the array? See samples below as I’ve tried many ways but still no results.
Sample data:
{
“_shards”: {
“total”: 10,
“failed”: 0,
“successful”: 7,
“skipped”: 0
},
“hits”: {
“hits”: [
{
“_source”: {
“srcaddr”: “xxx.xxx.xxx.xxx”,
“dstport”: “9999”,
“destination”: {
“address”: “yyy.yyy.yyy.yyy”,
“port”: “8888”,
“ip”: “yyy.yyy.yyy.yyy”
},
…
…
“event.hiking_route”: [
{
“indicator”: {
“reference”: “https://trail.com/type/ip/aaa.aaa.aaa.aaa”,
“name”: “tripping blue”,
“description”: “mountain route with great scenery”,
“modified_at”: “2023-10-12T20:22:56Z”,
“type”: “difficult”
},
“matched”: {
“field”: [
“source.ip”,
“related.ip”
]
}
}
],
…
…
I’ve tried these extraction but still get the empty results:

Event Description: {{ctx.results.0.hits.hits.0._source.event.hiking_route.indicator.description}}
Event Description: {{ctx.results.0.hits.hits.0._source.event.hiking_route.0.indicator.description}}
Event Description: {{ctx.results.0.hits.hits.0._source.event.hiking_route[0].indicator.description}}

The question is how do get the “description” data inside the ctx.results.0.hits.hits.0._source.event.hiking_route.indicator?

Configuration:

Relevant Logs or Screenshots:

apaws06 · October 23, 2023, 4:02pm

Greetings,

Well, I’ve figured out the alternative way to extract the fields inside {{ctx.results.0.hits.hits.0._source.*}} by using “_source” includes and excludes conditions in “Define Extraction Query”
and using {{ctx.results}} to print all “_source”“includes” fields inside the Actions Message alert. Basically, these are the steps:

Use “_source” includes to include selected fields to be included in the results

Inside “Define Extraction Query”
{
“size”: 2, ## Make sure “size” is > 0 for the query to return _source includes fields
“query”: {
“bool”: {
“filter”: [

… "filter whatever here: time range, bool “must”, “must_not”, “should”, etc…

]
 }

},

… "Include fields inside _source array to be printed out in Actions Message here

"_source": {
    "includes": [
        "@timestamp",
        "@log_type",
        "srcaddr",
        "srcport",
        "destination.ip",
        "destination.port",
        "@message",
    "event.hiking_route.indicator.name",
    "event.hinking_route.indicator.description"
    ],
    "excludes": [ ]
},
"aggregations": {}

}

Use {{ctx.results}} to print out all includes fields inside the message:
Inside Actions Message:
Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.

Trigger: {{ctx.trigger.name}}
Severity: {{ctx.trigger.severity}}
Period start: {{ctx.periodStart}}
Period end: {{ctx.periodEnd}}
Message: {{ctx.results.0.hits.hits.0._source.@message}}
Alerts Info: {{ctx.results}}

That’s it. Simple and Easy way to see actual alerts information in the Message.