Greetings,
Well, I’ve figured out the alternative way to extract the fields inside {{ctx.results.0.hits.hits.0._source.*}} by using “_source” includes and excludes conditions in “Define Extraction Query”
and using {{ctx.results}} to print all “_source”“includes” fields inside the Actions Message alert. Basically, these are the steps:
- Use “_source” includes to include selected fields to be included in the results
Inside “Define Extraction Query”
{
“size”: 2, ## Make sure “size” is > 0 for the query to return _source includes fields
“query”: {
“bool”: {
“filter”: [
… "filter whatever here: time range, bool “must”, “must_not”, “should”, etc…
]
}
},
… "Include fields inside _source array to be printed out in Actions Message here
"_source": {
"includes": [
"@timestamp",
"@log_type",
"srcaddr",
"srcport",
"destination.ip",
"destination.port",
"@message",
"event.hiking_route.indicator.name",
"event.hinking_route.indicator.description"
],
"excludes": [ ]
},
"aggregations": {}
}
- Use {{ctx.results}} to print out all includes fields inside the message:
Inside Actions Message:
Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
- Trigger: {{ctx.trigger.name}}
- Severity: {{ctx.trigger.severity}}
- Period start: {{ctx.periodStart}}
- Period end: {{ctx.periodEnd}}
- Message: {{ctx.results.0.hits.hits.0._source.@message}}
- Alerts Info: {{ctx.results}}
That’s it. Simple and Easy way to see actual alerts information in the Message.