Have you added the needed fields to stored_fields in a query editor?
"docvalue_fields": [
{
"field": "@timestamp",
"format": "date_time"
},
{
"field": "container.name",
"format": "string"
},
{
"field": "host",
"format": "string"
},
{
"field": "m.alert.severity",
"format": "string"
},
{
"field": "m.alert.name",
"format": "string"
},
{
"field": "m.stackTrace",
"format": "string"
}
And then you should define those field in the Action:
Monitor {{ctx.monitor.name}} just entered ALERT status. Please investigate the issue.
- Alert time: {{ctx.periodStart}}
{{#ctx.results.0.hits.hits}}
> {{_source.container.name}} - {{_source.host}} - {{_source.m.alert.severity}}
> {{_source.m.alert.name}}
> {{_source.m.stackTrace}}
{{/ctx.results.0.hits.hits}}