Hi,
My log looks like below. From that I am able to extract each filed individually while sending alert message like (_source.Records.eventID), but how can I extract complete json? like (_source.Records) but its not working.
Here is what I am passing for message under actions.
"title": "{{#ctx.results.0.hits.hits}}{{ctx.results.0.hits.hits.}}
MESSAGE: {{_source.Records.eventID}}{{/ctx.results.0.hits.hits}}"
above configuration is working but I want complete Records filed like {{_source.Records}}. How can I achieve this?
log:
{
"_index": "test",
"_type": "_doc",
"_source": {
"@timestamp": "2020-05-03T23",
"@version": "1",
"Records": {
"eventID": "abdc123",
"awsRegion": "us-east-1",
"responseElements": {
"arn": "arn",
"userId": "id",
"account": "1234"
},
"eventVersion": "1.0",
"sourceIPAddress": "0.0.0.0",
"eventSource": "sts.amazonaws.com",
"requestParameters": null,
"userAgent": "http-client",
"userIdentity": {
"sessionContext": {
"sessionIssuer": {
"accountId": "1234",
"principalId": "id",
"arn": "arn:aws:iam::",
"type": "Role",
"userName": "name"
},
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2020-03-13"
}
},
"accessKeyId": "id",
"accountId": "1234",
"principalId": "id",
"type": "AssumedRole",
"arn": "arn:aws:sts::"
},
"eventType": "AwsApiCall",
"requestID": "id",
"eventTime": "2020-03-13T",
"eventName": "Identity",
"recipientAccountId": "1234"
}