How to include message fields in the Alert Action Message for Per query monitor

OS Version: 2.11

Describe the issue:
I have built a per-query monitor in open search. This monitor includes specific data filters that are designed to activate an alert message when certain conditions are met. This monitor is fully functional and producing the expected results.
Now I would like to incorporate the message (in bold) field from the source log into the alert message. Below is the actual source log I’ll be referring to.

{ “@timestamp”: “2024-01-31T19:02:47.289Z”, “time”: “2024-01-31T19:02:47.289739655Z”, “stream”: “stderr”, “logtag”: “F”, “message”: “[31-Jan-2024 19:02:47] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it”, “kubernetes”: { “pod_name”: “XXXXX”, “namespace_name”: “XXXX”, “pod_id”: “a4a8b6a5-f829-4b72-99e6-c5305920e43c”, “labels”: { “app”: “XXXX”, “pod-template-hash”: “675d7d7988”, “zone”: “XXXX” }, “host”: “XXXXXX”, “container_name”: “web”, “docker_id”: “a4a8b6a5-f829-4b72-99e6-c5305920e43c”, “container_image”: “XXXXXXXX” } }

I attempted to retrieve the message field using ctx.results.0, which is an array containing the query result exclusively. Unfortunately, the message field was not included in the results array.

I would be very grateful if someone could kindly provide me with an example of how to accomplish this task.

Hi,

what you need is explanied here:

and here:

And I had to add this to my message-field:

“Message”:{“type”:“text”,
“fields”:{“keyword”:{“type”:“keyword”,
“ignore_above”:256}},
“fielddata”:true},

Hope, it helps.

does this also work for “per document monitor”?

Hi @Juergen,

Thanks for your response. I made some adjustments to the monitor method based on your suggestions. Specifically, I changed it from the Visual editor to the Extraction query editor. In the extraction query, I added all the fields as mentioned below:

{
“size”: 0,
“query”: {
“bool”: {
“filter”: [
{
“range”: {
“@timestamp”: {
“from”: “{{period_end}}||-1h”,
“to”: “{{period_end}}”,
“include_lower”: true,
“include_upper”: true,
“format”: “epoch_millis”,
“boost”: 1
}
}
},
{
“match_phrase”: {
“kubernetes.namespace_name”: {
“query”: “namespace_name”,
“slop”: 0,
“zero_terms_query”: “NONE”,
“boost”: 1
}
}
},
{
“query_string”: {
“query”: “CRITICAL OR ERROR OR WARNING”,
“default_field”: “message”,
“fields”: ,
“type”: “best_fields”,
“default_operator”: “or”,
“max_determinized_states”: 10000,
“enable_position_increments”: true,
“fuzziness”: “AUTO”,
“fuzzy_prefix_length”: 0,
“fuzzy_max_expansions”: 50,
“phrase_slop”: 0,
“escape”: false,
“auto_generate_synonyms_phrase_query”: true,
“fuzzy_transpositions”: true,
“boost”: 1
}
}
],
“adjust_pure_negative”: true,
“boost”: 1
}
},
“version”: true,
“_source”: {
“includes”: ,
“excludes”:
},
“stored_fields”: “*”,
“docvalue_fields”: [
{
“field”: “@timestamp”,
“format”: “date_time”
},
{
“field”: “message”,
“format”: “string”
}
]
}

I received the following response:

{
“_shards”: {
“total”: 5,
“failed”: 0,
“successful”: 5,
“skipped”: 0
},
“hits”: {
“hits”: ,
“total”: {
“value”: 1,
“relation”: “eq”
},
“max_score”: null
},
“took”: 17,
“timed_out”: false
}

Despite these changes, I’m still not getting the message field in the response. Do you think there’s something I might have missed? I would appreciate your thoughts on it.

Hi,

I struggeled at the same point. If I did it like in this post, I solved my problems:

image1084×290 24.1 KB

That’s what he explained to get the right json for a query:

image1853×578 116 KB

At part 2, create your query/filter…

And also with the field mapping from my first post …

Hi @Juergen,

It’s worked for me.

Thanks a lot !!

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.