v 1.3.2 - Dashboard
Hi all,
I have created a monitor that sends an alert to Slack every time a specific ERROR in the logs is generated, and it all works okay. The value we need in Slack is in the first line of the log.stack_trace field; however, the whole stack trace message is huge. How can I send the first line only? I have tried several things with Mustache without success, and I don’t know how to achieve this with Painless. New to these, pardon me.
This is the query:
{
  "size": 500,
  "query": {
    "bool": {
      "filter": [
        {
          "match_all": {
            "boost": 1
          }
        },
        {
          "range": {
            "log.@timestamp": {
              "from": "now-60d",
              "to": "now",
              "include_lower": true,
              "include_upper": true,
              "format": "epoch_millis",
              "boost": 1
            }
          }
        },
        {
          "match_phrase": {
            "log.stack_trace": {
              "query": "message we care about in stack trace",
              "slop": 0,
              "zero_terms_query": "NONE",
              "boost": 1
            }
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  },
  "version": true,
  "_source": {
    "includes": [
      "log.stack_trace",
      "log.@timestamp"
    ],
    "excludes": []
  },
  "sort": [
    {
      "log.@timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ]
}
And this is the message in the action section:
Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
{{#ctx.results.0.hits.hits}}
{{#_source}}
{{log.@timestamp}} - {{log.stack_trace}}
{{/_source}}{{/ctx.results.0.hits.hits}}
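One way to do this is to let the search itself compute the first line, rather than fighting Mustache (which has no string functions) or the trigger condition (which cannot change the action message). The monitor body below is an added example, not code from the original post or from the OpenSearch project: it adds a `script_fields` entry, named `first_line` here, whose Painless script cuts `log.stack_trace` at the first newline, and the Slack message then prints `{{fields.first_line.0}}` instead of the whole trace. Script-field values come back under each hit's `fields` as an array, which is why the `.0` index is needed, and the script reads `params._source` because `log.stack_trace` is a `text` field (it is queried with `match_phrase`) and `text` fields have no doc values for `doc['...']` to read. The index pattern `app-logs-*`, the monitor, trigger and action names, the schedule and the `destination_id` placeholder are assumptions; the source document is assumed to be nested (`{"log": {"stack_trace": ...}}`), which is what the original `{{log.stack_trace}}` lookup inside `{{#_source}}` already relies on.

```json
{
  "type": "monitor",
  "name": "stack-trace-first-line",
  "enabled": true,
  "schedule": { "period": { "interval": 5, "unit": "MINUTES" } },
  "inputs": [
    {
      "search": {
        "indices": ["app-logs-*"],
        "query": {
          "size": 500,
          "query": {
            "bool": {
              "filter": [
                { "range": { "log.@timestamp": { "gte": "now-60d", "lte": "now" } } },
                { "match_phrase": { "log.stack_trace": "message we care about in stack trace" } }
              ]
            }
          },
          "_source": ["log.@timestamp"],
          "script_fields": {
            "first_line": {
              "script": {
                "lang": "painless",
                "source": "String s = params._source.log?.stack_trace; if (s == null) { return ''; } int i = s.indexOf('\n'); return (i < 0 ? s : s.substring(0, i)).trim();"
              }
            }
          },
          "sort": [ { "log.@timestamp": { "order": "desc" } } ]
        }
      }
    }
  ],
  "triggers": [
    {
      "name": "error-seen",
      "severity": "1",
      "condition": {
        "script": { "lang": "painless", "source": "ctx.results[0].hits.total.value > 0" }
      },
      "actions": [
        {
          "name": "notify-slack",
          "destination_id": "<slack-destination-id>",
          "subject_template": { "source": "Monitor {{ctx.monitor.name}} alert" },
          "message_template": {
            "source": "Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.\n{{#ctx.results.0.hits.hits}}{{#_source}}{{log.@timestamp}}{{/_source}} - {{fields.first_line.0}}\n{{/ctx.results.0.hits.hits}}"
          }
        }
      ]
    }
  ]
}
```

A few notes on the choices above. The `\n` inside the Painless `source` string is decoded by the JSON parser into a real newline character before Painless sees it, so the `indexOf('\n')` call looks for an actual line break; the trailing `.trim()` also drops a `\r` if the traces use CRLF line endings. `_source` no longer needs to include `log.stack_trace`, since the script reads the raw source on its own; this keeps the search response small even with `size: 500`. Reading `params._source` re-parses the document for every hit, which is fine at this size but worth keeping in mind if the query is widened. Sending only the first line is also the safer default for a chat channel: full stack traces routinely carry internal hostnames, file paths and request parameters that do not belong in Slack.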