Hi ,
I want to know how can i add the below extraction mustache query in the action phase
Severity: {{ctx.trigger.severity}}
I want to get this information in the mail notification because i can see the " Severity: {{ctx.trigger.severity}} " where as i am not able to see other fields like source IP login username and destination IP
Please help me how can i configure this correctly
thanks
Hi @dilipchiru,
Please see our documentation specifying the fields that are available from the context variable: Monitors - Open Distro Documentation
Are you referring to ctx.username as in using Alerting + Security or are these fields something returned by your search query? If they are returned by the search query you can access them via ctx.results[0] and navigating down to your search results using . key ..
Thanks,
Lucas
My template is as below. However, {{ctx.results[0].hits.hits[0].audit_request_effective_user}} and {{ctx.results[0].hits.total}} don’t work. how to correct this issue?
Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
- Trigger: {{ctx.trigger.name}}
- Severity: {{ctx.trigger.severity}}
- User: {{ctx.results[0].hits.hits[0].audit_request_effective_user}}
- Count: {{ctx.results[0].hits.total}}
- Period start: {{ctx.periodStart}}
- Period end: {{ctx.periodEnd}}
thanks
Hi @lindahu1, as the docs note, “If you want to use the ctx.results variable in a message, use {{ctx.results.0}} rather than {{ctx.results[0]}} . This difference is due to how Mustache handles bracket notation.”
I am trying to send results data inside the Kibana Alert to Slack. In the Trigger action message dialog, I had to use {{ctx.results.0.hits.total.value}}, otherwise the message preview shows [object Object]. I only found out what kind of object it was when it was displayed in the test message sent to Slack: {value=28, relation=eq} Then again the results were not the same, the preview showed 104, while the test message showed 28.
Also, {{ctx.results.0.hits.hits}} has no display in the preview, and an empty array in the test message despite the total being more than 0.
Can anyone help? Is there anything wrong with my setup?
I’m having the same issue, using the example web log data. {{ctx.results.0.hits.hits}} is empty, in the preview as well as in the email. Did you find a solution, or does anyone know why?
{
"_shards": {
"total": 1,
"failed": 0,
"successful": 1,
"skipped": 0
},
"hits": {
"hits": [],
"total": {
"value": 6,
"relation": "eq"
},
"max_score": null
},
"took": 3,
"timed_out": false
}
Ok just figured it out, thanks to How to include document fields in query to send them with alerts? · Issue #166 · opendistro-for-elasticsearch/alerting · GitHub
My query had "size": 0" 
Hi guys I want to use my log message also part of my alert… But in the Error message part am getting empty value only… For triggering am using visual graph
can u guys help me find how to send log message via alert?
Monitor {{ctx.monitor.name}} just entered alert status.