stmx38
August 27, 2020, 9:20pm
I did a test configuration above using the ‘query’ and ‘chart’. With the ‘query’ I got all required fields in the messages, but with ‘chart’ no, like in your case. It should be investigated why - maybe it is not supported at all.
For your case you can create a test Monitor with the following data:
Query
```json
{
  "size": 1000,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "from": "{{period_end}}||-10h",
              "to": "{{period_end}}",
              "include_lower": true,
              "include_upper": true,
              "format": "epoch_millis",
              "boost": 1
            }
          }
        },
        {
          "match_phrase": {
            "product": {
              "query": "*Mobile Access*",
              "slop": 0,
              "zero_terms_query": "NONE",
              "boost": 1
            }
          }
        },
        {
          "match_phrase": {
            "status": {
              "query": "failure",
              "slop": 0,
              "zero_terms_query": "NONE",
              "boost": 1
            }
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  },
  "aggregations": {}
}
```
And then create a Trigger with the alert and use ctx iteration in the message.
Thanks @stmx38 !!
This actually solved it
I really appreciate your time and help.
Best regards.
Hey @stmx38
Could you kindly assist me with writing a query for a monitor that uses more than two terms, one of which is “NOT” X? For example:
This is what I wrote (as far as I understand how it should work):
```json
{
  "size": 1000,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "from": "{{period_end}}||-1m",
              "to": "{{period_end}}",
              "include_lower": true,
              "include_upper": true,
              "format": "epoch_millis",
              "boost": 1
            }
          }
        },
        {
          "match_phrase": {
            "product": {
              "query": "*IPS*",
              "slop": 0,
              "zero_terms_query": "NONE",
              "boost": 1
            }
          }
        },
        {
          "match_phrase": {
            "not action": {
              "query": "*drop*",
              "slop": 0,
              "zero_terms_query": "NONE",
              "boost": 1
            }
          }
        },
        {
          "match_phrase": {
            "dst": {
              "query": "10.10.10.10",
              "slop": 0,
              "zero_terms_query": "NONE",
              "boost": 1
            }
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  },
  "aggregations": {}
}
```
Is that correct?
Also, is there an easy-to-understand documentation on writing queries?
Thanks again!
stmx38
August 28, 2020, 7:50pm
Your filter in KQL looks like:
```
product: "*IPS*" AND dst: "172.16.11.1" AND NOT action: "drop"
```
In the full-text query it may look like this one:
```json
{
  "size": 1000,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "from": "{{period_end}}||-1m",
              "to": "{{period_end}}",
              "include_lower": true,
              "include_upper": true,
              "format": "epoch_millis",
              "boost": 1
            }
          }
        },
        {
          "match_phrase": {
            "product": {
              "query": "*IPS*",
              "slop": 0,
              "zero_terms_query": "NONE",
              "boost": 1
            }
          }
        },
        {
          "match_phrase": {
            "dst": {
              "query": "172.16.11.1",
              "slop": 0,
              "zero_terms_query": "NONE",
              "boost": 1
            }
          }
        }
      ],
      "must_not": [
        {
          "match": {
            "action": {
              "query": "*drop*",
              "prefix_length": 0,
              "max_expansions": 50,
              "fuzzy_transpositions": true,
              "lenient": false,
              "zero_terms_query": "NONE",
              "auto_generate_synonyms_phrase_query": true,
              "boost": 1
            }
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  },
  "aggregations": {}
}
```
In Discover we can see our current query in the full-text form under Inspect --> Request.
Some additional documentation can be found here:
Full-text queries
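The translation stmx38 makes above, from the KQL line to a bool query whose NOT term lives in must_not, done programmatically as an added example (not code from the thread): a small parser for flat KQL conjunctions of field: "value" terms. Using match_phrase for the negated term and the helper name kql_to_bool are my choices, not the thread's.

```python
import re

# Flat KQL-style conjunction of field: "value" terms joined by AND, each
# optionally prefixed with NOT, as in the thread's filter line. Anything else
# (OR, parentheses, bare words) is rejected rather than silently mistranslated.
TERM = re.compile(r'^(NOT\s+)?([\w.@]+)\s*:\s*"([^"]*)"$')

def kql_to_bool(kql, window="-1m"):
    # Range filter over the monitor period (same template variables the
    # thread uses), then one match_phrase per term. NOT terms go into
    # must_not; writing the negation into the field name ("not action")
    # would filter on a field that does not exist.
    filters = [{"range": {"@timestamp": {
        "from": "{{period_end}}||" + window, "to": "{{period_end}}",
        "include_lower": True, "include_upper": True, "format": "epoch_millis"}}}]
    must_not = []
    for raw in re.split(r"\s+AND\s+", kql.strip()):
        m = TERM.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported term: {raw!r}")
        negated, field, value = m.groups()
        (must_not if negated else filters).append(
            {"match_phrase": {field: {"query": value}}})
    bool_q = {"filter": filters}
    if must_not:
        bool_q["must_not"] = must_not
    return {"size": 1000, "query": {"bool": bool_q}, "aggregations": {}}

if __name__ == "__main__":
    import json
    print(json.dumps(kql_to_bool(
        'product: "*IPS*" AND dst: "172.16.11.1" AND NOT action: "drop"'), indent=2))
```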
stmx38
August 28, 2020, 8:08pm
On the screen you provided I see 3 conditions, and it looks like it is done in the process of the Monitor definition.
In my Kibana I didn’t find a way to configure more than one condition:
How did you do it?
Hey @stmx38 ,
Thanks!
Regarding the 3 conditions,
I just typed it in the last box, it was working and showed hits.
Regarding the full-text query of:
```
product: "IPS" AND dst: "x.x.x.x" AND NOT action: "drop"
```
If I want to write “contains” instead of “is”, what do I need to change in the code above?
Thanks again, much appreciation.
stmx38
August 29, 2020, 3:40pm
Will this work?
contains:
```json
"product": { "query": "*IPS*" }
```
is:
```json
"dst": { "query": "10.10.10.10" }
```
Serge
September 1, 2020, 6:42am
Hi folks.
JFYI: in the Discover tab you can set up all the filters you need in the Alert. Then you can click “Inspect” - “Request”, copy the request and modify it.
Hi there,
I know some time has now passed, but I believe the issue with using the visual graph to define the query is that it sets the return size to 0, so there is no result set to iterate over. However, there is no option to change this from the graph page.
If you define the query with the visual graph and then switch to the extraction query, you can alter the `"size": 0` to `"size": 1000` and you should see the result set come back in the “hits”.
It is annoying that this seems to be the default behavior when using the visual method.
You can see exactly what is being stored when using the visual graph by using:
```
GET _opendistro/_alerting/monitors/<monitor_id>
```
I know even more time has passed, but I just created an account to thank you for this post, which ended hours of me pulling my hair out in attempts to solve this puzzle. Thank you so much.
chidex
November 10, 2021, 1:50pm
I have struggled with this alert thing with mustache for months, with no clear examples in the documentation to guide me, but stumbling into this saved the months. Thanks a lot stmx38
pitch
December 4, 2021, 9:06pm
This information is absolutely missing in the OpenSearch documentation.
I can’t remember reading about the ctx _source.
Earlier, when getting in touch with open source projects, it was mostly RTFM.
Sadly, today it looks like it’s RTFC.
That’s not user-friendly.
What happened?
kudos @stmx38
divyank
December 7, 2021, 12:06pm
Hi All and @stmx38,
Thanks for sharing your observations here.
I am able to get values by using the below mustache, but math operations are not performed on it. I don’t have null values in the trigger condition.
mustache:
```
- Trigger: {{ctx.trigger.name}}
- Severity: {{ctx.trigger.severity}}
- Period {{ctx.periodStart}} - {{ctx.periodEnd}}
- Period start: {{ctx.periodStart}}
- Period end: {{ctx.periodEnd}}
- Total logs: {{ctx.track_total_hits}}
-Total Logs: {{ctx.results.0.hits.total.value}}
-Undelivered Logs:{{ctx.results.0.aggregations.when.sum_other_doc_count}}
-Hi : {{ctx.results.0.hits.total.value}} - {{ctx.results.0.aggregations.when.sum_other_doc_count}}
-Delivered Logs: {{ctx.results.0.hits.total.value}}/{{ctx.results.0.aggregations.when.sum_other_doc_count}}
```
output:
```
- Trigger: Undelivered Message Alert
- Severity: 1
- Period 2021-12-07T11:40:43Z - 2021-12-07T11:41:43Z
- Period start: 2021-12-07T11:40:43Z
- Period end: 2021-12-07T11:41:43Z
- Total logs:
-Total Logs: 277502
-Undelivered Logs:48584
-Hi : 277502 - 48584
-Delivered Logs: 277502/48584
```
stmx38
December 7, 2021, 5:31pm
Hello @divyank, what do you mean by math operations?
-Delivered Logs: 277502/48584
Should be like this?
-Delivered Logs: 5.7
277502 / 48584 ~ 5.7
divyank
December 7, 2021, 5:37pm
Yes @stmx38, like addition, subtraction, etc.
stmx38
December 7, 2021, 6:01pm
Maybe something like this?
{{ ctx.results.0.hits.total.value / ctx.results.0.aggregations.when.sum_other_doc_count }}
divyank
December 7, 2021, 6:41pm
I checked with it, but it’s showing blank values; maybe math operations are not possible in mustache.
```
- Hi: {{ ctx.results.0.hits.total.value / ctx.results.0.aggregations.when.sum_other_doc_count }}
```
Output:
```
- Hi:
```
@lehner.angelica Hi, I am new to ELK, using Open Distro Kibana, and trying to send email alerts using custom webhooks as the destination. Could you please help me in configuring a custom webhook using an SMTP server?
Much appreciated
Hi Angelica,
Good day to you… I’m kinda stuck on an issue you once faced while creating alerts in Open Distro Kibana.
Basically, I’m trying to get the message to come along with the alert when it’s triggered:
```
{{#ctx.results.0.hits.hits}}
Username: {{_source.user}}
{{/ctx.results.0.hits.hits}}
```
I tried this and it did not work… Any advice on how you fixed it? I’m using the extraction query to create the alert.
@shaimoh Share your query and the response which you used to extract, because recently I did it; if I know, I will help you with this…
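The ctx iteration stmx38 recommends, the size 0 problem noted above, and the blank output of {{ a / b }} reported by divyank, worked through in one added example (not code from the thread): a minimal mustache-section renderer run over a constructed trigger context. The sample ctx values and the renderer itself are constructed for illustration and do not reproduce the Alerting plugin's own template engine.

```python
import re

# Constructed ctx as the monitor hands it to a trigger (shape per the thread,
# values made up). With "size": 0 hits.hits is empty though hits.total.value is 2.
CTX_WITH_HITS = {"trigger": {"name": "Failed access"}, "results": [{"hits": {
    "total": {"value": 2},
    "hits": [{"_source": {"user": "alice"}}, {"_source": {"user": "bob"}}]}}]}
CTX_SIZE_ZERO = {**CTX_WITH_HITS, "results": [{"hits": {"total": {"value": 2}, "hits": []}}]}
TEMPLATE = """Trigger: {{ctx.trigger.name}}, {{ctx.results.0.hits.total.value}} hits
{{#ctx.results.0.hits.hits}}
Username: {{_source.user}}
{{/ctx.results.0.hits.hits}}
Ratio: {{ ctx.results.0.hits.total.value / ctx.results.0.aggregations.when.sum_other_doc_count }}"""
TAG = re.compile(r"\{\{\s*(#?)\s*([^{}]*?)\s*\}\}")

def lookup(path, scopes):
    # Dotted name resolved against the scope stack, innermost scope first;
    # digits index into lists. A name that does not resolve yields None.
    for cur in reversed(scopes):
        for part in path.split("."):
            if isinstance(cur, dict) and part in cur:
                cur = cur[part]
            elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
                cur = cur[int(part)]
            else:
                break
        else:
            return cur
    return None

def render(template, ctx):
    # Logic-less rendering: {{#name}}...{{/name}} repeats its body once per list
    # item; {{name}} is looked up, never evaluated, so "{{ a / b }}" is just an
    # unknown name and renders as "" (standalone section lines are not trimmed).
    def walk(tpl, scopes):
        out, pos = [], 0
        while (m := TAG.search(tpl, pos)):
            out.append(tpl[pos:m.start()])
            kind, name = m.groups()
            if kind == "#":
                end = re.search(r"\{\{\s*/\s*" + re.escape(name) + r"\s*\}\}", tpl[m.end():])
                val = lookup(name, scopes)
                items = val if isinstance(val, list) else ([val] if val else [])
                out.extend(walk(tpl[m.end():m.end() + end.start()], scopes + [it]) for it in items)
                pos = m.end() + end.end()
            else:
                out.append(str(v) if (v := lookup(name, scopes)) is not None else "")
                pos = m.end()
        return "".join(out) + tpl[pos:]
    return walk(template, [{"ctx": ctx}])
```

Running `render(TEMPLATE, CTX_WITH_HITS)` lists both usernames, while `render(TEMPLATE, CTX_SIZE_ZERO)` still shows 2 hits in the header but renders no Username lines at all; the Ratio line is empty in both cases.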