Unable to access Documents Fields (Per Document Monitor Alerts)

Hello, I am using the latest version of OpenSearch and OpenSearch Dashboards. My goal is to check if each document indexed in a specified index pattern matches a specific field, and if it does, send an alert to a custom webhook.

I configured the monitor as follows:

My query is:
{
  "description": "",
  "queries": [
    {
      "id": "4a4d4a18-8776-4564-a43f-dcc699d29c04",
      "name": "Detect_alert",
      "fields": [],
      "query": "EventType:\"alert\"",
      "tags": [],
      "query_field_names": []
    }
  ]
}

My trigger condition is:
query[name=Detect_alert]

And as an action I send an alert to a custom webhook with the message:
{
  "test": "test"
}

All good so far. I am receiving the POST requests correctly on my custom webhook for every document that meets the conditions. However, I would like to include some data from each document, such as the fields ["Message", "DeviceId", etc.], in the message sent to the webhook. Looking at the Trigger Info results, I noticed that the results only contain the document's id along with its index.

"results": [
  {
    "4a4d4a18-8776-4564-a43f-dcc699d29c04": [
      "Bte72pAB5TTZtaAgM7Vj|topic-wifi",
      "Bde72pAB5TTZtaAgM7Vh|topic-wifi",
      "BNe72pAB5TTZtaAgM7Vf|topic-wifi",
      "A9e72pAB5TTZtaAgM7Ve|topic-wifi",
      "Ade62pAB5TTZtaAgvbWI|topic-wifi",
      "ANe62pAB5TTZtaAgvbWI|topic-wifi",
      "_9e62pAB5TTZtaAgvbSI|topic-wifi",
      "_te62pAB5TTZtaAgvbSI|topic-wifi",
      "_de62pAB5TTZtaAgvbSD|topic-wifi",
      "-9e62pAB5TTZtaAgRrTf|topic-wifi",
      "-te62pAB5TTZtaAgRrTe|topic-wifi",
      "-Ne62pAB5TTZtaAgRrTc|topic-wifi",
      "-de62pAB5TTZtaAgRrTc|topic-wifi", …
    ]
  }
]

Is there a way to include the document information and use their fields to send additional data to my webhook?

For example, send a message like:
{{#ctx.results}}
{
  "Alert on": {{$query_id.$document_that_triggered_the_alert.DeviceId}},
  "Message": {{$query_id.$document_that_triggered_the_alert.Message}}
}
{{/ctx.results}}

I apologize if this issue has already been addressed. If so, could you please direct me to the previous solutions?

Thank you!

You are close with your message template.

The document can be extracted using the mustache array syntax.

{{#ctx.alerts}}
  {{#sample_documents}}
  {{/sample_documents}}
{{/ctx.alerts}}

However, there is an issue: mustache indexes don’t work.

{{^-last}}, {{/-last}}

If this worked, it would say only to put a comma if this is not the last iteration.

Because your alert will have multiple documents, you need a comma between them, which means the result is not valid JSON. I have my webhook sent as text/html and then run a regular expression at the other end to remove any stray commas and make the string valid JSON.

{
  "alerts": {
    "triggerId": "{{ctx.trigger.id}}",
    "triggerName": "{{ctx.trigger.name}}",
    "lastUpdate": "{{ctx.last_update_time}}",
    "periodStart": "{{ctx.periodStart}}",
    "periodEnd": "{{ctx.periodEnd}}",
    "documents": [
      {{#ctx.alerts}}
        {{#sample_documents}}
          {
            "index": "{{_index}}",
            "documentId": "{{_id}}",
            "timestamp": "{{_source.@timestamp}}",
            "event": {
              "nodeId": "{{_source.event.nodeId}}",
              "filespace": "{{_source.event.filespace}}",
              "filespaceUuid": "{{_source.event.filespaceUuid}}"
            }
          },
        {{/sample_documents}}
      {{/ctx.alerts}}
    ]
  }
}
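The stray-comma cleanup that the reply performs at the receiving end, as an added Python example (not code from either poster or from OpenSearch). It tracks JSON string literals so that a comma inside a document field value, such as a Message, is not mistaken for the trailing comma the template leaves behind; the payload text is a constructed rendering of the template above with two sample documents.

```python
import json

# Constructed sample of what the reply's template renders to for an alert
# carrying two sample documents. The comma after the last document is the
# artefact of mustache having no working {{^-last}} check, so this text is
# not yet valid JSON.
RENDERED_PAYLOAD = """{
  "alerts": {
    "triggerName": "Detect_alert",
    "documents": [
      {"index": "topic-wifi", "documentId": "Bte72pAB5TTZtaAgM7Vj",
       "event": {"nodeId": "n1", "msg": "value with , ] inside"}},
      {"index": "topic-wifi", "documentId": "Bde72pAB5TTZtaAgM7Vh",
       "event": {"nodeId": "n2", "msg": "plain"}},
    ]
  }
}"""


def strip_trailing_commas(text: str) -> str:
    """Drop commas followed only by whitespace and a closing ] or }.

    A bare regex such as ',\\s*([\\]}])' would also rewrite ",]" inside a
    string value (e.g. a Message field), so string literals are tracked and
    their contents are copied through untouched.
    """
    out, in_string, escaped = [], False, False
    for i, ch in enumerate(text):
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == ",":
            rest = text[i + 1:].lstrip()
            if rest[:1] in ("]", "}"):
                continue  # trailing comma: drop it, keep the whitespace
        out.append(ch)
    return "".join(out)


def parse_webhook_payload(text: str) -> dict:
    """Repair the rendered template and load it as a dict."""
    return json.loads(strip_trailing_commas(text))
```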