Alert should message not only value trigged but also query resulting dataset with fields info

Please help me I need to message after trigger is done
not only value like this
return ctx.results[0].aggregations.when.value == null ? false : ctx.results[0].aggregations.when.value > 1000

but also contents of fields of query resulting dataset from monitor
from which this trigger made alert

how to do this how to show which response was

when I use discover with the same query i see
the result of the dataset of strings that caused this trigger to act

but how to do this programmatically to show all resulting datasets with fields in monitor
as we see for example in SQL query result

Hey @anatoli,

Correct me if I’ve misunderstood but it looks like you want both the Trigger condition source and the query results the Trigger evaluated on in your Alert message?

The query results will be available as ctx.results[0] in the message mustache template. As for the Trigger condition source it’s supposed to be something like ctx.monitor.inputs.search.query but is currently not supported. This is a discrepancy captured in this GitHub issue and we do plan on supporting it.

you will have the results in the context object. Trigger condition needs to be boolean. should it perform the action or not.

once in action you can use mustache templates to show what ever you need from context object. below link has some examples