Alerting Query not working in Elasticsearch Kibana Open Distro

I am unable to get the result set for the Wazuh logs coming in, in my alerting queries.

I am just trying to see if logs are there and alert on the eventName using the Mustache query.

Alerts go to a Slack channel.

This is my Monitor Extraction Query Response preview:
{
"_shards": {
"total": 366,
"failed": 0,
"successful": 366,
"skipped": 0
},
"hits": {
"hits": ,
"total": {
"value": 10000,
"relation": "gte"
},
"max_score": null
},
"took": 103,
"timed_out": false
}

This is my Trigger condition:
ctx.results[0].hits.total.value > 0

In the screenshot, I have the data which I am alerting on.

Hi @schauhan,

The inner hits object is an array so you would have to specify the index if you wanted to access a particular search hit:

{{ctx.results.0.hits.hits.0.data.aws.eventName}}

Or if you wanted to iterate through all of your hits and get that field for each one you could do:

{{#ctx.results.0.hits.hits}}
  {{_source.data.aws.eventName}}
{{/ctx.results.0.hits.hits}}

Assuming you’re looking for those fields under the _source of the results, in which case, you’d want to add that in either case.
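To make the answer above concrete, here is an added example (not code from the thread, and not the plugin's own Mustache engine) that renders the two templates against a constructed `ctx` shaped like the response preview in the question. It uses a small Mustache subset written for this example (dotted paths, numeric list indexes, and `{{#section}}...{{/section}}` iteration with Mustache's context stack), and the sample hits, index name and event names are invented. It shows why the `_source` segment matters: without it the path resolves to nothing and Mustache renders an empty string, so the Slack message silently arrives blank even though the trigger fired.

```python
import re
from typing import Any, List

# Constructed sample of what the alerting plugin exposes as `ctx` for a monitor
# with one search input. Shape follows the question's response preview; the
# hit documents, index name and eventName values are invented for this example.
SAMPLE_CTX = {
    "results": [
        {
            "_shards": {"total": 366, "failed": 0, "successful": 366, "skipped": 0},
            "hits": {
                "total": {"value": 10000, "relation": "gte"},
                "max_score": None,
                "hits": [
                    {"_index": "wazuh-alerts-sample", "_id": "1",
                     "_source": {"data": {"aws": {"eventName": "ConsoleLogin"}}}},
                    {"_index": "wazuh-alerts-sample", "_id": "2",
                     "_source": {"data": {"aws": {"eventName": "CreateUser"}}}},
                ],
            },
            "took": 103,
            "timed_out": False,
        }
    ]
}

SECTION_RE = re.compile(r"\{\{#([\w.]+)\}\}(.*?)\{\{/\1\}\}", re.DOTALL)
VAR_RE = re.compile(r"\{\{([\w.]+)\}\}")


def lookup(data: Any, path: str) -> Any:
    """Resolve a dotted Mustache path; numeric segments index into lists.
    A missing key or out-of-range index yields None (rendered as "")."""
    cur = data
    for seg in path.split("."):
        if isinstance(cur, list) and seg.isdigit():
            idx = int(seg)
            cur = cur[idx] if idx < len(cur) else None
        elif isinstance(cur, dict):
            cur = cur.get(seg)
        else:
            return None
        if cur is None:
            return None
    return cur


def resolve(stack: List[Any], path: str) -> Any:
    """Walk the context stack innermost-first, as Mustache does inside a section."""
    for ctx in reversed(stack):
        val = lookup(ctx, path)
        if val is not None:
            return val
    return None


def _render(template: str, stack: List[Any]) -> str:
    def expand_section(m: "re.Match[str]") -> str:
        val = resolve(stack, m.group(1))
        if not val:
            return ""  # falsy/missing section: render nothing
        items = val if isinstance(val, list) else [val]
        return "".join(_render(m.group(2), stack + [item]) for item in items)

    def expand_var(m: "re.Match[str]") -> str:
        val = resolve(stack, m.group(1))
        return "" if val is None else str(val)

    return VAR_RE.sub(expand_var, SECTION_RE.sub(expand_section, template))


def render(template: str, root: dict) -> str:
    """Render a Mustache-subset template against a root context."""
    return _render(template, [root])


def trigger_fires(ctx: dict) -> bool:
    """The trigger condition from the question, evaluated in Python."""
    return ctx["results"][0]["hits"]["total"]["value"] > 0


# Message templates: the path without _source, the corrected one, and the loop form.
MESSAGE_WITHOUT_SOURCE = "{{ctx.results.0.hits.hits.0.data.aws.eventName}}"
MESSAGE_WITH_SOURCE = "{{ctx.results.0.hits.hits.0._source.data.aws.eventName}}"
MESSAGE_ALL_HITS = (
    "{{#ctx.results.0.hits.hits}}{{_source.data.aws.eventName}}\n{{/ctx.results.0.hits.hits}}"
)


def demo() -> dict:
    root = {"ctx": SAMPLE_CTX}  # templates reference the response as ctx.results...
    return {
        "fires": trigger_fires(SAMPLE_CTX),
        "without_source": render(MESSAGE_WITHOUT_SOURCE, root),  # ""
        "with_source": render(MESSAGE_WITH_SOURCE, root),        # "ConsoleLogin"
        "all_hits": render(MESSAGE_ALL_HITS, root),              # one name per line
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Two things worth checking when a message comes out empty: first, that the field path includes `_source` (the `hits.hits` entries are whole search hits, not documents); second, that the extraction query actually returns hits at all, since a query with `"size": 0` leaves `hits.hits` empty while `hits.total` still satisfies `> 0`. Also note that `"relation": "gte"` with `"value": 10000` means the count is a lower bound (Elasticsearch stops counting at 10,000 by default), which is fine for a `> 0` trigger but not for thresholds above that.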

Thanks, @qreshi will try this out and let you know if I face any issue.