Alerts and Aggregation name

Hi All!
I have created a few new alerts, using Metricbeat as a source.
I used the following parameters:
Monitor type: Per bucket monitor
Schedule: Every 3 minutes
I used the host.id or the host.name as the group by parameter. (I tried various combinations.)

The alert successfully catches the events; however, even though I have multiple hosts sending the data, the host.id/host.name/host.hostname column is always empty, as you can see in the attached screenshots.

If I check this in the alerting API (GET _plugins/_alerting/monitors/alerts), the API properly shows the bucket name with the hostname:

```json
"bucket" : {
  "doc_count" : 3092,
  "avg_system_cpu_system_norm_pct" : {
    "value" : 0.4892820512820513
  },
  "key" : {
    "host.hostname" : "kube.ucs.local"
  }
}
```

Or with multiple group by parameters:

```json
"bucket" : {
  "doc_count" : 518,
  "avg_system_cpu_system_norm_pct" : {
    "value" : 0.3834153846153846
  },
  "key" : {
    "host.hostname" : "WIN-CESRKKF4EO5",
    "host.id" : "d7068737-5756-445e-a12d-333eb81a7f8f"
  }
}
```

Am I doing something wrong, or is it a bug in the UI?

Hi @szultan,

From the attached image and sample responses, it looks like there may be a field called host.name and a field called host.hostname (host.hostname being the desired field to alert on in this case). Judging from the column name in the attached image, the table seems to be trying to display the values associated with the host.name field, which isn’t present in the provided API responses. When defining the group by parameters in the Query section of the Create Monitor UI, do you see both host.name and host.hostname as options in the dropdown menu?

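The mismatch described in the reply above (the table reading host.name while the alert buckets are keyed on host.hostname) can be checked directly against the alerting API output. The following is an added example, not code from the thread or from the OpenSearch Alerting plugin: it walks a response looking for bucket objects, lists which group-by fields actually occur in their keys, and reports which display columns would stay empty. The sample response is constructed from the two bucket fragments quoted in the thread; the surrounding "alerts"/"agg_alert_content" wrapper is an assumption about the response shape, which is why the walker searches recursively for any "bucket" object with a "key" sub-object rather than relying on a fixed path.

```python
import json

# Constructed sample, modelled on the two bucket fragments quoted in the thread.
# The "alerts" / "agg_alert_content" wrapper is an ASSUMPTION about the shape of
# GET _plugins/_alerting/monitors/alerts, not taken from the thread itself.
SAMPLE_RESPONSE = json.dumps({
    "alerts": [
        {"monitor_name": "cpu-per-host", "state": "ACTIVE",
         "agg_alert_content": {"bucket": {
             "doc_count": 3092,
             "avg_system_cpu_system_norm_pct": {"value": 0.4892820512820513},
             "key": {"host.hostname": "kube.ucs.local"}}}},
        {"monitor_name": "cpu-per-host", "state": "ACTIVE",
         "agg_alert_content": {"bucket": {
             "doc_count": 518,
             "avg_system_cpu_system_norm_pct": {"value": 0.3834153846153846},
             "key": {"host.hostname": "WIN-CESRKKF4EO5",
                     "host.id": "d7068737-5756-445e-a12d-333eb81a7f8f"}}}},
    ],
    "totalAlerts": 2,
})


def iter_buckets(node):
    """Recursively yield every object that looks like an aggregation bucket:
    a "bucket" dict carrying a "key" dict with the group-by values.
    Searching recursively avoids depending on the exact wrapper structure."""
    if isinstance(node, dict):
        bucket = node.get("bucket")
        if isinstance(bucket, dict) and isinstance(bucket.get("key"), dict):
            yield bucket
        for value in node.values():
            yield from iter_buckets(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_buckets(item)


def group_by_fields(response_json):
    """Return the set of group-by field names that actually occur in bucket keys."""
    fields = set()
    for bucket in iter_buckets(json.loads(response_json)):
        fields.update(bucket["key"].keys())
    return fields


def check_display_fields(response_json, display_fields):
    """Compare the fields a table column expects against the fields the alerts carry.
    Returns (present, missing); a missing field renders as an empty column."""
    actual = group_by_fields(response_json)
    present = sorted(f for f in display_fields if f in actual)
    missing = sorted(f for f in display_fields if f not in actual)
    return present, missing


def bucket_rows(response_json, field):
    """Flatten the alerts into (key value, doc_count, metric) rows for one
    group-by field, using None where a bucket has no value for that field."""
    rows = []
    for bucket in iter_buckets(json.loads(response_json)):
        metric = bucket.get("avg_system_cpu_system_norm_pct", {}).get("value")
        rows.append((bucket["key"].get(field), bucket["doc_count"], metric))
    return rows


if __name__ == "__main__":
    present, missing = check_display_fields(SAMPLE_RESPONSE, ["host.name", "host.hostname"])
    print("group-by fields present in alerts:", sorted(group_by_fields(SAMPLE_RESPONSE)))
    print("columns that will populate:", present)
    print("columns that will stay empty:", missing)
    for row in bucket_rows(SAMPLE_RESPONSE, "host.hostname"):
        print(row)
```

To run it against a live cluster, replace SAMPLE_RESPONSE with the body returned by the alerts endpoint; if host.name shows up under "missing" while host.hostname is "present", the empty column comes from the column/key mismatch rather than from the monitor failing to group.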

Hi @AWSHurneyt!

The host.hostname and host.name are present in every document in that index.
When I pull the alert over API I can even see it in the API response. (The attached example is from an alert where only the host.hostname was added as a group by parameter for the bucket)
So that was the reason I thought that this is a bug on the UI.

Currently, I don’t have access to the cluster, but I will check it when I can and confirm whether I can find them in the dropdown menu. (But off the top of my head, it was listed there.)

Hi @szultan,

Sounds good! My thought is that if you select the host.hostname option from the dropdown menu, instead of host.name, the Alerts table should display a column that populates with data from the host.hostname field.