Empty log message in alert

In some cases notifications don't contain the log error body (timestamp, error text, etc.).

{
    "query": {
        "bool": {
            "filter": [
                {
                    "bool": {
                        "filter": [
                            {
                                "multi_match": {
                                    "query": "integration",
                                    "fields": [],
                                    "type": "phrase",
                                    "operator": "OR",
                                    "slop": 0,
                                    "prefix_length": 0,
                                    "max_expansions": 50,
                                    "lenient": true,
                                    "zero_terms_query": "NONE",
                                    "auto_generate_synonyms_phrase_query": true,
                                    "fuzzy_transpositions": true,
                                    "boost": 1
                                }
                            },
                            {
                                "multi_match": {
                                    "query": "ERROR",
                                    "fields": [],
                                    "type": "phrase",
                                    "operator": "OR",
                                    "slop": 0,
                                    "prefix_length": 0,
                                    "max_expansions": 50,
                                    "lenient": true,
                                    "zero_terms_query": "NONE",
                                    "auto_generate_synonyms_phrase_query": true,
                                    "fuzzy_transpositions": true,
                                    "boost": 1
                                }
                            }
                        ],
                        "adjust_pure_negative": true,
                        "boost": 1
                    }
                },
                {
                    "range": {
                        "@timestamp": {
                            "from": "now-5m",
                            "to": null,
                            "include_lower": true,
                            "include_upper": true,
                            "boost": 1
                        }
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    },
    "sort": [
        {
            "@timestamp": {
                "order": "desc"
            }
        }
    ]
}

and the trigger:

{
    "title": "{{#ctx.results.0.hits.hits}}{{ctx.results.0.hits.hits.}}
<FONT size=3>LOG FILE: {{_source.log.file.path}}<br>
<FONT size=3>TIMESTAMP: {{_source.javalog.timestamp}}<br>
<FONT size=3>CLASS: {{_source.javalog.class}}<br><pre>
<FONT size=3>MESSAGE: {{_source.javalog.message}}</pre><br><br>{{/ctx.results.0.hits.hits}}",
    "text": "Logged error(s) in  environment"
}

Expected result:

LOG FILE: /server.log
TIMESTAMP: 2020-02-25 21:35:12,504
CLASS: com.integrations.restapi.OrderService

MESSAGE: com.integrations.restapi.

Actual result:

LOG FILE: /server.log
TIMESTAMP:
CLASS:

MESSAGE:

Hi @Serge,

My mustache skills are rusty, but do you need the {{ctx.results.0.hits.hits.}} next to the # beginning the for loop in title? I believe you can just refer to the current item. Just wondering if that’s screwing up the template parsing.

Otherwise can you check a time when this happened and look at the document(s) that triggered this and paste the document source (anonymized) so I can see the structure.

Thanks

I've found it.
Mistake in the grok pattern. The "$" sign in the message was not parsed.
Please close this topic.
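The failure mode Serge diagnoses, as an added example that is not part of the original thread and not code from Elasticsearch, Logstash or the alerting plugin: a grok-style pattern that does not allow "$" in the Java class name silently fails on a line logged from an inner class, the indexed document then has no javalog.* fields, and a mustache template that references those fields renders them blank while the log file path (which comes from a different field) still appears. The sample log lines, the "before" and "after" patterns, the index path and the minimal mustache-style renderer are all assumptions constructed here; the actual grok pattern from the thread is not shown on the page.

```python
import re

# Constructed sample lines (not from the thread). The second one carries a '$'
# in the class name, as Java emits for inner and anonymous classes. Both
# contain the phrases "integration" and "ERROR" that the monitor query filters on.
SAMPLE_LOG_LINES = [
    "2020-02-25 21:35:12,504 ERROR [com.integrations.restapi.OrderService] "
    "integration failed: order 42",
    "2020-02-25 21:35:13,011 ERROR [com.integrations.restapi.OrderService$1] "
    "integration failed: order 43",
]

# Grok-style patterns written as Python named-group regexes (hypothetical).
_PREFIX = (
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) "
)
_SUFFIX = r"\] (?P<message>.*)$"

# "Before": the class-name character class has no '$', so the second line
# never matches and no javalog.* fields are produced for it.
BROKEN_PATTERN = re.compile(_PREFIX + r"\[(?P<class>[A-Za-z_][A-Za-z0-9_.]*)" + _SUFFIX)

# "After": '$' is allowed in the class name, matching what Java actually logs.
FIXED_PATTERN = re.compile(_PREFIX + r"\[(?P<class>[A-Za-z_$][A-Za-z0-9_.$]*)" + _SUFFIX)


def grok(line, pattern, path="/server.log"):
    """Build the document a grok filter would index for one log line.

    On a match the named groups become 'javalog.*' fields. On a miss the
    document keeps only the raw message and the file path and gets the
    '_grokparsefailure' tag, which is exactly the shape that leaves the
    alert's TIMESTAMP/CLASS/MESSAGE lines blank.
    """
    doc = {"log": {"file": {"path": path}}, "message": line}
    m = pattern.match(line)
    if m:
        doc["javalog"] = m.groupdict()
    else:
        doc["tags"] = ["_grokparsefailure"]
    return doc


def parse_failures(lines, pattern):
    """Lines the pattern rejects; the check to run before blaming the template."""
    return [line for line in lines if pattern.match(line) is None]


# Trigger template reduced to its mustache variables (HTML tags dropped).
TEMPLATE = (
    "LOG FILE: {{_source.log.file.path}}\n"
    "TIMESTAMP: {{_source.javalog.timestamp}}\n"
    "CLASS: {{_source.javalog.class}}\n"
    "MESSAGE: {{_source.javalog.message}}\n"
)

_VAR = re.compile(r"\{\{\s*([\w.$]+)\s*\}\}")


def lookup(ctx, dotted):
    """Resolve a dotted mustache name; a missing key renders as '' like mustache does."""
    cur = ctx
    for key in dotted.split("."):
        if isinstance(cur, dict) and key in cur:
            cur = cur[key]
        else:
            return ""
    return str(cur)


def render(template, hit):
    """Substitute {{name}} variables from one search hit."""
    return _VAR.sub(lambda m: lookup(hit, m.group(1)), template)


def render_alert(lines, pattern):
    """Index each line with the given pattern and render the alert body per hit."""
    hits = [{"_source": grok(line, pattern)} for line in lines]
    return "".join(render(TEMPLATE, hit) for hit in hits)


if __name__ == "__main__":
    print("--- broken pattern ---")
    print(render_alert(SAMPLE_LOG_LINES, BROKEN_PATTERN))
    print("--- fixed pattern ---")
    print(render_alert(SAMPLE_LOG_LINES, FIXED_PATTERN))
```

Running the block shows the first line rendering fully under both patterns and the second line rendering with an empty TIMESTAMP, CLASS and MESSAGE under the broken pattern only; `parse_failures` is the check to run against the raw lines (or, in a real pipeline, a query for the `_grokparsefailure` tag) before suspecting the alert template.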