Hello,
I would like to send alert and don’t want to put all results in the slack message, but extract only one field. It is feasible? example response:
{
“took”: 430,
“timed_out”: false,
“_shards”: {
“total”: 5,
“successful”: 5,
“skipped”: 0,
“failed”: 0
},
“hits”: {
“total”: 1,
“max_score”: null,
“hits”: [
{
“_index”: “xxx”,
“_type”: “_doc”,
“_id”: “shardId-000000000000:49624568899749463283599055438963040807383683572814577666-0-0”,
“_version”: 1,
“_score”: null,
“_source”: {
“id”: “xxxx”,
“timestamp”: 1641389528733,
“message”: “{"eventVersion":"1.08","userIdentity":{"type":"AssumedRole","principalId":"xxxxxxx…xx…}”
I would like to extract _source.message.principalId is it possible?
I was trying:
“message_template” : {
“source” : “User: {{ctx.results.0.hits.hits._source.message.principalId}} logged to Master account. - Period start: {{ctx.periodStart}} - Period end: {{ctx.periodEnd}}”,
“lang” : “mustache”
},
but no luck.
Thanks for feedback!