Include scripted field in Kibana monitor extraction query

beam022 · March 4, 2020, 1:34pm

Hi,
I’m defining a monitor for Kibana alerting and I’d like to include the service scripted field (which I’ve prepared) in the _source (or any other accessible field). I’d like to use that information in the Slack notification message, by doing something like {{_source.service}}. Currently, I don’t see a way to do it.

Defined extraction query

{
    "query": {
        "bool": {
            "must": [
                {
                    "range": {
                        "@timestamp": {
                            "from": "now-30m",
                            "to": null,
                            "include_lower": true,
                            "include_upper": true,
                            "boost": 1
                        }
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    },
    "_source": {
        "includes": [
            "country",
            "@timestamp",
            "timestamp",
            "service",
            "environment",
            "function_name",
            "level"
        ],
        "excludes": []
    }
}

Hits from extraction query response

"hits": {
        "hits": [
            {
                "_index": "some-index",
                "_type": "some-information",
                "_source": {
                    "country": "pl",
                    "environment": "prod",
                    "@timestamp": "2020-03-04T12:34:39.581Z",
                    "level": "ERROR",
                    "function_name": "dev.opendistrocommunity.discuss.problem",
                    "timestamp": "2020-03-04 12:34:39,581"
                },
                "_id": "3530...38",
                "_score": 10.790063
            }
        ],
        "total": 1,
        "max_score": 10.790063
    }

JSON information about log

{
  "_index": "...",
  "_type": "...",
  "_id": "3530...38",
  "_version": 1,
  "_score": null,
  "_source": {
    "correlation_id": "...",
    "request_id": "...",
    "message": "Internal Server Error",
    "timestamp": "2020-03-04 10:43:26,751",
    "level": "ERROR",
    "function_name": "dev.opendistrocommunity.discuss.problem",
    "thread": "...",
    "environment": "prod",
    "country": "pl",
    "@id": "3530...38",
    "@timestamp": "2020-03-04T10:43:26.751Z",
    "@message": "...",
    "@owner": "...",
    "@log_group": "...",
    "@log_stream": "..."
  },
  "fields": {
    "service": [
      "_____INFORMATION-I-NEED-IS-HERE______"
    ],
    "@timestamp": [
      "2020-03-04T10:43:26.751Z"
    ]
  },
  "highlight": {
    "level": [
      "@kibana-highlighted-field@ERROR@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1583318606751
  ]
}

I have defined Monitor by Define using extraction query and general index *****, for which the mentioned scripted field is defined.

I’d appreciate some help.

dbbaughe · March 7, 2020, 1:09am

Hi @beam022,

The response of the query should be available on {{ctx.results.0}}.

beam022 · March 7, 2020, 11:06am

Thanks for replying and you’re right, but it doesn’t bring me closer to a solution. I know how to access results - the problem is in putting a scripted field value in these results.

beam022 · March 13, 2020, 11:13am

So it’s rather about what I have to put in extraction query to have that field available for further processing.

jnerm · February 4, 2021, 6:11am

Hey @beam022 did you ever work it out?
All I want to do is truncate a field in the alert.
Can’t do it in the dumb Mustache, so looking to do it as a projection on the query

beam022 · February 4, 2021, 10:54am

@jnerm No, sorry, haven’t figured it out and haven’t received much help on this. If you do, please let me know how.

Mr_Hedgehog · April 15, 2021, 4:05pm

Hi there - I think I am having a similar issue to yourself. Did you manage to get anywhere with this? Thanks.

beam022 · April 16, 2021, 4:21pm

@Mr_Hedgehog No, sorry. I have given up on this.

qreshi · July 7, 2021, 5:44pm

If I understand the question correctly, if the service field is just a constant, you can define it using script fields as follows:

GET example_query/_search
{
  "query": {
    "match_all": {}
  },
  "_source": {
    "includes": [
      "field1",
      "field2",
      "field3"
    ],
    "excludes": []
  },
  "script_fields": {
    "service": {
      "script": {
        "lang": "painless",
        "source": "'my_service_name'"
      }
    }
  }
}

You also can perform String concatenation and have access to the doc contents in the script in case you want the service name to be something more dynamic. For example:

"script_fields": {
    "service": {
      "script": {
        "lang": "painless",
        "source": "'my_service_name' + '_' + doc['environment'].value"
      }
    }
  }

Then you can access these fields similar to how would access _source while iterating over the search hits. For example:

{{#ctx.results.0.hits.hits}}
  {{_source.country}}
  {{fields.service.0}}
{{/ctx.results.0.hits.hits}}

When I tested out the scripted field, the response was an array, hence the 0 index in the example above.

Hope that helps.

Topic		Replies	Views
Kibana email alert - extracting field results Alerting troubleshoot	42	10870	November 29, 2022
Kibana Alerting Alerting	7	6497	January 5, 2021
How to include message fields in the Alert Action Message for Per query monitor Alerting discuss	6	311	April 9, 2024
How to send alert containing extraction one field from message JSON Alerting	1	523	January 5, 2022
Bucket level monitor include document field like sample_documents for dedupedAlerts and completedAlerts Alerting	2	46	April 12, 2024

Include scripted field in Kibana monitor extraction query

Related Topics