Including the query in an alert notification

Hi all,

I’ve got some alerts going to a Slack channel and am looking to enhance them a bit more. I’ve got links to individual errors (the links go to that specific error in Kibana on an EFK instance). However, I’d like to add a link to the time-boxed query itself. That is…a link to the query that resulted in the alert triggering that particular time. There are lots of usable goodies in the alert ctx structure, but I haven’t found anything yet that looks like a variable with the query itself in it. Has anyone gone down this path? Any pointers I could follow?

Many thanks,
–Erik

I too am looking for the same. One option that I am using as a workaround is to insert the URL of the dashboard in the alert message.

Yes, I’ve done something similar. It’s a bit of a Franken-URL, which does resolve correctly. However, the trick is that the query portion of the link URL has to be manually updated if we tweak the query that forms the basis of the alert. Some way of exposing the query terms (or the query in all its glory, actually) via the ctx variables would be fantastic. I believe that I saw a similar request in the project’s GitHub Issues, but I’m not sure of the status (haven’t revisited the Issues lately). Hopefully something can come of the discussion, as it would be a wonderful feature. :slight_smile:

Hey folks - I found a cleaner solution for this…

  1. Create a Saved Query using the conditions for your alert.

  2. Generate a Permalink as a Saved Object for your query. This will ensure that your Alert message always references the latest version of the saved query, which is better than hard-coding the current version of the query into the URL, which will later be outdated.

  3. This will provide you with a shorter URL that always references the saved query; it will look like this: https://[server]/app/kibana?security_tenant=global#/discover/a436b3e0-3f64-11eb-ac54-97d46bd32999?_g=(filters%3A!()%2CrefreshInterval%3A(pause%3A!t%2Cvalue%3A0)%2Ctime%3A(from%3Anow-24h%2Cto%3Anow))

  4. Simply swap out the time selector with the variables from the monitor to reflect this instead: https://[server]/app/kibana?security_tenant=global#/discover/a436b3e0-3f64-11eb-ac54-97d46bd32999?_g=(filters%3A!()%2CrefreshInterval%3A(pause%3A!t%2Cvalue%3A0)%2Ctime%3A(from%3A'{{ctx.periodStart}}'%2Cto%3A'{{ctx.periodEnd}}'))

The result is a much shorter URL that always references the latest version of the query as well as the timeframe that generated the alert.

Hope this helps.
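As an added example (not code from the thread or from the alerting plugin), the script below builds the step 3/4 permalink programmatically and checks what the rendered link decodes to. It assumes a placeholder Kibana base URL and saved-search id, assumes the `_g` parameter carries Rison text exactly as in the URLs above, and uses a constructed `ctx` with `periodStart`/`periodEnd` values; the `validate_time` check is an assumption about what the monitor supplies (ISO-8601 timestamps) and simply refuses anything else so a stray value cannot malform the quoted Rison string.

```python
import re
from urllib.parse import quote, unquote

# Placeholders constructed for this example: not a real host or saved-object id.
KIBANA_BASE = "https://kibana.example.invalid/app/kibana"
SAVED_SEARCH_ID = "00000000-0000-0000-0000-000000000000"

# Accept an ISO-8601 timestamp (what ctx.periodStart/periodEnd are assumed to carry)
# or a Kibana relative expression such as now-24h. Anything else is refused so an
# unexpected value cannot escape the single-quoted Rison string inside _g.
_TIME_RE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})"
    r"|now(?:-\d+[smhdwMy])?)$"
)


def validate_time(value: str) -> str:
    if not _TIME_RE.match(value):
        raise ValueError(f"not a timestamp or relative range: {value!r}")
    return value


def build_global_state(period_start: str, period_end: str) -> str:
    """Rison text for Discover's _g parameter: no filters, paused auto-refresh,
    and the monitor period as an absolute time window."""
    start, end = validate_time(period_start), validate_time(period_end)
    return ("(filters:!(),refreshInterval:(pause:!t,value:0),"
            f"time:(from:'{start}',to:'{end}'))")


def build_discover_url(period_start: str, period_end: str, tenant: str = "global") -> str:
    """Permalink to the saved search with the alert's window applied.
    safe="()!'" keeps the Rison punctuation readable while ':' and ',' become
    %3A and %2C, the same shape as the URLs in the thread."""
    state = quote(build_global_state(period_start, period_end), safe="()!'")
    return f"{KIBANA_BASE}?security_tenant={tenant}#/discover/{SAVED_SEARCH_ID}?_g={state}"


def render_message(template: str, ctx: dict) -> str:
    """Minimal stand-in for the monitor's message template: replaces every
    {{ctx.<name>}} with the validated value from ctx, as step 4 does by hand."""
    return re.sub(r"\{\{ctx\.(\w+)\}\}", lambda m: validate_time(ctx[m.group(1)]), template)


def time_window_from_url(url: str):
    """Decode the _g fragment back into (from, to) so the link can be checked
    before it is trusted in a notification."""
    state = unquote(url.split("?_g=", 1)[1])
    m = re.search(r"time:\(from:'([^']*)',to:'([^']*)'\)", state)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    # Constructed ctx values standing in for what the alerting plugin passes.
    ctx = {"periodStart": "2020-12-16T12:00:00Z", "periodEnd": "2020-12-16T12:05:00Z"}
    url = build_discover_url(ctx["periodStart"], ctx["periodEnd"])
    print(url)
    print(time_window_from_url(url))
```

`build_discover_url` produces the same `_g` shape as step 3 but with the window filled from the monitor context, while `render_message` shows the template route from step 4, where the raw `{{ctx.*}}` values are dropped into an already-encoded URL; `time_window_from_url` is the quick sanity check that the link really points at the period that fired the alert.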