Message for all hits

Hi folks,
I have a custom webhook for Google Chat. It works good. But I don’t understand how to make sending alerts to every hits. For example, I have:
ctx.results[0].hits.total.value > 0

{"cards":[{"header":{"title":"ELK Alert","subtitle":"{{ctx.monitor.name}}"},"sections":[{"widgets":[{"textParagraph":{"text":"There was {{ctx.results.0.hits.total.value}} switches. 
{{ctx.results.0.hits.hits.0._source.timestamp}} {{ctx.results.0.hits.hits.0._source.logsource}}  {{ctx.results.0.hits.hits.0._source.dst_ip}}{{ctx.results.0.hits.hits.0._source.message}}
"}}]}]}]}

But only the first event is sent. How to make an alert not only for the first [0] hit?

Hi @Aleksei,

We have a github issue for this already: Alerting per documents/events · Issue #13 · opendistro-for-elasticsearch/alerting · GitHub
Please feel free to :+1: it.

Thanks

1 Like

Thank you! It works.

@lucaswin-amzn @Aleksei
I have not been able to test it due to infrastructure is not in place.
I am testing it on my local machine.
My question is, say i have 20 servers and i want to trigger an alert if “error count goes above 30” and 15 servers out of 20 met the alert criterion.
Will it trigger 1 or 15 alerts?

Hi @asikarwar,

By servers here I assume you mean elasticsearch clusters. If you have this monitor on 20 clusters and 15 clusters meet the alert criteria then yes 15 alerts will be created.

If by servers you mean elasticsearch nodes, then only 1 alert will be created.

Hi @lucaswin-amzn
Sorry for an ambiguous statement.

By “20 servers” i meant 20 Windows servers or machines.

I have Winlogbeat running as a Windows service on 20 windows servers or Machines which ships event log data to Elasticsearch every minute winlogbeat collects and ships the log back to my Elasticsearch database. With it also comes the name of the machine(server) where winlogbeat was running to which i refer the term as Server or you can call them Host, winlog,agent.Host.Name etc.

Below i collected this using Kibana visualization where you can see this how we get the data back

image

Following servers met the alert criterion
Windows_Server#1
Windows_Server#3
Windows_Server#4

Therefore will this trigger separate alert for Windows_Server#1, Windows_Server#3, Windows_Server#4 or just one alert?

Thanks

1 Like