Add filter_path option to Elasticsearch query alert rules #124749

Closed
A-Hall opened this issue Feb 4, 2022 · 1 comment · Fixed by #142223
Comments

@A-Hall
Member

A-Hall commented Feb 4, 2022

Describe the feature:

Currently there is no way to manipulate the response body in an alert action in Kibana alerts, for example to slim down {{context.hits}} to only fields relevant to the alert. That leaves us with formatting the actual hits array sent back to Kibana from ES as the only option. You can reduce the fields included in the _source by including "_source": ["myRelevantField"] in the alert query, but that still returns the metadata fields. The only way to remove the metadata fields and other fields is with filter_path as a URL parameter, which currently isn't available as an option with queries generated with Kibana alerts. Something like this would allow you to strip down the response body so it's not more verbose than it needs to be.

(image attachment)

Edited: Assumed that using "_source": ["myRelevantField"] or "fields": [ "node_stats.process.cpu.percent"] would reduce the fields returned in the hits array, but apparently Kibana strips those from the query (maybe due to some verification that they're not passing?).
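As an added illustration (not part of this issue, Kibana or Elasticsearch), the snippet below re-implements filter_path semantics locally and runs it over a constructed search response: with `_source` filtering alone every hit still carries `_index`, `_id` and `_score`, whereas `filter_path=hits.hits._source` keeps only the source. The response document and index name are constructed sample data.

```python
from __future__ import annotations

import fnmatch
from typing import Any

# Constructed search response for an alert query that used
# "_source": ["node_stats.process.cpu.percent"]: the hit metadata
# (_index, _id, _score) is still present on every hit.
SAMPLE_RESPONSE: dict[str, Any] = {
    "took": 3, "timed_out": False,
    "_shards": {"total": 1, "successful": 1, "skipped": 0, "failed": 0},
    "hits": {
        "total": {"value": 2, "relation": "eq"}, "max_score": 1.0,
        "hits": [
            {"_index": ".monitoring-es-7", "_id": "a1", "_score": 1.0,
             "_source": {"node_stats": {"process": {"cpu": {"percent": 87}}}}},
            {"_index": ".monitoring-es-7", "_id": "b2", "_score": 1.0,
             "_source": {"node_stats": {"process": {"cpu": {"percent": 91}}}}},
        ],
    },
}


def filter_path(doc: Any, paths: str) -> Any:
    """Local re-implementation of Elasticsearch filter_path: comma-separated
    dot paths, '*' matches one key, '**' matches any depth; lists are
    filtered element-wise and empty containers are dropped."""
    patterns = [p.split(".") for p in paths.split(",") if p]
    return _apply(doc, patterns) or {}


def _apply(node: Any, patterns: list[list[str]]) -> Any:
    if isinstance(node, list):
        kept = [_apply(item, patterns) for item in node]
        return [x for x in kept if x not in ({}, [], None)]
    if not isinstance(node, dict):
        return None  # scalar reached while a pattern is still unexhausted
    result: dict[str, Any] = {}
    for key, value in node.items():
        nexts: list[list[str]] = []
        for pat in patterns:
            head, rest = pat[0], pat[1:]
            if head == "**":
                nexts.append(pat)  # '**' may keep consuming deeper levels
                if not rest or fnmatch.fnmatchcase(key, rest[0]):
                    nexts.append(rest[1:])
            elif fnmatch.fnmatchcase(key, head):
                nexts.append(rest)
        if [] in nexts:
            result[key] = value  # a pattern ended on this key: keep it whole
        elif nexts and (sub := _apply(value, nexts)) not in ({}, [], None):
            result[key] = sub
    return result
```

Calling `filter_path(SAMPLE_RESPONSE, "hits.hits._source")` returns hits containing only `_source`, and `"**.percent,hits.total.value"` trims each hit down to the single CPU field plus the total count.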

@botelastic botelastic bot added the needs-team Issues missing a team label label Feb 4, 2022
@mshustov mshustov added the Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) label Feb 9, 2022
@elasticmachine
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Feb 9, 2022
@mikecote mikecote moved this from Awaiting Triage to Todo in AppEx: ResponseOps - Execution & Connectors Feb 17, 2022
@ymao1 ymao1 self-assigned this Sep 29, 2022
@ymao1 ymao1 moved this from Todo to In Progress in AppEx: ResponseOps - Execution & Connectors Sep 29, 2022
@ymao1 ymao1 moved this from In Progress to In Review in AppEx: ResponseOps - Execution & Connectors Sep 29, 2022
Repository owner moved this from In Review to Done in AppEx: ResponseOps - Execution & Connectors Oct 5, 2022