
[BUG] Opensearch Alerting: Per Document Monitor not including document field(s) in alert message #1281

Open
ashishkumar256 opened this issue Oct 18, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@ashishkumar256

ashishkumar256 commented Oct 18, 2023

I am a newbie to OpenSearch. Apologies in advance in case wrong terminologies are used. We recently started to use OpenSearch as a logging database.

We are trying to set up Alerting in OpenSearch. As we are using OpenSearch for storing application logs, we are more interested in going ahead with the per-document monitor in order to apply more complex queries based on business needs.

We have configured a per-document monitor with the extraction query snippet below:

{
    "description": "",
    "queries": [
        {
            "id": "log-level",
            "name": "log-level",
            "query": "status:\"error\"",
            "tags": []
        }
    ]
}

It's working well. Now the requirement is to pipe app_log.message into the alert message (to Slack):

"_source": {
   "app_log": {
       "message": "[No Bank Account id found with XX-YY-ZZ]",
       "caller": "/app/internal/usecase/implementation/xyz.go:1801",
       "level": "error"
   },
   "status": "error"
}

We tried the snippet below, but it did not work:

{{#ctx.results.0.hits.hits}} 
Message: {{_source.app_log.message}}
{{/ctx.results.0.hits.hits}}

We already tried a couple of blogs available on the internet:

  1. https://forum.opensearch.org/t/how-do-i-include-message-fields-in-the-alert-action-message-for-per-document-monitor/14428
  2. https://forum.opensearch.org/t/how-do-i-include-message-fields-in-the-alert-action-message/8167/12
  3. [BUG] Problem with getting ctx.results #479

Apart from that, there is one more issue I want to highlight: the per-document monitor does work with nested fields ("query": "app_log.level:\"error\""):

{
    "description": "",
    "queries": [
        {
            "id": "log-level-error",
            "name": "log-level-error",
            "query": "app_log.level:\"error\"",
            "tags": []
        }
    ]
}

Let me know if more information is required.

@ashishkumar256 ashishkumar256 added bug Something isn't working untriaged labels Oct 18, 2023
@dblock dblock transferred this issue from opensearch-project/OpenSearch Oct 24, 2023
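Added example, not part of the issue or of the OpenSearch Alerting code base: a minimal Mustache-style renderer in Python that resolves the exact template posted above ({{#ctx.results.0.hits.hits}} ... {{_source.app_log.message}} ...) against two constructed ctx objects. The first ctx assumes the shape a query-level monitor exposes (results.0.hits.hits with a _source per hit); the second has no hits. Both ctx objects are constructed for illustration, not captured from OpenSearch, and the renderer is a toy, not the engine Alerting uses. What it shows is the failure mode behind "no luck": Mustache drops a section whose name is missing or falsy and renders an unresolvable variable as an empty string, so a template written against a ctx shape the monitor type does not provide produces an empty message rather than an error.

```python
import re

# Constructed ctx modelled on a query-level monitor's results (assumption,
# not captured from OpenSearch). The hit is the document from the issue.
SAMPLE_CTX_WITH_HITS = {
    "ctx": {
        "results": [
            {
                "hits": {
                    "hits": [
                        {
                            "_source": {
                                "app_log": {
                                    "message": "[No Bank Account id found with XX-YY-ZZ]",
                                    "caller": "/app/internal/usecase/implementation/xyz.go:1801",
                                    "level": "error",
                                },
                                "status": "error",
                            }
                        }
                    ]
                }
            }
        ]
    }
}

# Constructed ctx whose results carry no hits at all (assumption, for contrast).
SAMPLE_CTX_NO_HITS = {"ctx": {"results": [{"hits": {"hits": []}}]}}

# The action message template exactly as posted in the issue.
TEMPLATE = (
    "{{#ctx.results.0.hits.hits}}\n"
    "Message: {{_source.app_log.message}}\n"
    "{{/ctx.results.0.hits.hits}}"
)

# {{#name}}...{{/name}} sections (non-greedy, so nested sections with other
# names are left for the recursive call) and plain {{name}} variables.
SECTION_RE = re.compile(r"{{#([\w.]+)}}(.*?){{/\1}}", re.DOTALL)
VAR_RE = re.compile(r"{{([\w.]+)}}")


def lookup(name, stack):
    """Resolve a dotted Mustache name. The first segment is searched from the
    innermost context frame outwards; the remaining segments are walked on the
    object found. Numeric segments index into lists. Returns None if any
    segment is missing, which Mustache renders as nothing."""
    first, *rest = name.split(".")
    for frame in reversed(stack):
        if isinstance(frame, dict) and first in frame:
            cur = frame[first]
            break
        if isinstance(frame, list) and first.isdigit() and int(first) < len(frame):
            cur = frame[int(first)]
            break
    else:
        return None
    for seg in rest:
        if isinstance(cur, dict) and seg in cur:
            cur = cur[seg]
        elif isinstance(cur, list) and seg.isdigit() and int(seg) < len(cur):
            cur = cur[int(seg)]
        else:
            return None
    return cur


def render_vars(text, stack):
    """Substitute {{name}} variables; unresolvable names become empty strings."""
    def sub(m):
        value = lookup(m.group(1), stack)
        return "" if value is None else str(value)
    return VAR_RE.sub(sub, text)


def render(template, stack):
    """Render sections and variables. A missing or falsy section value (None,
    [], "", False) silently drops the whole section; a list repeats the body
    once per item with that item pushed onto the context stack. Standalone
    tag lines are not stripped, unlike a spec-complete engine."""
    out, pos = [], 0
    for m in SECTION_RE.finditer(template):
        out.append(render_vars(template[pos:m.start()], stack))
        value = lookup(m.group(1), stack)
        if value:
            items = value if isinstance(value, list) else [value]
            out.extend(render(m.group(2), stack + [item]) for item in items)
        pos = m.end()
    out.append(render_vars(template[pos:], stack))
    return "".join(out)


def render_alert(ctx):
    """Render the posted template against a ctx dict and strip outer whitespace."""
    return render(TEMPLATE, [ctx]).strip()


if __name__ == "__main__":
    print(repr(render_alert(SAMPLE_CTX_WITH_HITS)))  # the message line
    print(repr(render_alert(SAMPLE_CTX_NO_HITS)))    # '' : silent, no error
```

Two practitioner notes. First, an empty rendering is the only signal Mustache gives when the ctx shape does not match the template, so dumping the whole ctx (for example a template consisting of just {{ctx}}) into a test action is the quickest way to see which fields a given monitor type actually exposes before writing a field-level template. Second, the renderer copies the raw log field into the alert verbatim, with no escaping or redaction; the sample message already carries an account-identifier-like token, so whatever lands in a Slack channel should be reviewed for sensitive content before the action is enabled.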
@engechas
Collaborator

Hi - we added sample docs to the ctx variable in #1450. Could you check if this meets your use case?
