[FEATURE] Add bucket level monitors metric values to the "ctx" object for notifications #1287

Open
divanshurox opened this issue Oct 25, 2023 · 1 comment
Labels
enhancement New feature or request

@divanshurox

Is your feature request related to a problem?
Currently, users can create bucket level monitors and raise an alert on a field when its value is greater than the threshold set in the trigger condition. I had a use case in which I would like to mention the observed value and the threshold value in the alert body I send to the user, which doesn't seem possible right now.

What solution would you like?
The bucket params must be added to the ctx object, whose access we have in the alert body, so that we can print the observed and threshold values in the body. It would allow the user to better define the notification message and why the alert was raised.

Do you have any additional context?

  1. I had created an index "test-1" with the following documents:

```
{
  "name": "A",
  "value": 90
}
{
  "name": "B",
  "value": 80
}
{
  "name": "C",
  "value": 10
}
```

  2. Then I had created a bucket level monitor, with the following configuration:

```
Per bucket monitor
Index: test-1
Metrics: MAX OF value
Group by: name

Trigger:
Trigger condition: Max_value IS ABOVE 50
Action: webhook:
```

  3. I had configured the monitor with the following alert body, with the action as Custom Webhook:

```
{
"text":"
{{ctx}}
Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
  - Trigger: {{ctx.trigger.name}}
  - Severity: {{ctx.trigger.severity}}
  - Period start: {{ctx.periodStart}}
  - Period end: {{ctx.periodEnd}}
  - New Alerts:
  {{#ctx.newAlerts}}
    * {{id}} : {{bucket_keys}}
  {{/ctx.newAlerts}}
}
```

  4. However, in the message I get:
, results=[, hits=, max_score=null}, took=2, timed_out=false, aggregations=, composite_agg=}}], periodStart=2023-10-18T07:31:59.293Z, periodEnd=2023-10-18T07:32:59.293Z, error=null, trigger=], parentBucketPath=composite_agg}, dedupedAlerts=[], newAlerts=[{acknowledged_time=null, id=1SizQYsBYO_iF9pwuTAz, version=-1, end_time=null, error_message=null, execution_id=OSeuQYsBYO_iF9pwOnHg_2023-10-18T07:32:59.292524_1b6f27c1-3a3f-4b44-9d2b-0befee5fa485, workflow_id=, workflow_name=, associated_alert_ids=[], last_notification_time=1697614379297, severity=1, start_time=1697614379297, state=ACTIVE, bucket_keys=E, parent_bucket_path=composite_agg, finding_ids=, related_doc_ids=}], completedAlerts=[]}

Monitor Bucket_monitor_test just entered alert status. Please investigate the issue.

Trigger: trigger-1
Severity: 1
Period start: 2023-10-18T07:31:59.293Z
Period end: 2023-10-18T07:32:59.293Z
New Alerts:
1SizQYsBYO_iF9pwuTAz : E

Analysis: So I am able to get the name from the bucket keys, but I would like to have the observed and threshold value in the message body, so that I have a better understanding why I have received the alert.

@divanshurox divanshurox added enhancement New feature or request untriaged labels Oct 25, 2023
@praveensameneni
Member

Thank you for creating the request. We recently introduced adding sample documents in the ctx object: #1450

```
{{#ctx.alerts}}
    Sample documents:
    {{#sample_documents}}
        Index: {{_index}}
        Document ID: {{_id}}

        Order date: {{_source.order_date}}
        Order ID: {{_source.order_id}}
        Clothing category: {{_source.category}}
        -----------------
    {{/sample_documents}}
{{/ctx.alerts}}
```

Let us know if the above supports your use case.
