mirror of
https://github.com/elastic/kibana.git
synced 2025-04-24 01:38:56 -04:00
Add summary action variables (#150221)
Resolves: #150209 This PR intends to add the available `Action variables` of the new `Summary of alerts` actions. Note: Alert-as-data exposes more data. Please let me know if any needs to be added/removed. A better list of available fields: https://github.com/elastic/kibana/blob/main/x-pack/plugins/rule_registry/README.md --------- Co-authored-by: lcawl <lcawley@elastic.co>
This commit is contained in:
Ersin Erdal
GitHub
parent
4f25fa7abf
commit
9bbb1f759a
1 changed files with 96 additions and 20 deletions
|
|
@ -124,29 +124,105 @@ You can attach more than one action. Clicking the *Add action* button will promp
|
|||
[float]
|
||||
[[defining-rules-actions-variables]]
|
||||
===== Action variables
|
||||
Using the https://mustache.github.io/[Mustache] template syntax `{{variable name}}`, you can pass rule values at the time a condition is detected to an action. You can access the list of available variables using the "add rule variable" button. Although available variables differ by rule type, all rule types pass the following variables:
|
||||
|
||||
`rule.id`:: The ID of the rule.
|
||||
`rule.name`:: The name of the rule.
|
||||
`rule.spaceId`:: The ID of the space for the rule.
|
||||
`rule.tags`:: The list of tags applied to the rule.
|
||||
`date`:: The date the rule scheduled the action, in ISO format.
|
||||
`alert.id`:: The ID of the alert that scheduled the action.
|
||||
`alert.actionGroup`:: The ID of the action group of the alert that scheduled the action.
|
||||
`alert.actionSubgroup`:: The action subgroup of the alert that scheduled the action.
|
||||
`alert.actionGroupName`:: The name of the action group of the alert that scheduled the action.
|
||||
`alert.flapping`:: A flag on the alert that indicates whether the alert status is changing repeatedly.
|
||||
|
||||
`kibanaBaseUrl`:: The configured <<server-publicBaseUrl, `server.publicBaseUrl`>>. If not configured, this will be empty.
|
||||
Using the https://mustache.github.io/[Mustache] template syntax `{{variable name}}`, you can pass rule values to an action at the time a condition is detected. You can access the list of available variables using the "add rule variable" button:
|
||||
|
||||
[role="screenshot"]
|
||||
image::images/rule-flyout-action-variables.png[Passing rule values to an action]
|
||||
|
||||
All rule types pass the following variables:
|
||||
|
||||
`date`:: The date the rule scheduled the action, in ISO format.
|
||||
`kibanaBaseUrl`:: The configured <<server-publicBaseUrl,`server.publicBaseUrl`>>. If not configured, this will be empty.
|
||||
`rule.id`:: The ID of the rule.
|
||||
`rule.name`:: The name of the rule.
|
||||
`rule.spaceId`:: The ID of the space for the rule.
|
||||
`rule.tags`:: The list of tags applied to the rule.
|
||||
|
||||
There is also a set of action variables specific to the action frequency:
|
||||
|
||||
- <<alert-action-variables,For each alert>>
|
||||
- <<alert-summary-action-variables,Summary of alerts>>
|
||||
|
||||
[float]
|
||||
[[alert-action-variables]]
|
||||
===== Action variables for each alert
|
||||
|
||||
Although available variables differ by rule type, when the action frequency is
|
||||
**For each alert**, all rule types pass the following variables:
|
||||
|
||||
`alert.actionGroup`:: The ID of the action group of the alert that scheduled the action.
|
||||
`alert.actionGroupName`:: The name of the action group of the alert that scheduled the action.
|
||||
`alert.actionSubgroup`:: The action subgroup of the alert that scheduled the action.
|
||||
`alert.flapping`:: A flag on the alert that indicates whether the alert status is changing repeatedly.
|
||||
`alert.id`:: The ID of the alert that scheduled the action.
|
||||
|
||||
[float]
|
||||
[role="child_attributes"]
|
||||
[[alert-summary-action-variables]]
|
||||
===== Action variables for summary of alerts
|
||||
|
||||
NOTE: This type of action frequency is not available for all rule types.
|
||||
|
||||
When the action frequency is **Summary of alerts**, rules pass the following
|
||||
variables:
|
||||
|
||||
`alerts.all.count`:: The count of all alerts.
|
||||
|
||||
`alerts.all.data`::
|
||||
An array of objects for all alerts. The following object properties are examples; it is not a comprehensive list.
|
||||
+
|
||||
.Properties of the alerts.all.data objects
|
||||
[%collapsible%open]
|
||||
=====
|
||||
//# tag::alerts-data[]
|
||||
`kibana.alert.end`:: Datetime stamp of alert end. preview:[]
|
||||
`kibana.alert.flapping`:: A flag on the alert that indicates whether the alert status is changing repeatedly. preview:[]
|
||||
`kibana.alert.instance.id`:: ID of the source that generates the alert. preview:[]
|
||||
`kibana.alert.reason`:: The reason of the alert (generated with the rule conditions). preview:[]
|
||||
`kibana.alert.start`:: Datetime stamp of alert start. preview:[]
|
||||
`kibana.alert.status`:: Alert status (for example, active or OK). preview:[]
|
||||
//# end::alerts-data[]
|
||||
=====
|
||||
|
||||
`alerts.new.count`:: The count of new alerts.
|
||||
|
||||
`alerts.new.data`::
|
||||
An array of objects for new alerts. The following object properties are examples; it is not a comprehensive list.
|
||||
+
|
||||
.Properties of the alerts.new.data objects
|
||||
[%collapsible]
|
||||
=====
|
||||
include::create-and-manage-rules.asciidoc[tag=alerts-data]
|
||||
=====
|
||||
|
||||
`alerts.ongoing.count`:: The count of ongoing alerts.
|
||||
|
||||
`alerts.ongoing.data`::
|
||||
An array of objects for ongoing alerts. The following object properties are examples; it is not a comprehensive list.
|
||||
+
|
||||
.Properties of the alerts.ongoing.data objects
|
||||
[%collapsible]
|
||||
=====
|
||||
include::create-and-manage-rules.asciidoc[tag=alerts-data]
|
||||
=====
|
||||
|
||||
`alerts.recovered.count`:: The count of recovered alerts.
|
||||
|
||||
`alerts.recovered.data`::
|
||||
An array of objects for recovered alerts. The following object properties are examples; it is not a comprehensive list.
|
||||
+
|
||||
.Properties of the alerts.recovered.data objects
|
||||
[%collapsible]
|
||||
=====
|
||||
include::create-and-manage-rules.asciidoc[tag=alerts-data]
|
||||
=====
|
||||
|
||||
Some cases exist where the variable values will be "escaped", when used in a context where escaping is needed:
|
||||
|
||||
- For the <<email-action-type, Email>> connector, the `message` action configuration property escapes any characters that would be interpreted as Markdown.
|
||||
- For the <<slack-action-type, Slack>> connector, the `message` action configuration property escapes any characters that would be interpreted as Slack Markdown.
|
||||
- For the <<webhook-action-type, Webhook>> connector, the `body` action configuration property escapes any characters that are invalid in JSON string values.
|
||||
- For the <<email-action-type,Email>> connector, the `message` action configuration property escapes any characters that would be interpreted as Markdown.
|
||||
- For the <<slack-action-type,Slack>> connector, the `message` action configuration property escapes any characters that would be interpreted as Slack Markdown.
|
||||
- For the <<webhook-action-type,Webhook>> connector, the `body` action configuration property escapes any characters that are invalid in JSON string values.
|
||||
|
||||
Mustache also supports "triple braces" of the form `{{{variable name}}}`, which indicates no escaping should be done at all. Care should be used when using this form, as it could end up rendering the variable content in such a way as to make the resulting parameter invalid or formatted incorrectly.
|
||||
|
||||
|
|
@ -154,18 +230,18 @@ Mustache also supports "triple braces" of the form `{{{variable name}}}`, which
|
|||
[[defining-rules-actions-variable-context]]
|
||||
===== Action variable context
|
||||
|
||||
Each rule type defines additional variables as properties of the variable `context`. For example, if a rule type defines a variable `value`, it can be used in an action parameter as `{{context.value}}`.
|
||||
When the action frequency is **For each alert**, each rule type defines additional variables as properties of the variable `context`. For example, if a rule type defines a variable `value`, it can be used in an action parameter as `{{context.value}}`.
|
||||
|
||||
For diagnostic or exploratory purposes, action variables whose values are objects, such as `context`, can be referenced directly as variables. The resulting value will be a JSON representation of the object. For example, if an action parameter includes `{{context}}`, it will expand to the JSON representation of all the variables and values provided by the rule type. To see alert-specific variables, use `{{.}} `.
|
||||
For diagnostic or exploratory purposes, action variables whose values are objects, such as `context`, can be referenced directly as variables. The resulting value will be a JSON representation of the object. For example, if an action parameter includes `{{context}}`, it will expand to the JSON representation of all the variables and values provided by the rule type. To see alert-specific variables, use `{{.}}`.
|
||||
|
||||
For situations where your rule response returns arrays of data, you can loop through the `context` by
|
||||
For situations where your rule response returns arrays of data, you can loop through the `context`:
|
||||
|
||||
[source]
|
||||
--------------------------------------------------
|
||||
{{#context}}{{.}}{{/context}}
|
||||
--------------------------------------------------
|
||||
|
||||
For example, looping through search result hits may appear
|
||||
For example, looping through search result hits:
|
||||
|
||||
[source]
|
||||
--------------------------------------------------
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue