[[rule-action-variables]]
== Rule action variables
:frontmatter-description: A summary of common variables for use in {kib} alerting rule actions.
:frontmatter-tags-products: [alerting] 
:frontmatter-tags-content-type: [reference] 
:frontmatter-tags-user-goals: [configure]

Alerting rules can use the https://mustache.github.io/mustache.5.html[Mustache] template syntax
(`{{variable name}}`) to pass values when the actions run.

[float]
[[common-rule-action-variables]]
=== Common variables

The available variables differ by rule type, however there are some common variables:

* <<general-rule-action-variables>>
* <<alert-summary-action-variables>>
* <<alert-action-variables>>

Some cases exist where the variable values will be "escaped" when used in a context where escaping is needed. For example:

- For the <<email-action-type,email connector>>, the `message` action configuration property escapes any characters that would be interpreted as Markdown.
- For the <<slack-action-type,Slack connector>>, the `message` action configuration property escapes any characters that would be interpreted as Slack Markdown.
- For the <<webhook-action-type,Webhook connector>>, the `body` action configuration property escapes any characters that are invalid in JSON string values.

Mustache also supports "triple braces" of the form `{{{variable name}}}`, which indicates no escaping should be done at all. Use this form with caution, since it could end up rendering the variable content such that the resulting parameter is invalid or formatted incorrectly.

[float]
[[general-rule-action-variables]]
==== General

All rule types pass the following variables:

`date`:: The date the rule scheduled the action, in ISO format.
`kibanaBaseUrl`:: The configured <<server-publicBaseUrl,`server.publicBaseUrl`>>. If not configured, this will be empty.
`rule.id`:: The rule identifier.
`rule.name`:: The rule name.
`rule.params`:: The rule parameters, which vary by rule type.
`rule.spaceId`:: The space identifier for the rule.
`rule.tags`:: The list of tags applied to the rule.

[float]
[role="child_attributes"]
[[alert-summary-action-variables]]
==== Action frequency: Summary of alerts

If the rule's action frequency is a summary of alerts, it passes the following variables:

`alerts.all.count`:: The count of all alerts.

`alerts.all.data`::
An array of objects for all alerts. The following object properties are examples; it is not a comprehensive list.
+
.Properties of the alerts.all.data objects
[%collapsible%open]
=====
//# tag::alerts-data[]
`kibana.alert.end`:: Datetime stamp of alert end. preview:[]
`kibana.alert.flapping`:: A flag on the alert that indicates whether the alert status is changing repeatedly. preview:[]
`kibana.alert.instance.id`:: ID of the source that generates the alert. preview:[]
`kibana.alert.reason`:: The reason of the alert (generated with the rule conditions). preview:[]
`kibana.alert.start`:: Datetime stamp of alert start. preview:[]
`kibana.alert.status`:: Alert status (for example, active or OK). preview:[]
//# end::alerts-data[]
=====

`alerts.new.count`:: The count of new alerts.

`alerts.new.data`::
An array of objects for new alerts. The following object properties are examples; it is not a comprehensive list.
+
.Properties of the alerts.new.data objects
[%collapsible]
=====
include::action-variables.asciidoc[tag=alerts-data]
=====

`alerts.ongoing.count`:: The count of ongoing alerts.

`alerts.ongoing.data`::
An array of objects for ongoing alerts. The following object properties are examples; it is not a comprehensive list.
+
.Properties of the alerts.ongoing.data objects
[%collapsible]
=====
include::action-variables.asciidoc[tag=alerts-data]
=====

`alerts.recovered.count`:: The count of recovered alerts.

`alerts.recovered.data`::
An array of objects for recovered alerts. The following object properties are examples; it is not a comprehensive list.
+
.Properties of the alerts.recovered.data objects
[%collapsible]
=====
include::action-variables.asciidoc[tag=alerts-data]
=====

[float]
[[alert-action-variables]]
==== Action frequency: For each alert

If the rule's action frequency is not a summary of alerts, it passes the following variables:

`alert.actionGroup`:: The ID of the action group of the alert that scheduled the action.
`alert.actionGroupName`:: The name of the action group of the alert that scheduled the action.
`alert.actionSubgroup`:: The action subgroup of the alert that scheduled the action.
`alert.flapping`:: A flag on the alert that indicates whether the alert status is changing repeatedly.
`alert.id`:: The ID of the alert that scheduled the action.
`alert.uuid`:: A universally unique identifier for the alert. While the alert is active, the UUID value remains unchanged each time the rule runs. preview:[]

[float]
[[defining-rules-actions-variable-context]]
===== Context

If the rule's action frequency is not a summary of alerts, the rule defines additional variables as properties of the variable `context`. For example, if a rule type defines a variable `value`, it can be used in an action parameter as `{{context.value}}`.

For diagnostic or exploratory purposes, action variables whose values are objects, such as `context`, can be referenced directly as variables. The resulting value will be a JSON representation of the object. For example, if an action parameter includes `{{context}}`, it will expand to the JSON representation of all the variables and values provided by the rule type. To see all alert-specific variables, use `{{.}}`.

For situations where your rule response returns arrays of data, you can loop through the `context`:

[source,sh]
--------------------------------------------------
{{#context}}{{.}}{{/context}}
--------------------------------------------------

For example, looping through search result hits:

[source,sh]
--------------------------------------------------
triggering data was:
{{#context.hits}} - {{_source.message}}
{{/context.hits}}
--------------------------------------------------

[discrete]
[[enhance-mustache-variables]]
=== Enhancing Mustache variables

preview::[]

You can enhance the values contained in Mustache variables when the Mustache template is rendered by rendering objects as JSON or by using Mustache lambdas.

[discrete]
==== Rendering objects as JSON

Some connectors (such as the <<webhook-action-type,Webhook connector>>) expect JSON values to be passed as parameters when the connector is invoked.
The following capabilities are available:

- Array values referenced in braces have a predefined rendering by Mustache as string versions of the array elements, joined with a comma (`,`). To render array values as JSON, access the `asJSON` property of the array, instead of the array directly. For example, given a Mustache variable `context.values` that has the value `[1, 4, 9]` the Mustache template `{{context.values}}` will render as `1,4,9`, and the Mustache template `{{context.values.asJSON}}` will render as `[1,4,9]`.

- The <<parse-hjson-lambda,ParseHjson lambda>> Mustache lambda makes it easier to create JSON in your templates by using https://hjson.github.io/[Hjson], a syntax extension to JSON, rather than strict JSON.

[discrete]
==== Using Mustache lambdas

Mustache lambdas provide additional rendering capabilities for Mustache templates.
A Mustache lambda is formatted like a Mustache section. For example:

[source,sh]
----
{{#EvalMath}} round(context.value, 1) {{/EvalMath}}
----

In that example, the lambda `EvalMath` is passed the text `round(context.value, 1)` and renders a rounded value of the `context.value` variable.
This pattern is used by all the provided Mustache lambdas described in the subsequent sections.

[discrete]
===== EvalMath

The EvalMath lambda will evaluate the text passed to it as <<canvas-tinymath-functions>>.

For example, when the Mustache variable `context.value` is `3.1234`, the following template will render as `3.1`:

[source,sh]
----
{{#EvalMath}} round(context.value, 1) {{/EvalMath}}
----

This lambda can access Mustache variables without having to wrap them in `{{}}`.
However, if the value is in a string form (for example, an Elasticsearch numeric field whose source was indexed as a string), or could be escaped, escaping the value with triple quotes should allow this to work.
For example, if the Mustache variable `context.value` is `"3.1234"`, the following template will render as `3.1`:

[source,sh]
----
{{#EvalMath}} round( {{{context.value}}} , 1) {{/EvalMath}}
----

[discrete]
[[parse-hjson-lambda]]
===== ParseHjson

The ParseHjson lambda provides ease-of-use capabilities when constructing JSON objects.
https://hjson.github.io/[Hjson] is a syntax extension to JSON. It has the following features:

- Missing and extra trailing commas are allowed in arrays and objects.
- Comments are supported.
- Property names can be specified without quotes.
- Property values can be specified without quotes (one per line and no commas).
- Multi-line strings have dedent support to remove the leading whitespace.
- Legal JSON documents are supported.

To use it, surround your Hjson content with `{{#ParseHjson}}...{{/ParseHjson}}`.
For example:
 
[source,sh]
----
{{#ParseHjson}}
{
  # add the rule id and name to the JSON document
  ruleId:   "{{rule.id}}"
  ruleName: "{{rule.name}}"
}
{{/ParseHjson}}
----

When rendered, this template will generate:
 
[source,json]
----
    {
      "ruleId": "<the rule id is here>",
      "ruleName": "<the rule name is here>"
    }
----

[discrete]
===== FormatDate

The FormatDate lambda provides date formatting capabilities.
Dates can be formatted in an arbitrary time zone and with an arbitrary format string.

To use it, surround the date and formatting parameters with `{{#FormatDate}}...{{/FormatDate}}`.

The format of the text passed to the lambda is: `<date>; <time zone>; <date format>`, where semicolons (`;`) separate each parameter.
The `<date>` parameter is required; the `<time zone>` and `<date format>` parameters are optional.
The default time zone is `"UTC"` and the default date format is `"YYYY-MM-DD hh:mma"`.
For example, the following templates all render the same value:
 
[source,sh]
----
    {{#FormatDate}} {{{timestamp}}} {{/FormatDate}}
    {{#FormatDate}} {{{timestamp}}} ; UTC {{/FormatDate}}
    {{#FormatDate}} {{{timestamp}}} ; UTC; YYYY-MM-DD hh:mma {{/FormatDate}}
    {{#FormatDate}} {{{timestamp}}} ; ; YYYY-MM-DD hh:mma {{/FormatDate}}
----

The `<time zone>` parameter must be a valid time zone identifier as listed in https://en.wikipedia.org/wiki/List_of_tz_database_time_zones[TZ database time zone names], such as `"America/New_York"`.

The `<date format>` parameter must be a valid date format string as described in the https://momentjs.com/docs/#/displaying/[Moment `format()` documentation].
For example, the date format `"YYYY-MM-DD hh:mma"` will render in the following format: `"2023-04-24 11:21pm"`.

The date value itself should usually be referenced with triple braces since some characters in date strings may contain values that are escaped, which would prevent them from being parsed as dates.

[discrete]
===== FormatNumber

The FormatNumber lambda provides number formatting capabilities using the https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Intl/NumberFormat[`Intl.NumberFormat` object].

Numbers can be formatted with the following `Intl.NumberFormat` options:

- `compactDisplay`
- `currencyDisplay`
- `currencySign`
- `notation`
- `signDisplay`
- `unitDisplay`
- `unit`
- `useGrouping` - but only values true and false
- `minimumIntegerDigits`
- `minimumFractionDigits`
- `maximumFractionDigits`
- `minimumSignificantDigits`
- `maximumSignificantDigits`

To use the lambda, surround the number and formatting options with `{{#FormatNumber}}...{{/FormatNumber}}`.

The format of the text passed to the lambda is: `<number>; <locales>; <options>`, where semicolons (`;`) separate each parameter.
The `<number>` parameter is required; it is the value to be formatted.
The `<locales>` and `<options>` parameters are optional, but the semicolons must be provided; the values may be empty strings.
The `<locales>` parameter is a list of locales separated by commas (`,`).
The `<options>` parameter is a list of key value pairs separated by commas (`,`).
The key value pairs are strings separated by colons (`:`) where the key is the name of the option and the value is the value of the option.
The default locale is `en-US` and no options are set by default.

For more information on locale strings, refer to https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Intl#locales_argument[the `locales` argument documentation from the `Intl` reference].

The options and values that can be used with them are listed under `options` in the https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Intl/NumberFormat/NumberFormat[Intl.NumberFormat() constructor documentation].

For example:

[source,sh]
----
    original value: {{{context.value.condition0}}}
    formatted value: {{#FormatNumber}}
        {{{context.value.condition0}}} ; de-DE ; style: currency, currency: EUR
    {{/FormatNumber}}
----

If the context variable `context.value.condition0` has a value of `628.4`, it results in the following text:

[source,sh]
----
    original value: 628.4
    formatted value: 628,40 €
----

The `{{FormatNumber}}` and `{{EvalMath}}` lambdas can be used together to perform calculations on numbers and then format them. For example:

[source,sh]
----
    original value: {{{context.value.condition0}}}
    formatted value: {{#FormatNumber}}
      {{#EvalMath}} {{context.value.condition0}} * 0.1 {{/EvalMath}}
      ; de-DE ; style: currency, currency: EUR
    {{/FormatNumber}}
----

If the context variable `context.value.condition0` has a value of `628.4`, it results in the following text:

[source,sh]
----
    original value: 628.4
    formatted value: 62,84 €
----

[discrete]
[[mustache-examples]]
=== Mustache examples

This example demonstrates a Mustache template for an email action sent from an {es} query rule.
The template references the following Mustache variables:

- `date`
- `context.title`
- `context.conditions`
- `context.link`
- `context.hits[]._source.event.provider`
- `context.hits[]._source.event.action`
- `context.hits[]._source.event.duration`

For example, if you have data like this available as Mustache variables:

[source,json]
----
{
  "date": "2023-04-27T22:40:34.153Z",
  "context": {
    "title": "rule 'esq' matched query for group host-2",
    "conditions": "Number of matching documents for group \"host-2\" is less than 1000",
    "link": "https://example.com/this-will-link-to-Discover",
    "hits": [
      {
        "_source": {
          "event": {
            "provider": "alerting",
            "action": "active-instance",
            "duration": "96023000000"
          }
        }
      },
      {
        "_source": {
          "@timestamp": "2023-04-27T22:40:22.251Z",
          "event": {
            "provider": "alerting",
            "action": "execute-action"
          }
        }
      }
    ]
  }
}
----

You can create the following Mustache template in the email action for your rule:

[source,js]
----
# {{context.title}} <1>

{{#FormatDate}} {{{date}}} ; America/New_York {{/FormatDate}} <2>

{{context.conditions}}

**documents** _[view in Discover]({{{context.link}}})_ <3>

| provider | action | duration | <4>
| -------- | ------ | -------- |
{{#context.hits}}{{#_source.event}}| {{provider}} | {{action}} | {{#duration}}{{#EvalMath}} round( {{{duration}}} / 1000 / 1000 / 1000 ) {{/EvalMath}} sec{{/duration}} {{^duration}}-n/a-{{/duration}} |{{/_source.event}}
{{/context.hits}}
----
<1> Renders the value of the `context.title` variable as a level 1 heading.
<2> Renders the value of the `date` variable as a formatted date in the America/New_York time zone.
<3> Shows examples of `**bold**`, `_italic_`, and `[text](url)` links.
<4> Shows a table with three columns, with one row per element in the `context.hits` array.
From each of those elements, you can access the `provider`, `action`, and `duration` fields of the `_source.event` object.
The `duration` field is rendered as a number of seconds, rounded to the nearest second.
It's stored as nanoseconds so it needs to be divided by a billion to yield seconds.
The duration field is optional, so you can use a `{{#duration}} ... {{/duration}}` section to render the duration if it's present and show `-n/a-` otherwise.

When rendered into Markdown and then HTML and viewed in an email client, it looks like this:

[role="screenshot"]
image:images/email-mustache-template-rendered.png[Email template rendered in an email client]