github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-06-27 18:51:07 -04:00
Code Issues Projects Releases Packages Wiki Activity
kibana/docs/user/alerting/action-variables.asciidoc

126 lines
5.4 KiB
Text
Raw Blame History

[[rule-action-variables]]
== Rule action variables
Alerting rules can use the https://mustache.github.io/[Mustache] template syntax
(`{{variable name}}`) to pass values when its actions run.
The available variables differ by rule type, however there are some common variables:
* <<general-rule-action-variables>>
* <<alert-summary-action-variables>>
* <<alert-action-variables>>
Some cases exist where the variable values will be "escaped" when used in a context where escaping is needed. For example:
- For the <<email-action-type,email connector>>, the `message` action configuration property escapes any characters that would be interpreted as Markdown.
- For the <<slack-action-type,Slack connector>>, the `message` action configuration property escapes any characters that would be interpreted as Slack Markdown.
- For the <<webhook-action-type,Webhook connector>>, the `body` action configuration property escapes any characters that are invalid in JSON string values.
Mustache also supports "triple braces" of the form `{{{variable name}}}`, which indicates no escaping should be done at all. Use this form with caution, since it could end up rendering the variable content such that the resulting parameter is invalid or formatted incorrectly.
[float]
[[general-rule-action-variables]]
=== General
All rule types pass the following variables:
`date`:: The date the rule scheduled the action, in ISO format.
`kibanaBaseUrl`:: The configured <<server-publicBaseUrl,`server.publicBaseUrl`>>. If not configured, this will be empty.
`rule.id`:: The ID of the rule.
`rule.name`:: The name of the rule.
`rule.spaceId`:: The ID of the space for the rule.
`rule.tags`:: The list of tags applied to the rule.
[float]
[role="child_attributes"]
[[alert-summary-action-variables]]
=== Action frequency: Summary of alerts
If the rule's action frequency is a summary of alerts, it passes the following variables:
`alerts.all.count`:: The count of all alerts.
`alerts.all.data`::
An array of objects for all alerts. The following object properties are examples; it is not a comprehensive list.
+
.Properties of the alerts.all.data objects
[%collapsible%open]
=====
//# tag::alerts-data[]
`kibana.alert.end`:: Datetime stamp of alert end. preview:[]
`kibana.alert.flapping`:: A flag on the alert that indicates whether the alert status is changing repeatedly. preview:[]
`kibana.alert.instance.id`:: ID of the source that generates the alert. preview:[]
`kibana.alert.reason`:: The reason of the alert (generated with the rule conditions). preview:[]
`kibana.alert.start`:: Datetime stamp of alert start. preview:[]
`kibana.alert.status`:: Alert status (for example, active or OK). preview:[]
//# end::alerts-data[]
=====
`alerts.new.count`:: The count of new alerts.
`alerts.new.data`::
An array of objects for new alerts. The following object properties are examples; it is not a comprehensive list.
+
.Properties of the alerts.new.data objects
[%collapsible]
=====
include::action-variables.asciidoc[tag=alerts-data]
=====
`alerts.ongoing.count`:: The count of ongoing alerts.
`alerts.ongoing.data`::
An array of objects for ongoing alerts. The following object properties are examples; it is not a comprehensive list.
+
.Properties of the alerts.ongoing.data objects
[%collapsible]
=====
include::action-variables.asciidoc[tag=alerts-data]
=====
`alerts.recovered.count`:: The count of recovered alerts.
`alerts.recovered.data`::
An array of objects for recovered alerts. The following object properties are examples; it is not a comprehensive list.
+
.Properties of the alerts.recovered.data objects
[%collapsible]
=====
include::action-variables.asciidoc[tag=alerts-data]
=====
[float]
[[alert-action-variables]]
=== Action frequency: For each alert
If the rule's action frequency is not a summary of alerts, it passes the following variables:
`alert.actionGroup`:: The ID of the action group of the alert that scheduled the action.
`alert.actionGroupName`:: The name of the action group of the alert that scheduled the action.
`alert.actionSubgroup`:: The action subgroup of the alert that scheduled the action.
`alert.flapping`:: A flag on the alert that indicates whether the alert status is changing repeatedly.
`alert.id`:: The ID of the alert that scheduled the action.
[float]
[[defining-rules-actions-variable-context]]
==== Context
If the rule's action frequency is not a summary of alerts, the rule defines additional variables as properties of the variable `context`. For example, if a rule type defines a variable `value`, it can be used in an action parameter as `{{context.value}}`.
For diagnostic or exploratory purposes, action variables whose values are objects, such as `context`, can be referenced directly as variables. The resulting value will be a JSON representation of the object. For example, if an action parameter includes `{{context}}`, it will expand to the JSON representation of all the variables and values provided by the rule type. To see alert-specific variables, use `{{.}}`.
For situations where your rule response returns arrays of data, you can loop through the `context`:
[source]
--------------------------------------------------
{{#context}}{{.}}{{/context}}
--------------------------------------------------
For example, looping through search result hits:
[source]
--------------------------------------------------
triggering data was:
{{#context.hits}} - {{_source.message}}
{{/context.hits}}
--------------------------------------------------
Reference in a new issue View git blame Copy permalink