I have written the following rule:
type: frequency
filter:
- query:
    query_string:
      query: "category:foo.bar AND msg._:*Failure*"
alert_text: "Total number of errors cross threshold..... <a href='{0}'>Kibana link</a>"
alert_text_args:
- kibana_link
alert_text_type: alert_text_only
My config.yaml is:
# Kibana Dashboard
use_kibana4_dashboard: http://mykibana.com/
When an alert is raised and I click on the hyperlink which I am putting in the message, it takes me to my dashboard.
But what I want is that instead of a dashboard it takes me to the data discovery screen and there issues the very same query that was issued when the alert was raised.
This way I want to see exactly the query results that ElastAlert had seen when the alert was raised.
Actually, I was able to solve this myself. I am writing my solution here.
So basically, I did the exact same search as my criteria above in Kibana and saved that search. Next I created a dashboard and pulled the saved query into the dashboard.
Next I pointed the rule to the new dashboard which contains the saved query.
When the link is generated, ElastAlert will create the link in a way that the time period is injected into the hyperlink. When you click on the link you will see exactly what the alert saw.
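For reference, here is what the complete rule file looks like once the answer's approach is applied. This is an added example, not the asker's rule or ElastAlert's own code: the rule name, index pattern, thresholds, dashboard path and e-mail address are placeholders, and the dashboard option is shown inside the rule file next to the other options (keep it wherever your ElastAlert version reads it). The filter query and the kibana_link argument are the ones from the question.

```yaml
# Added example (not the asker's rule): a complete ElastAlert frequency rule
# following the answer's approach. Placeholder values: name, index, thresholds,
# the dashboard path and the e-mail address.
name: foo-bar-failure-spike
type: frequency
index: logstash-*
num_events: 50          # fire when 50 matching documents appear ...
timeframe:
  minutes: 5            # ... within any 5-minute window

# Same query that was saved as a search in Kibana and placed on the dashboard.
filter:
- query:
    query_string:
      query: "category:foo.bar AND msg._:*Failure*"

# Dashboard that embeds the saved search. ElastAlert injects the time range
# of the matched events into this URL and exposes it to the alert text
# as the kibana_link argument.
use_kibana4_dashboard: "http://mykibana.com/app/kibana#/dashboard/foo-bar-failures"

alert_text_type: alert_text_only
alert_text: "Total number of errors crossed threshold: <a href='{0}'>Kibana link</a>"
alert_text_args:
- kibana_link

alert:
- email
email:
- "oncall@example.com"
```

Because the dashboard's saved search carries the same query as the rule's filter and the link carries the alert's time window, following the link reproduces the exact set of documents the rule matched, which is the behaviour the answer describes.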