Currently, I am using Elasticsearch to store the data, Kibana for the visualization and ElastAlert for raising the alerts.
Here is the working rule for the email alert, using the blacklist rule type:
name: email blacklist rule
type: blacklist
index: subjects
compare_key: subject
blacklist:
  - "Hindi"
alert:
  - "email"
email:
  - "example@gmail.com"
This rule works fine when I hardcode the email address in the rule.
Here is one of the docs in the Elasticsearch index:
{
"subject" : "Hindi",
"@timestamp" : "2020-08-19T12:23:00.000Z",
"mail_to" : "sample@gmail.com"
}
Now, is there any way to pick the email address from the doc and send the email to it?
I mean, instead of example@gmail.com, the mail should be sent to sample@gmail.com.
To send alerts to the mail address present in one of the fields of the doc that is going through the ElastAlert rules, we can use the inbuilt feature
email_from_field: "fields_that_consists_emailid"
Here is one of the docs in the index:
{
"subject" : "Hindi",
"@timestamp" : "2020-08-19T12:23:00.000Z",
"mail_to" : "sample@gmail.com"
}
Here is the working rule for it:
name: field value rule
type: blacklist
index: subjects
compare_key: subject
blacklist:
  - "Hindi"
alert:
  - "email"
email:
  - "example@gmail.com"
email_from_field: "mail_to"
In the above-mentioned rule, the email parameter is still required; it is used as the fallback in case there is no valid mail-id in the field named by email_from_field.
So, in the above-mentioned rule, the alert will be sent to sample@gmail.com.
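As an added illustration of the recipient fallback the answer describes, the following Python is a simplified stand-in for the lookup an ElastAlert email alerter does when a rule sets email_from_field. It is example code written here, not ElastAlert's own implementation or code from the question or answer. The rule keys email, email_from_field and email_add_domain are real ElastAlert options; the allowed_domains key, the lookup_es_key and resolve_recipients function names, and the sample documents are assumptions made for this example. It goes slightly beyond the page by also handling a dotted nested field path, a list-valued field, a bare user name completed with email_add_domain, and a domain allowlist, since the recipient is read from whatever was indexed and any writer to the index would otherwise be able to choose where alert mail goes.

```python
"""Recipient resolution for an ElastAlert-style email alert (added example).

A simplified re-implementation, not ElastAlert's code. ``email``,
``email_from_field`` and ``email_add_domain`` mirror real ElastAlert rule
options; ``allowed_domains`` is an ASSUMED extra guard that ElastAlert does
not provide, included to show where such a check would sit.
"""
from typing import Any, Dict, List, Optional


def lookup_es_key(doc: Dict[str, Any], key: str) -> Optional[Any]:
    """Walk a dotted path such as "mail.to" through nested dicts; None if absent."""
    value: Any = doc
    for part in key.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def resolve_recipients(rule: Dict[str, Any], match: Dict[str, Any]) -> List[str]:
    """Return the addresses an alert for ``match`` should be sent to.

    Precedence:
      1. value(s) found at rule['email_from_field'] in the matched document,
         with rule['email_add_domain'] appended to bare user names;
      2. otherwise the static rule['email'] list, which ElastAlert requires
         precisely so that this fallback always exists.
    Values that do not look like an address, or whose domain is outside the
    assumed ``allowed_domains`` list, are dropped so the fallback applies.
    """
    email = rule["email"]
    fallback = email if isinstance(email, list) else [email]
    field = rule.get("email_from_field")
    if not field:
        return fallback

    raw = lookup_es_key(match, field)
    candidates = raw if isinstance(raw, list) else ([raw] if raw is not None else [])
    allowed = rule.get("allowed_domains")  # assumed option, not in ElastAlert

    recipients: List[str] = []
    for candidate in candidates:
        if not isinstance(candidate, str) or not candidate.strip():
            continue
        addr = candidate.strip()
        if "@" not in addr:
            # Bare user name: only usable if the rule supplies a domain suffix.
            if "email_add_domain" not in rule:
                continue
            addr = addr + rule["email_add_domain"]
        local, _, domain = addr.rpartition("@")
        if not local or not domain or " " in addr:
            continue
        if allowed is not None and domain.lower() not in allowed:
            continue
        recipients.append(addr)
    return recipients or fallback


# Constructed sample rule and documents, modelled on the ones in the question.
RULE = {"email": ["example@gmail.com"], "email_from_field": "mail_to"}
DOC_WITH_FIELD = {"subject": "Hindi", "@timestamp": "2020-08-19T12:23:00.000Z",
                  "mail_to": "sample@gmail.com"}
DOC_WITHOUT_FIELD = {"subject": "Hindi", "@timestamp": "2020-08-19T12:23:00.000Z"}


def demo() -> Dict[str, List[str]]:
    """Run the resolver over the sample documents and return the routing table."""
    return {
        "field present": resolve_recipients(RULE, DOC_WITH_FIELD),
        "field missing": resolve_recipients(RULE, DOC_WITHOUT_FIELD),
    }


if __name__ == "__main__":
    for label, recipients in demo().items():
        print(f"{label}: {recipients}")
```

With the rule from the answer, a document carrying mail_to goes to that address and a document without it falls back to the static email list; that is the behaviour the answer relies on. The allowed_domains guard is not an ElastAlert setting, so in a real deployment the equivalent control is restricting who can write to the index the rule reads.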