I have created a Rule (Elasticsearch query) into Stack Management > Rules
Select an index and time field
INDEX operations*
Define your query using Query DSL
{
  "query": {
    "regexp": {
      "o": "user-input"
    }
  }
}
Set the threshold and time window
IS ABOVE 64
FOR THE LAST 15 minutes
Set the number of documents to send
SIZE 0
Test Query deliver...
Query matched 30 documents in the last 15m.
My connector is a custom web service to send messages to telegram.
Those are my templates.
Template: When Query matched
name: {{rule.name}}
status: CRITICAL
date: {{context.date}}
link: {{context.link}}
hits: {{context.hits}}
Template: When recovered
name: {{rule.name}}
status: OK
date: {{context.date}}
link: {{context.link}}
hits: {{context.hits}}
The result as I can see it on Telegram
name: user-input
status: OK
date: 2023-02-21T08:52:02.958Z
link: https://my-elasticsearch:9243/app/management/insightsAndAlerting/triggersActions/rule/**************
hits:
Executing the query by hand, without a date range, I get this:
{
  "took": 96,
  "timed_out": false,
  "_shards": {
    "total": 215,
    "successful": 215,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 10000,
      "relation": "gte"
    },
    "max_score": null,
    "hits": []
  }
}
Since I have size 0, I don't get real hits, but I do get the total number of hits.
I have been reading this without success.
What is the proper way to get the total number of hits and show it in my templates?
The solution is {{context.value}}:
name: {{rule.name}}
status: OK
date: {{context.date}}
link: {{context.link}}
hits: {{context.value}}
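As an added illustration (not code from the thread or from Elastic), the following Python reproduces what the rule and its action template are doing: a size-0 search returns no documents, so the alert's {{context.hits}} renders empty while the match count is what lands in {{context.value}}. It also shows the caveat visible in the response above: "value": 10000 with "relation": "gte" means the total is a lower bound, because Elasticsearch stops counting at 10000 unless track_total_hits is set. The time field name (@timestamp) and the threshold are assumptions; the response below is constructed to mirror the shape posted in the question.

```python
import re

# Constructed response, shaped like the size-0 search shown in the question.
SAMPLE_RESPONSE = {
    "took": 96,
    "timed_out": False,
    "_shards": {"total": 215, "successful": 215, "skipped": 0, "failed": 0},
    "hits": {
        "total": {"value": 10000, "relation": "gte"},
        "max_score": None,
        "hits": [],
    },
}


def build_count_query(field, pattern, minutes, time_field="@timestamp"):
    """Search body that only needs the match count for the last N minutes.

    size 0 drops the documents; track_total_hits makes hits.total exact
    instead of being capped at 10000 (the 'gte' relation seen in the post).
    time_field is an assumption; use the rule's configured time field.
    """
    return {
        "size": 0,
        "track_total_hits": True,
        "query": {
            "bool": {
                "filter": [
                    {"regexp": {field: pattern}},
                    {"range": {time_field: {"gte": f"now-{minutes}m"}}},
                ]
            }
        },
    }


def total_hits(response):
    """Return (count, exact) from hits.total.

    Newer responses carry {"value": n, "relation": "eq"|"gte"}; the
    pre-7.0 shape is a bare integer, which is always exact.
    """
    total = response["hits"]["total"]
    if isinstance(total, int):
        return total, True
    return total["value"], total["relation"] == "eq"


def evaluate(response, threshold):
    """Mirror the rule condition 'IS ABOVE <threshold>'."""
    count, _ = total_hits(response)
    return "CRITICAL" if count > threshold else "OK"


def render_template(template, variables):
    """Minimal Mustache-style substitution of {{a.b}} from a nested dict.

    An unknown or empty variable renders as an empty string, which is why
    {{context.hits}} came out blank when the rule ran with size 0.
    """
    def lookup(match):
        cur = variables
        for part in match.group(1).split("."):
            if not isinstance(cur, dict) or part not in cur:
                return ""
            cur = cur[part]
        return "" if cur in (None, [], {}) else str(cur)

    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}", lookup, template)


def build_alert_message(rule_name, response, threshold, template):
    """Assemble the variables an action template sees and render it."""
    count, exact = total_hits(response)
    variables = {
        "rule": {"name": rule_name},
        "context": {
            "value": count,
            "hits": response["hits"]["hits"],  # empty for size 0
            "exact": exact,
        },
        "status": evaluate(response, threshold),
    }
    return render_template(template, variables)


TEMPLATE = (
    "name: {{rule.name}}\nstatus: {{status}}\n"
    "hits: {{context.value}}{{#x}}{{/x}}\nexact: {{context.exact}}"
)

if __name__ == "__main__":
    print(build_alert_message("user-input", SAMPLE_RESPONSE, 64, TEMPLATE))
```

If the rendered count reads 10000 with exact False, the real number of matching documents is at least that; add "track_total_hits": true to the rule's query (as build_count_query does) when the exact figure matters for the threshold.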