Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

How to access attach_related field?

See original GitHub issue

Near the end of the documentation for the Frequency alert type, there is an option called attach_related which states:

attach_related: Will attach all the related events to the event that triggered the frequency alert. For example in an alert triggered with num_events: 3, the 3rd event will trigger the alert on itself and add the other 2 events in a key named related_events that can be accessed in the alerter.

How do we access the “related_events” key in our alerter (right now we are focusing on slack alerts). Specifically, if I would like to display a list of all values of a specific field from all events that triggered the alert, is there a way to do that??

Issue Analytics

State:
Created 7 years ago
Comments:12 (2 by maintainers)

Top GitHub Comments

3reactions

jocoolercommented, Oct 24, 2018

Thanks so much for the quick reply Qmando. This format ended up working for me was:

{argument#[index][property]}

Like this:

alert_text: "<h3>Notification for {2}</h3><h4>{1}</h4><p>Triggering events ({5} total): <ul><li>{3}: {4}</li><li>{6[1][beat][hostname]}: {6[1][metricset][module]}</li><li>{6[2][beat][hostname]}: {6[2][metricset][module]}</li></ul></p><p>For complete information, consult the <a href='{0}'>Dashboard</a>.</p>"
alert_text_args:
  - kibana_link
  - description
  - name
  - beat.hostname 
  - metricset.module
  - num_matches
  - related_events

If I may suggest, since there are a few threads like this floating around, the documentation for how to access that string be added to the attach_related docs.

0reactions

rashmichoudhary07commented, Apr 30, 2020

@jocooler Also, i just noticed on a few checks that my related event is only holding one document data irrespective of query hits being >3. Why would that happen? PFB my rule file for reference.

type: frequency num_events: 2 timeframe: minutes: 30 index: elk_test2 filter:

term: log_json.response.statusCode: “404” attach_related: true alert:
- command

command: “echo %(@timestamp)s %(log_json.transaction.conversationId)s {related_events[0][log_json][transaction][conversationId]} {related_events[1][log_json][transaction][conversationId]} {related_events[2][log_json][transaction][conversationId]}>> path_to_file/command_alert.log”

Can’t figure out why!