Rule action variables | Kibana Guide [8.7]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› ›

« Tracking containment Troubleshooting and limitations »

Rule action variablesedit

Alerting rules can use the Mustache template syntax ({{variable name}}) to pass values when its actions run.

The available variables differ by rule type, however there are some common variables:

Some cases exist where the variable values will be "escaped" when used in a context where escaping is needed. For example:

For the email connector, the message action configuration property escapes any characters that would be interpreted as Markdown.
For the Slack connector, the message action configuration property escapes any characters that would be interpreted as Slack Markdown.
For the Webhook connector, the body action configuration property escapes any characters that are invalid in JSON string values.

Mustache also supports "triple braces" of the form {{{variable name}}}, which indicates no escaping should be done at all. Use this form with caution, since it could end up rendering the variable content such that the resulting parameter is invalid or formatted incorrectly.

Generaledit

All rule types pass the following variables:

date: The date the rule scheduled the action, in ISO format.
kibanaBaseUrl: The configured server.publicBaseUrl. If not configured, this will be empty.
rule.id: The ID of the rule.
rule.name: The name of the rule.
rule.spaceId: The ID of the space for the rule.
rule.tags: The list of tags applied to the rule.

Action frequency: Summary of alertsedit

If the rule’s action frequency is a summary of alerts, it passes the following variables:

alerts.all.count

The count of all alerts.

alerts.all.data

An array of objects for all alerts. The following object properties are examples; it is not a comprehensive list.

Properties of the alerts.all.data objects

kibana.alert.end: Datetime stamp of alert end. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.flapping: A flag on the alert that indicates whether the alert status is changing repeatedly. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.instance.id: ID of the source that generates the alert. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.reason: The reason of the alert (generated with the rule conditions). [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.start: Datetime stamp of alert start. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.status: Alert status (for example, active or OK). [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

alerts.new.count

The count of new alerts.

alerts.new.data

An array of objects for new alerts. The following object properties are examples; it is not a comprehensive list.

Properties of the alerts.new.data objects

kibana.alert.end: Datetime stamp of alert end. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.flapping: A flag on the alert that indicates whether the alert status is changing repeatedly. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.instance.id: ID of the source that generates the alert. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.reason: The reason of the alert (generated with the rule conditions). [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.start: Datetime stamp of alert start. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.status: Alert status (for example, active or OK). [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

alerts.ongoing.count

The count of ongoing alerts.

alerts.ongoing.data

An array of objects for ongoing alerts. The following object properties are examples; it is not a comprehensive list.

Properties of the alerts.ongoing.data objects

kibana.alert.end: Datetime stamp of alert end. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.flapping: A flag on the alert that indicates whether the alert status is changing repeatedly. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.instance.id: ID of the source that generates the alert. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.reason: The reason of the alert (generated with the rule conditions). [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.start: Datetime stamp of alert start. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.status: Alert status (for example, active or OK). [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

alerts.recovered.count

The count of recovered alerts.

alerts.recovered.data

An array of objects for recovered alerts. The following object properties are examples; it is not a comprehensive list.

Properties of the alerts.recovered.data objects

kibana.alert.end: Datetime stamp of alert end. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.flapping: A flag on the alert that indicates whether the alert status is changing repeatedly. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.instance.id: ID of the source that generates the alert. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.reason: The reason of the alert (generated with the rule conditions). [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.start: Datetime stamp of alert start. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
kibana.alert.status: Alert status (for example, active or OK). [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Action frequency: For each alertedit

If the rule’s action frequency is not a summary of alerts, it passes the following variables:

alert.actionGroup: The ID of the action group of the alert that scheduled the action.
alert.actionGroupName: The name of the action group of the alert that scheduled the action.
alert.actionSubgroup: The action subgroup of the alert that scheduled the action.
alert.flapping: A flag on the alert that indicates whether the alert status is changing repeatedly.
alert.id: The ID of the alert that scheduled the action.

Contextedit

If the rule’s action frequency is not a summary of alerts, the rule defines additional variables as properties of the variable context. For example, if a rule type defines a variable value, it can be used in an action parameter as {{context.value}}.

For diagnostic or exploratory purposes, action variables whose values are objects, such as context, can be referenced directly as variables. The resulting value will be a JSON representation of the object. For example, if an action parameter includes {{context}}, it will expand to the JSON representation of all the variables and values provided by the rule type. To see alert-specific variables, use {{.}}.

For situations where your rule response returns arrays of data, you can loop through the context:

{{#context}}{{.}}{{/context}}

For example, looping through search result hits:

triggering data was:
{{#context.hits}} - {{_source.message}}
{{/context.hits}}

« Tracking containment Troubleshooting and limitations »