How to adjust Kibana Dashboard link in ElastAlert

Question

I have written the following rule

type: frequency

filter:
- query:
    query_string:
      query: "category:foo.bar AND msg._:*Failure*"

alert_text: "Total number of errors cross threshold..... <a href='{0}'>Kibana link</a>"
alert_text_args:
  - kibana_link
alert_text_type: alert_text_only

my config.yaml is

# Kibana Dashboard
use_kibana4_dashboard: http://mykibana.com/

When an alert is raised and I click on the hyperlink which I am putting in the message. It takes me to my dashboard.

But what I want is that instead of a dashboard it takes to the data discovery screen and there it issues the very same query that it had issued when the alert was raised.

This way I want to see exactly the query results which the elastalert had seen when the alert was raised.

score 1 · Accepted Answer · answered Jan 05 '17 at 20:19

Actually, I was able to solve this myself. I am writing my solution here.

So basically, I did the exact same search as my criteria above in kibana and saved that search. Next I created a dashboard and pulled the saved query into the dashboard.

Next I pointed the rule to the new dashboard which contains the saved query.

When the link is generated, the elastalert will create the link in a way the time period is injected into the hyperlink. When you click on the link you will see exactly what the alert saw.

Do you have sample? I want to pass query_key in kibana link – Al Francis Nov 13 '20 at 02:48 — Al Francis, Nov 13 '20 at 02:48

How to adjust Kibana Dashboard link in ElastAlert

1 Answers1