## Summary

The custom and metric threshold rules have an issue with adding additional context when the data is ingested as `host.hostname: 'host1'` instead of `host: { hostname: 'host1' }`. The log threshold rule does not have such an issue, and we need to verify this issue for other rules that have additional context.

Here is the log for these 2 cases: (code)
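To make the two ingest shapes concrete, here is an added example (not Kibana's code, and not the rule implementation this issue is about) that reads context fields from a document `_source`. Elasticsearch indexes `{"host.hostname": "host1"}` and `{"host": {"hostname": "host1"}}` identically, but application code that walks `_source` as a plain object sees two different structures. `naiveGet` shows the lookup that only walks nested objects and therefore loses all context on the dotted shape; `resolveField` is a shape-agnostic lookup that also handles mixed documents such as `{"host": {"os.name": "linux"}}`. The function names, the sample documents and the `CONTEXT_FIELDS` list are all constructed for this example.

```javascript
// Added example, not Kibana's code: resolve an ECS-style field path such as
// "host.hostname" against a document _source regardless of whether the
// ingest pipeline wrote it as a dotted key {"host.hostname": "host1"} or as
// a nested object {"host": {"hostname": "host1"}}.

// Naive lookup: only walks nested objects. On a dotted-key document every
// path resolves to undefined, so no additional context reaches the alert.
function naiveGet(source, path) {
  let cur = source;
  for (const part of path.split('.')) {
    if (cur === null || typeof cur !== 'object') return undefined;
    cur = cur[part];
  }
  return cur;
}

// Shape-agnostic lookup: at each level, try every prefix of the remaining
// path as a literal (possibly dotted) key, longest first, then recurse on
// the rest. Handles fully dotted, fully nested and mixed documents.
function resolveField(source, path) {
  const parts = Array.isArray(path) ? path : path.split('.');
  if (parts.length === 0) return source;
  if (source === null || typeof source !== 'object') return undefined;
  for (let i = parts.length; i >= 1; i--) {
    const key = parts.slice(0, i).join('.');
    if (Object.prototype.hasOwnProperty.call(source, key)) {
      const value = resolveField(source[key], parts.slice(i));
      if (value !== undefined) return value;
    }
  }
  return undefined;
}

// Build the "additional context" map a rule would attach to an alert:
// one entry per requested field, only for fields actually present.
function buildAlertContext(source, fieldNames, lookup = resolveField) {
  const context = {};
  for (const name of fieldNames) {
    const value = lookup(source, name);
    if (value !== undefined) context[name] = value;
  }
  return context;
}

// Constructed sample documents: the same event in the two ingest shapes
// from the issue, plus a mixed shape (nested object containing a dotted key).
const dottedDoc = { 'host.hostname': 'host1', 'host.name': 'host1', 'cloud.provider': 'aws' };
const nestedDoc = { host: { hostname: 'host1', name: 'host1' }, cloud: { provider: 'aws' } };
const mixedDoc = { host: { hostname: 'host1', 'os.name': 'linux' } };

// Fields a rule might copy into the alert document (constructed list).
const CONTEXT_FIELDS = ['host.hostname', 'host.name', 'cloud.provider', 'host.os.name'];

// Runs both lookups over the sample documents and returns the contexts
// each one would produce, so the difference can be inspected or asserted.
function demo() {
  return {
    naiveDotted: buildAlertContext(dottedDoc, CONTEXT_FIELDS, naiveGet),
    naiveNested: buildAlertContext(nestedDoc, CONTEXT_FIELDS, naiveGet),
    resolvedDotted: buildAlertContext(dottedDoc, CONTEXT_FIELDS),
    resolvedNested: buildAlertContext(nestedDoc, CONTEXT_FIELDS),
    resolvedMixed: buildAlertContext(mixedDoc, CONTEXT_FIELDS),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

With the naive lookup the dotted document yields an empty context while the nested one yields three fields; with `resolveField` both documents yield the same context, which is the behaviour the reproduction steps below expect from the rule. Trying the longest dotted prefix first matters for the mixed shape, where `host` is a real object but `os.name` inside it is a single key.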
## How to reproduce?

Follow these steps (slack for more info):

1. Create an index.
2. Ingest some data with the following format:
3. Create a rule that triggers an alert based on this data and group by `host.hostname`.
4. Check the alert document: you should not be able to see `host.name` in the AAD document.

## Acceptance criteria
Thanks @bsturg for reporting this!