Open parkertimmins opened 1 month ago
Pinging @elastic/response-ops (Team:ResponseOps)
I don't think this kind of processing is going to be possible. First, there is currently no "general" message field in connectors. Second, an empty string may be valid or invalid across different connectors.
From other discussions, it was mentioned that we could add some kind of filtering on data in the summary alerts, like we do for non-summary alerts with if alert matches a query. I'm expecting an issue to get opened on that ...
That makes sense that this won't work for the describe reasons ... also, it's kind of a hacky solution. But yes, https://github.com/elastic/kibana/issues/198161 will solve this problem in a better way. I'll go ahead and close this ticket.
When using summary alerts, it is useful to not emit actions if there are only ongoing alerts. Ongoing alerts can be filtered out using the "If alert matches a query" feature, but doing so will lead to a second problem: if we wish to alert "All recovered" when there are no remaining new or ongoing alerts, we cannot filter out the ongoing alerts using a query, as this can give the incorrect impression that there are no ongoing alerts. A solution is to instead use conditional logic in the message's template to return an empty message if there are no new alerts. If actions with empty messages are not sent to the connector, this provides a way to not alert if there are only ongoing alerts.
For example, the following message template is a use case. It would return an empty string if there are only ongoing alerts. If there are new alerts, it will print the new alerts. If there are no new or ongoing alerts, it will print "All recovered":