Per Document monitors Extraction query does not return any results.

[ashwini-jais93]

What is the bug? When creating per document alerting monitors, the extraction query editor does not return any results like so: We have custom queries that work with time ranges that cannot be replicated in the visual editor. Need help with this issue.

How can one reproduce the bug? Steps to reproduce the behavior:

1. Go to Alerting, create monitor.
2. Select per document monitor.
3. Select extraction query editor.
4. Write any query and run the monitor.
5. No records are returned. The screen does not change at all.

What is the expected behavior? Expectation is that the query will return all documents that match and will be displayed in the Extraction Query Response.

What is your host/environment?

• OS: Ubuntu 18.04.6 LTS
• Opensearch Version: 2.3.0
• Plugins: Alerting

Do you have any screenshots? If applicable, add screenshots to help explain your problem.

Do you have any additional context? Add any other context about the problem.

[divyankm]

+1

OS: Windows 10 Opensearch Version: 2.0.0 Plugins: Alerting

[divyankm]

Update from my side:

Extraction query in per documents monitor seems to be working, I guess I did some mistake in query. But seems to be discrepancy in extraction query output.

Snap:

[lezzago]

@ashwini-jais93, we support only query string query as queries for document level monitors.

I have updated the issue to ensure we update the documentation to make this clearer.

[gnom7]

@lezzago In my case even query string query cannot be run - nothing happens upon click on Run button. Also, I wonder if I can get document data in alert message similar to ctx.results.0.hits.hits in case of Per query monitor - Per Document monitor does seem to include only reference to finding and document (its ids). Is there any comprehensive documentation on ctx structure? I'm struggling to find any except for basic described here, which doesn't even mentions ctx.alerts, ctx.alerts also aren't described anywhere in the documentation unless I'm missing something.

Also are there any plans on providing alternative to mustache? I use log4j2 ootb EcsLayout.json schema for logs and it includes json keys with dots (e.g. {"log.logger": "%some_value%"}), so I cannot reference such fields in mustache unless I update/customize schema.