How to attach the query results to email alert with elastalert2?

[rameshar16]

Hi,

Please let me know how to attach the query results to email alert with elastalert2.

Thanks and Regards,
Ramesh

[jertel]

https://elastalert2.readthedocs.io/en/latest/ruletypes.html#alert-content

[nsano-rururu]

@rameshar16

Does that mean you don't understand after looking at the following?

email setting document
https://elastalert2.readthedocs.io/en/latest/ruletypes.html#email

example
https://github.com/jertel/elastalert2/tree/master/examples/rules

[nsano-rururu]

@rameshar16

example

"xxxx" in the email address part is not the value actually set.
Please set the correct value when actually setting.

name: a
type: frequency
alert:
  - email
alert_subject: a
alert_subject_args: []
alert_text: b
alert_text_args: []
email:
  - xxxx@gmail.com
filter:
  - query:
      query_string:
        query: 'message:Quit'
from_addr: xxxx@yahoo.co.jp
smtp_host: 'smtp.mail.yahoo.co.jp'
smtp_port: 465 
smtp_ssl: true
smtp_auth_file: '/opt/elastalert/pass/smtp_auth_user.yaml'
index: mariadblog-*
is_enabled: true
num_events: 1
realert:
  minutes: 1
terms_size: 50
timeframe:
  minutes: 1
timestamp_field: '@timestamp'
timestamp_type: iso
use_strftime_index: false

"xxxx" in the email address and password part is not the value actually set
Please set the correct value when actually setting.

/opt/elastalert/pass/smtp_auth_user.yaml

user: 'xxxx@yahoo.co.jp'
password: 'xxxx' 

[nsano-rururu]

@rameshar16

There is a bug that does not work properly when the address of microsoft 365 is specified for from_addr. Please be careful.
This is a bug from Yelp/elastalert.

[nsano-rururu]

@rameshar16

If you want to specify the gmail address in from_addr, you need to change the following settings.

Google account in advance → Apps that can access the account → Allow less secure apps: Disabled → Enabled
When I specified the Gmail address with from_addr and checked the operation, the problem

The difference in the settings related to gmail in the previous sample is as follows.

When using 587 for smtp_port

from_addr: xxxx@gmail.com
smtp_host: 'smtp.gmail.com'
smtp_port: 587
smtp_auth_file: '/opt/elastalert/pass/smtp_auth_user.yaml'

When using 465 for smtp_port

from_addr: xxxx@gmail.com
smtp_host: 'smtp.gmail.com'
smtp_port: 465
smtp_ssl: true
smtp_auth_file: '/opt/elastalert/pass/smtp_auth_user.yaml'

"xxxx" in the email address and password part is not the value actually set
Please set the correct value when actually setting.

/opt/elastalert/pass/smtp_auth_user.yaml

user: 'xxxx@gmail.com'
password: 'xxxx' 

[nsano-rururu]

@rameshar16

supplement

If the port is 465, describe smtp_ssl: true. If the port is 587, smtp_ssl: true should not be mentioned.

[rameshar16]

Hi All,

Thank you for all your help on this.

I am receiving the email alerts but, I am getting the below data only instead of the entire query results.

@timestamp: 2021-07-31T18:20:45.220612Z
num_hits: 2748170
num_matches: 2

Thanks and Regards,
Ramesh

[nsano-rururu]

@rameshar16

You mean you haven't read @jertel answer, right?
https://elastalert2.readthedocs.io/en/latest/ruletypes.html#alert-content

As stated below, the default behavior is as follows.

By default:

body                = rule_name

                      [alert_text]

                      ruletype_text

                      {top_counts}

                      {field_values}

If you want only what you want to output, you need to do something like the following example.

alert_text: "Something happened with {0} at {1}"
alert_text_type: alert_text_only
alert_text_args: ["username", "@timestamp"]