Issue with match_body fields

[masterplanx]

Hi team, having an issue with a specific field, I enabled the match_body from the es_mapping json, creating a custom docker. I just set "enabled" but now I have this issue. I have a simple alert that checks the HTTP status. Is monitoring with range filter, here is the alert

    name: HTTP HEALTHCHECK STATUS
    index: heartbeat-*
    type: any
    query_key: bucketID
    timeframe:
      minutes: 5
    filter:
    - range:
        http.response.status_code:
          from: 400
          to: 599
    alert:
    - "slack"
    slack:
    slack_webhook_url: "https://hooks.slack.com/services/XXXXXX/XXXXXXX/xxxxxssssxxxx"
    realert:
      minutes: 5

In the slack channel, I received the alerts for example with this message

error: {
   "message": "received status code 404 expecting [200]",
   "type": "validate"
}

That is ok, but I was using this field to generate visualizations match_body.error.message and I got the message.
But now, if want to check that on Kibana Discover, the field doesn't exist. I just have these fields:

If I check the document I only can see a few fields there, there is no information, one thing I noted is the index. is different is using elastalert_status.

I tried to enable the match_body in the elastalert_status.json file and tried to recreate the index, but It didn't work
Do you have any idea about how can I solve this? I tried a lot of things but I am out of ideas.

Thanks and regards

[nsano-rururu]

First of all, did you mention in the documentation that you can change the settings and move them? .. If you change it without it, you are at your own risk. You have to solve it yourself.

[nsano-rururu]

Is reindexing an operation that deletes the index of elastalert_ * once and executes elastalert again to recreate it? Other than that, if you just change the setting file and re-execute, it will not be recreated. It will be skipped.

[nsano-rururu]

I haven't seen the implementation, but I'm not sure if I change the settings and it works as expected. The implementation may also need to be modified.
https://elastalert2.readthedocs.io/en/latest/ruletypes.html#alert-content

[masterplanx]

@nsano-rururu Sorry, I was sick-off so I couldn't answer, I had to modify the index "elastalert.json" to enable the match_body because it is false by default and I needed to create a dashboard in Kibana to show the historical alerts, the issue was that from kibana for example, match_body.* fields appeared as Unknown Field, so you can't create any visualization.
for example, for the alert "HTTP HEALTHCHECK STATUS" we were using this field.

    filter:
    - query:
        query_string:
          query: "NOT http.response.status_code: 200"
          analyze_wildcard: true

This was creating a field object called match_body.error.message
And we used this to shown in Kibana dashboard. (this was created in the elastalert index in the mapping as error:{message: "blabla"})
But then we changed this for range, to get just the alert from status 400 to 599

    - range:
        http.response.status_code:
          from: 400
          to: 599

So, we lost the field, and for the print screen I sent, looks like this range is storing the field in another index "elastalert_status".
So, my question is, Do we have to enable the match_body there? (in elastalert_status.json) or there is another proper way to see and handle this kind of index?

Regards!

[jertel]

A screenshot showing the document (and all of its fields) in Kibana->Discover, where the source document ID matches the same event that triggered the alert in ElastAlert2, would be helpful for this discussion. And then include the screenshot of the ElastAlert2 event record in Kibana -> Discover, under the elastalert index, for the same source document.

[masterplanx]

Hi @jertel I mean, this document

As you can see the in the next screenshot, the index is elastalert

This field appears when I used this filter:

    filter:
    - query:
        query_string:
          query: "NOT http.response.status_code: 200"
          analyze_wildcard: true

If I use range value :
- range:
http.response.status_code:
from: 400
to: 599

I lost the match_body.error.message, and match_body.error.type fields

Does that make sense?

[jertel]

Unfortunately those screenshots do not show enough information. What I'm trying to determine is whether the source document ID matches the alert event match_body._id. Can you show this? I want to make sure the alert didn't trigger from an alternate document that doesn't have the error.message field.

[masterplanx]

@jertel thanks for the support, we decided not to use the elastalert index to have this information to make visualizations, so we revert to the original and official image and get focus only on the alerts.

Regards!