Using extracted fields in Opsgenie alert with Cardinality rule

[rschirin]

Hey there,
I was trying to use in a Cardinality rule the Opsgenie alert. While for Frequency rule I didn't face any problem, in this case I cannot use the fields (i.e. {observer[geo][region]}) into the opsgenie_message or description field.

The alert is triggered but is stopped by an error like below:

{
        "_index" : "elastalert_status_error",
        "_type" : "_doc",
        "_id" : "hQN6AH0BFe0Dp916uGm8",
        "_score" : 1.0,
        "_source" : {
          "message" : "Uncaught exception running rule Heartbeat instances check status: 'observer'",
          "traceback" : [
            "Traceback (most recent call last):",
            """  File "/usr/local/lib/python3.10/site-packages/elastalert/elastalert.py", line 1538, in alert""",
            "    return self.send_alert(matches, rule, alert_time=alert_time, retried=retried)",
            """  File "/usr/local/lib/python3.10/site-packages/elastalert/elastalert.py", line 1633, in send_alert""",
            "    alert.alert(matches)",
            """  File "/usr/local/lib/python3.10/site-packages/elastalert/alerters/opsgenie.py", line 70, in alert""",
            "    self.message = self.custom_message.format(**matches[0])",
            "KeyError: 'observer'"
          ],
          "data" : {
            "rule" : "Heartbeat instances check status"
          },
          "@timestamp" : "2021-11-08T16:56:22.458256Z"
        }
      }

I set the opsgenie_message: "ElastAlert: Heartbeat instance down {observer[geo][city_name]}"

[jertel]

I don't use cardinality rules myself, so I could be wrong, but I don't think you can do what you're attempting.

Cardinality is matching on the uniqueness of a field's values. Suppose you created an alert for when field "host" has less than two unique values over the past 5 minutes. Then in the 5 minute window, no events were logged. That should trigger the alert, correct? But then since there are no events, how is ElastAlert going to give your alerter an arbitrary field value, such as your observer[geo][region] field? It can't because there was no event in the first place.

[rschirin]

Your thought is right so I use cardinality to know if, for instance, an heartbeat instance is not collecting data anymore.
So, if I set less than 2 docs within the last 5 minutes, it will compare the time frame before. I mean, generated alert without any custom opsgenie_description will have configured query_key into it. It is really strange, I know, but it works. So... I would like to use that query_key to know which instance of Heartbeat is not working anymore.
Probably I could use another method.... I don't know... :(