Rule action variables

Alerting rules can use the Mustache template syntax (`{{variable name}}`) to pass values when their actions run.

The available variables differ by rule type; however, there are some common variables.

In some cases the variable values are "escaped" when they are used in a context where escaping is needed. For example:

- For the email connector, the `message` action configuration property escapes any characters that would be interpreted as Markdown.
- For the Slack connector, the `message` action configuration property escapes any characters that would be interpreted as Slack Markdown.
- For the Webhook connector, the `body` action configuration property escapes any characters that are invalid in JSON string values.

Mustache also supports "triple braces" of the form `{{{variable name}}}`, which indicates that no escaping should be done at all. Use this form with caution, since it can render the variable content such that the resulting parameter is invalid or formatted incorrectly (for example, a value containing quotes or newlines inserted unescaped into a Webhook JSON body).
General

All rule types pass the following variables:

- `date`: The date the rule scheduled the action, in ISO format.
- `kibanaBaseUrl`: The configured `server.publicBaseUrl`. If it is not configured, this is empty.
- `rule.id`: The ID of the rule.
- `rule.name`: The name of the rule.
- `rule.spaceId`: The ID of the space for the rule.
- `rule.tags`: The list of tags applied to the rule.
Action frequency: Summary of alerts

If the rule’s action frequency is a summary of alerts, it passes the following variables:

- `alerts.all.count`: The count of all alerts.
- `alerts.all.data`: An array of objects for all alerts.
- `alerts.new.count`: The count of new alerts.
- `alerts.new.data`: An array of objects for new alerts.
- `alerts.ongoing.count`: The count of ongoing alerts.
- `alerts.ongoing.data`: An array of objects for ongoing alerts.
- `alerts.recovered.count`: The count of recovered alerts.
- `alerts.recovered.data`: An array of objects for recovered alerts.

Properties of the `alerts.all.data`, `alerts.new.data`, `alerts.ongoing.data`, and `alerts.recovered.data` objects

The objects in all four arrays carry the same properties. The following properties are examples; it is not a comprehensive list. Each of them is marked [preview]: this functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

- `kibana.alert.end`: Datetime stamp of alert end. [preview]
- `kibana.alert.flapping`: A flag on the alert that indicates whether the alert status is changing repeatedly. [preview]
- `kibana.alert.instance.id`: ID of the source that generates the alert. [preview]
- `kibana.alert.reason`: The reason for the alert (generated from the rule conditions). [preview]
- `kibana.alert.start`: Datetime stamp of alert start. [preview]
- `kibana.alert.status`: Alert status (for example, active or OK). [preview]
Action frequency: For each alert

If the rule’s action frequency is not a summary of alerts, it passes the following variables:

- `alert.actionGroup`: The ID of the action group of the alert that scheduled the action.
- `alert.actionGroupName`: The name of the action group of the alert that scheduled the action.
- `alert.actionSubgroup`: The action subgroup of the alert that scheduled the action.
- `alert.flapping`: A flag on the alert that indicates whether the alert status is changing repeatedly.
- `alert.id`: The ID of the alert that scheduled the action.
Context

If the rule’s action frequency is not a summary of alerts, the rule defines additional variables as properties of the variable `context`. For example, if a rule type defines a variable `value`, it can be used in an action parameter as `{{context.value}}`.

For diagnostic or exploratory purposes, action variables whose values are objects, such as `context`, can be referenced directly as variables. The resulting value is a JSON representation of the object. For example, if an action parameter includes `{{context}}`, it expands to the JSON representation of all the variables and values provided by the rule type. To see alert-specific variables, use `{{.}}`.

For situations where your rule response returns arrays of data, you can loop through the `context`:

`{{#context}}{{.}}{{/context}}`

For example, looping through search result hits:

`triggering data was: {{#context.hits}} - {{_source.message}} {{/context.hits}}`
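The following is an added example, not Kibana's own code: a minimal Mustache-style renderer that models the three behaviours this page describes, escaping of `{{var}}` according to the connector (here the Webhook `body` case, where values are escaped for JSON string values), unescaped `{{{var}}}`, and the `{{#context.hits}}` loop from the example above. The `sampleContext` data, the `Disk watcher` rule name and the `demo` function are constructed for the illustration; the renderer does not model Mustache's context stack.

```javascript
// Added example, not Kibana's code: a minimal Mustache-style renderer covering
// {{var}} (escaped per connector), {{{var}}} (raw) and {{#path}}...{{/path}} sections.
function lookup(ctx, path) {
  if (path === '.') return ctx;
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), ctx);
}
// Escaper for a value placed inside a JSON string (the Webhook connector `body` case).
function escapeJson(value) {
  return JSON.stringify(String(value)).slice(1, -1);
}
// One pass over the template; replacement text is never re-scanned.
const TOKEN = /\{\{#([\w.]+)\}\}([\s\S]*?)\{\{\/\1\}\}|\{\{\{([\w.]+)\}\}\}|\{\{([\w.]+)\}\}/g;

function render(template, ctx, escape = escapeJson) {
  return template.replace(TOKEN, (_, secPath, inner, rawPath, escPath) => {
    if (secPath !== undefined) {
      // Sections iterate arrays; a truthy non-array value renders the body once.
      const v = lookup(ctx, secPath);
      if (!v) return '';
      const items = Array.isArray(v) ? v : [v];
      return items.map((item) => render(inner, item, escape)).join('');
    }
    if (rawPath !== undefined) return String(lookup(ctx, rawPath) ?? ''); // triple braces: raw
    return escape(lookup(ctx, escPath) ?? '');                             // double braces: escaped
  });
}
// Constructed sample data (not from the page): a context value containing
// characters that must be escaped inside a JSON string.
const sampleContext = {
  rule: { name: 'Disk watcher' },
  context: {
    value: 'Disk usage is 95% on host "db-01"\nInvestigate.',
    hits: [
      { _source: { message: 'login failed for user "root"' } },
      { _source: { message: 'login failed for user "admin"' } },
    ],
  },
};
function isValidJson(s) { try { JSON.parse(s); return true; } catch { return false; } }

// A Webhook body with double braces stays valid JSON; the triple-brace form does not.
function demo() {
  const safe = render('{"rule":"{{rule.name}}","reason":"{{context.value}}"}', sampleContext);
  const raw = render('{"rule":"{{rule.name}}","reason":"{{{context.value}}}"}', sampleContext);
  // The page's search-hits loop, rendered for a connector that applies no escaping.
  const hits = render('triggering data was: {{#context.hits}} - {{_source.message}} {{/context.hits}}',
    sampleContext, (s) => String(s));
  return { safe, safeValid: isValidJson(safe), raw, rawValid: isValidJson(raw), hits };
}
```

Running `demo()` shows the double-brace body parsing back to the original `context.value`, while the triple-brace body is rejected by `JSON.parse` because the quotes and newline are inserted unescaped.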