kibana_discover_url Variable

[markus-nclose]

Hi all,

I'm not 100% sure how to add the kibana_discover_url variable into a alert. Currently I'm using the hivealerter and would like to add it in the "Description" field.

I read the documentation here https://elastalert2.readthedocs.io/en/latest/ruletypes.html#generate-kibana-discover-url but obviously missing something obvious.

Thanks in advance

[nsano-rururu]

According to yelp / elastalert's past pull requests, it looks like this:

Adding support for generating Kibana Discover app link #2474

name: Frequent Responses
index: kibana_sample_data_logs

timestamp_field: "timestamp"
timestamp_type: "custom"
timestamp_format: "%Y-%m-%dT%H:%M:%S.%fZ"

type: frequency
num_events: 3

timeframe:
  minutes: 10

query_key: response

generate_kibana_discover_url: true
kibana_discover_app_url: http://localhost:5601/#/discover
kibana_discover_version: '6.8'
kibana_discover_index_pattern_id: 90943e30-9a47-11e8-b64d-95841ca0b247 # specific to my instance
kibana_discover_columns: [ 'message', 'request', 'response' ]

alert: [ debug ]
alert_text: '{0}'
alert_text_args: [ kibana_discover_url ]
alert_text_type: alert_text_only

Adding ability to specify opsgenie alert details #2489
Adding ability to attach the Kibana Discover url in slack alerts #2488

[nsano-rururu]

The following is a setting example of slack.
The setting part of kibana_discover should be helpful.
johnsusek/praeco#318 (comment)

[nsano-rururu]

In the latest kibana, the value of kibana_discover_app_url is "http://localhost:5601/#/discover" instead of "http://localhost:5601/app/discover#/".
In the latest kibana, the value of "kibana_discover_app_url" is "http: // localhost: 5601 / app / discover # /" instead of "http: // localhost: 5601 / # / discover".
I understand that I need a sample for each yaml in the slack and kibana_discover docs. Certainly not in the current documentation.

# kibana_discover Setting
generate_kibana_discover_url: true
kibana_discover_app_url: "http://localhost:5601/app/discover#/"
kibana_discover_index_pattern_id: "4babf380-c3b1-11eb-b616-1b59c2feec54"

# 5.6
# 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8
# 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10, 7.11, 7.12
kibana_discover_version: "7.12"

# Slack kibana_discover Setting
slack_attach_kibana_discover_url: true
slack_kibana_discover_color: "#ec4b98"
slack_kibana_discover_title: "Discover in Kibana"

[markus-nclose]

Thank you for the detailed response. I was able to generate the URL and can see it in debug, but just can't use the URL anywhere besides Opsgenie and Slack. I'm still unsure how I can add the kibana_discover_url variable within hivealerter Description field.

[markus-nclose]

Okay I got it, apparently doesn't work if you have the Description field, worked after I commented it out.
Thanks @nsano-rururu

alert_text: 'New description works only after hivealert description commented out -  {0}'
alert_text_args: [ kibana_discover_url ]
alert_text_type: alert_text_only