I am a newbie to OpenSearch / Elasticsearch. Apologies in advance in case wrong terminology is used. We recently started to use OpenSearch as a logging database.
We are trying to set up Alerting in OpenSearch. There are 4 options available for alerting: Per query monitor, Per bucket monitor, Per cluster metrics monitor & Per document monitor. As we are using OpenSearch for storing application logs, we are more interested in going ahead with Per document monitor in order to apply more complex queries based on business needs.

We have configured a Per document monitor with the below extraction query snippet:
```json
{
  "description": "",
  "queries": [
    {
      "id": "log-level",
      "name": "log-level",
      "query": "status:\"error\"",
      "tags": []
    }
  ]
}
```
It's working well. Now the requirement is to pipe `app_log.message` into the alert message (to Slack):
```json
"_source": {
  "app_log": {
    "message": "[No Bank Account id found with XX-YY-ZZ]",
    "caller": "/app/internal/usecase/implementation/xyz.go:1801",
    "level": "error"
  },
  "status": "error"
}
```
We have already tried a couple of posts available on the internet:
- https://forum.opensearch.org/t/how-do-i-include-message-fields-in-the-alert-action-message-for-per-document-monitor/14428
- https://forum.opensearch.org/t/how-do-i-include-message-fields-in-the-alert-action-message/8167/12
Apart from that, there is one more issue I want to highlight: does the Per document monitor work with nested fields (`"query": "app_log.level:\"error\""`)?
```json
{
  "description": "",
  "queries": [
    {
      "id": "log-level-error",
      "name": "log-level-error",
      "query": "app_log.level:\"error\"",
      "tags": []
    }
  ]
}
```
Let me know if more information is required.