
Do you know: how to set up a dynamic URL link in your Advanced Watcher?

Each week, a new “Do You Know” is posted on our Elastic Technical Knowledge Hub to share useful knowledge for improving observability with Elasticsearch. These topics originate from day-to-day challenges we solved for our clients. A stepwise description helps you implement solutions that improve the performance of your deployment and get the best monitoring of your applications using dashboards and alerting.

This week I will discuss how to set up a dynamic URL link in your Advanced Watcher.

Background

Alerting is one of the most important tools in monitoring. After setting up your alerting in the Advanced Watcher, you might want the user to navigate to your Kibana dashboard using a quick link that already filters on the alert output. For instance, an error occurred and you want a link to the dashboard that shows the details of that particular error.

Solution

Set up your Advanced Watcher. Go to the Kibana menu: Stack Management > Watcher > Create > Create advanced watch. For this example, I made an aggregation on ErrorMessage.keyword:

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [],
              "filter": [
                {
                  "match_phrase": {
                    "Severity.keyword": "ERROR"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "format": "strict_date_optional_time",
                      "gte": "now-1m"
                    }
                  }
                }
              ],
              "should": [],
              "must_not": []
            }
          },
          "aggs": {
            "ErrorMessage": {
              "terms": {
                "field": "ErrorMessage.keyword",
                "order": {
                  "_count": "desc"
                },
                "size": 5,
                "shard_size": 25
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions": {
    "my-logging-action": {
      "logging": {
        "text": "The following error occurred {{ctx.payload.aggregations.ErrorMessage.buckets.0.key}}"
      }
    }
  }
}

In the actions section above you will find the output from the query. The result is the ErrorMessage in the first bucket, retrieved by {{ctx.payload.aggregations.ErrorMessage.buckets.0.key}}.

The output of the alert, the ErrorMessage retrieved by {{ctx.payload.aggregations.ErrorMessage.buckets.0.key}}, needs to be added to the filter section of the dashboard URL. This allows the user to go directly to the dedicated dashboard and see the details of the error that just occurred.

https://<kibana endpoint>/s/<space name>/app/dashboards#/view/<dashboardId>?_g=(filters:!(),refreshInterval:(pause:!t,value:60000),time:(from:now-15m,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),query:(language:kuery,query:'ErrorMessage: %20%22{{ctx.payload.aggregations.ErrorMessage.buckets.0.key}}%22%20'),timeRestore:!f,title:'<dashboard title>',viewMode:view)

If you are sending the output of the alert to an email address, you can replace the URL link with a short hyperlink. This is done in HTML as shown below.

"actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "email.address"
        ],
        "subject": "",
        "body": {
          "html": "The following error occurred {{ctx.payload.aggregations.ErrorMessage.buckets.0.key}}. Please use this <a href=\"https://<kibana endpoint>/s/<space name>/app/dashboards#/view/<dashboardId>?_g=(filters:!(),refreshInterval:(pause:!t,value:60000),time:(from:now-15m,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),query:(language:kuery,query:'ErrorMessage: %20%22{{ctx.payload.aggregations.ErrorMessage.buckets.0.key}}%22%20'),timeRestore:!f,title:'<dashboard title>',viewMode:view)\"><strong>link</strong></a> to get all the details of this error."
        }
      }
    }
  }
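
The bucket key is log-derived text, so quotes, `&` or markup in it can alter the KQL filter or the link if it reaches the URL or the HTML body unescaped. As an added example (not from the original post or from Elastic), this Python sketch builds the same dashboard link outside Watcher with KQL, rison, URL and HTML escaping applied in that order; the host, space, dashboard ID and title values are assumed placeholders.

```python
import html
from urllib.parse import quote

# Assumed stand-ins for the page's <kibana endpoint>, <space name>,
# <dashboardId> and <dashboard title> placeholders.
KIBANA = "https://kibana.example.internal"
SPACE = "default"
DASHBOARD_ID = "00000000-0000-0000-0000-000000000000"
TITLE = "Error details"

G_STATE = ("(filters:!(),refreshInterval:(pause:!t,value:60000),"
           "time:(from:now-15m,to:now))")


def kql_phrase(value):
    """Wrap value as a quoted KQL phrase, escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def rison_string(value):
    """Quote a rison string: '!' is the escape character inside '...'."""
    return "'" + value.replace("!", "!!").replace("'", "!'") + "'"


def dashboard_url(error_message):
    """Build the dashboard link with the error message as a KQL filter."""
    query = "ErrorMessage: " + kql_phrase(error_message)
    a_state = ("(description:'',filters:!(),fullScreenMode:!f,"
               "options:(hidePanelTitles:!f,useMargins:!t),"
               "query:(language:kuery,query:" + rison_string(query) + "),"
               "timeRestore:!f,title:" + rison_string(TITLE) + ",viewMode:view)")
    keep = "(),:!'"  # rison structure stays readable; the rest is %-encoded
    return (f"{KIBANA}/s/{SPACE}/app/dashboards#/view/{DASHBOARD_ID}"
            f"?_g={quote(G_STATE, safe=keep)}&_a={quote(a_state, safe=keep)}")


def email_html(error_message):
    """HTML body: message and href are escaped for their HTML context."""
    href = html.escape(dashboard_url(error_message), quote=True)
    shown = html.escape(error_message)
    return (f"The following error occurred {shown}. Please use this "
            f'<a href="{href}"><strong>link</strong></a> '
            "to get all the details of this error.")


if __name__ == "__main__":
    # Constructed sample: a log-derived message with quotes, '&' and markup.
    sample = "Login failed for 'bob' (\"bad\" token) & retry <b>"
    print(dashboard_url(sample))
    print(email_html(sample))
```

Running the functions over a handful of real error messages from your index shows which ones would break a link built by plain substitution.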


With our 25+ Elastic certified consultants, Devoteam is your partner for developing and implementing Monitoring & Observability solutions that facilitate optimal IT control, from Business & IT Operations dashboards to centralized logging and proactive alerting.