Flatline alert not showing alert_text_args in email notification

[Nenya2021]

Hi,

I'm new here and I'm not sure if I'm posting in the right place or in the right way. Redirections are welcome :)

I'm creating an alert to detect if one or more servers are not sending logs.

It works fine, but I can't get it to print the fields that I need ("event.created" or any other time field and "host.name") in the email notification. Both fields exist and I can check them through Kibana.

This is my code:

name: "MO-MET-AGNT-01: No logs from server"

type: flatline

index: metricbeat-*

threshold: 1
timeframe:
  minutes: 2

query_key: "host.name"

use_terms_query: true

filter:
- query:
    query_string:
      query: "*"

alert:
- "email"

from_addr: "[email protected]"
email:
   - "[email protected]"

alert_subject: "MO-MET-AGNT-01: No logs from server"
email_format: html
alert_text_type: alert_text_only
alert_text_args:
  - event.created       # 0
  - host.name            # 1
alert_text: "<H1>Server {1} didn't report during the last 2 minutes</H1><br><br> Details: <br><br> {0} <b>SERVER:</b> {1} <br><br><b>Priority:</b> High</br>"

What's lacking here?

Thanks in advance.

[jertel]

Hello! You are in the right place. Flatline alerts trigger on the absence of events. Without an event there is almost no dynamic data available to include in your alert message. I believe you can get counts and a timestamp, perhaps also a query key if used. But that's probably all that is available.

[Nenya2021]

Hi, @jertel, thanks for the quick reply!

I'm not sure I fully understand what you're saying: I've been stopping the event collector to test the alert, and it works fine. I do get an email when a server doesn't send any logs. The problem's that it doesn't show which of the servers is triggering the alert.
I've included "host.name" as query_key and as alert_text_args in the alert code but it doesn't appear in the alert_text.

(sorry, the original text is in Spanish. But the code is the same, I just translated the text to English to post it here)

Is there a way to show "host.name" changing something in the alert code, or do I need to use other alert type to get this information?

I'm a newby to Elasticsearch, so it would be great if you could walk me a bit through it :)

Thanks!

[jertel]

Please re-read my explanation. Specifically these two sentences:

Flatline alerts trigger on the absence of events. Without an event there is almost no dynamic data available to include in your alert message.

Flatline alerts are very different from other alerts. They alert when there is NO data. You are asking to include data in your alert. Where does it get it from? The logs are missing, which is why the alert gets triggered.

[Nenya2021]

Hi @jertel, thanks for the explanation.

Please re-read my question :):

Is there a way to show "host.name" changing something in the alert code, or do I need to use other alert type to get this information?

I need to find a way to know when a server is not sending logs -which I do-, and to see which one is not. I've looked everywhere for the way to get this type of outcome and I don't seem to be able to find it.

Thanks again.

[jertel]

In your rule replace host.name with key. Example:

alert_text_args:
  - event.created       # 0
  - key            # 1

[Nenya2021]

Thank you so much @jertel !

It works perfectly fine now