How to display match_body in the elastalert metadata with writeback index? #1602

vutuong · 2025-01-16T04:28:05Z

vutuong
Jan 16, 2025

I want to display all documents matching a selected rule, and these documents must include information in the match_body field of the write_back_index named "test."

However, the default mapping for this index is created using the elastalert-create-index command, and the match_body field is mapped as disabled with the following configuration when show the mapping of write-back-index:

...
"match_body": {
    "type": "object",
    "enabled": false
}
...

How can I enable it? I cannot create the index template before running the elastalert-create-index command because this command will attempt to apply the mapping again, causing an error.

Answered by vutuong

Jan 20, 2025

@jertel I want to enable match_body in the Elasticsearch mapping to display and query it with Grafana. My workaround is to rebuild the container image and replace the es_mapping file from https://github.com/jertel/elastalert2/tree/master/elastalert/es_mappings with a new mapping that enables match_body.
I have one more question: What does match_time in in the meta_data? What is difference between match_time and alert_time?
I can not find it in the doc at: https://elastalert2.readthedocs.io/en/latest/elastalert_status.html

View full answer

jertel · 2025-01-16T23:22:21Z

jertel
Jan 16, 2025
Maintainer

Per Elasticsearch docs, the enabled field tells Elasticsearch not to waste time and space indexing that property but the data is still stored and accessible.

0 replies

vutuong · 2025-01-20T03:37:18Z

vutuong
Jan 20, 2025
Author

@jertel I want to enable match_body in the Elasticsearch mapping to display and query it with Grafana. My workaround is to rebuild the container image and replace the es_mapping file from https://github.com/jertel/elastalert2/tree/master/elastalert/es_mappings with a new mapping that enables match_body.
I have one more question: What does match_time in in the meta_data? What is difference between match_time and alert_time?
I can not find it in the doc at: https://elastalert2.readthedocs.io/en/latest/elastalert_status.html

1 reply

jertel Jan 20, 2025
Maintainer

Why is this the accepted answer? It's not answering anything. Rather it's asking more questions.

If you want to query the match_body field then you will need to either bind a modified es_mapping file into the container using -v or modify the index after it was creating, using the Elasticsearch REST API. There is no need to build a new container image.

alert_time = The time that ElastAlert 2 sends the alert, or the original alert time if the alert failed to send, or slightly more complicated for aggregated alerts.
match_body = The original event timestamp. It will never be the same as alert_time.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to display match_body in the elastalert metadata with writeback index? #1602

{{title}}

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

How to display match_body in the elastalert metadata with writeback index? #1602

vutuong Jan 16, 2025

Replies: 2 comments · 1 reply

jertel Jan 16, 2025 Maintainer

vutuong Jan 20, 2025 Author

jertel Jan 20, 2025 Maintainer

vutuong
Jan 16, 2025

Replies: 2 comments 1 reply

jertel
Jan 16, 2025
Maintainer

vutuong
Jan 20, 2025
Author

jertel Jan 20, 2025
Maintainer