I have configured an ElastAlert instance with my Elasticsearch host. I have also created an example rule which checks the loglevel and alerts when that pattern is matched in the logs.
Everything is working fine; I am getting the alerts on my Slack channel correctly.
The only concern is the information/data in the alert I am receiving. The ElastAlert plugin is sending all the attributes associated with the pattern I am looking for, but I am not interested in all of that information. All I care about is a few particular attributes.
Here is an example of my rule:
```yaml
# Alert when the rate of events exceeds a threshold

# (Optional)
# Elasticsearch host
es_host:

# (Optional)
# Elasticsearch port
es_port:

# (Optional) Connect with SSL to elasticsearch
#use_ssl: True

# (Optional) basic-auth username and password for elasticsearch
#es_username: someusername
#es_password: somepassword

# (Required)
# Rule name, must be unique
name: DB2 test Rule

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur within timeframe time
type: frequency

# (Required)
# Index to search, wildcard supported
index: logstash-*  # logstash-2016.04.05 #logstash-YYYY.MM.DD # logstash-*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  hours: 12

# (Required)
# A list of elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- query:
    query_string:
      query: "type: db2 AND logLevel: Warning"

# (Required)
# The alert is used when a match is found
alert:
- "slack"

slack:
  slack_webhook_url: "XYZ"
```
And the alert I am getting on my Slack channel looks like this:
```text
DB2 test Rule
DB2 test Rule
At least 1 events occurred between 2016-04-29 07:51 UTC and 2016-04-29 19:51 UTC
@timestamp: 2016-04-29T19:51:45.940Z
@version: 1
_id:
_index: logstash-2016.04.29
_type: db2
apphdl:
appid:
authid:
day: 29
db: NEO
eduid:
eduname:
function:
host:
hostname:
hour: 14
id:
instance:
logLevel: Warning
logMessage:
LOADID:
DATA #2 :
Completed
message: LEVEL: Warning
```
and so on...
I would like to customize this alert message so that it alerts me with only those attributes I care about (for example timeline, loglevel and a couple more).
Is there a way to do that? A little help or a direction to pursue is very much appreciated.
According to the ElastAlert documentation, you can limit the alert to only containing certain fields from the document by using `include`.
In your case it would be:
```yaml
include: ["@timestamp", "logLevel", "message"]
```
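As an added example (not part of the original question or answer), here is the same rule extended so that ElastAlert fetches only the fields of interest and formats the Slack message itself. `include` restricts which document fields are retrieved and passed to the alerter (ElastAlert always keeps `@timestamp` alongside the listed fields), so anything else in the log document, such as credentials or identifiers that happen to be logged, never reaches the chat channel. The `alert_subject`, `alert_text`, `alert_text_args` and `alert_text_type: alert_text_only` options replace the default body, which otherwise dumps every included field. The field names used in the template (`host`, `db`, `logMessage`) are taken from the alert shown in the question; the webhook URL is a hypothetical placeholder.

```yaml
# Added example rule (not from the original post). Assumes the same
# logstash-* index and db2 documents as the question.
name: DB2 test Rule
type: frequency
index: logstash-*
num_events: 1
timeframe:
  hours: 12

filter:
- query:
    query_string:
      query: "type: db2 AND logLevel: Warning"

# Only these fields (plus @timestamp, which ElastAlert always keeps) are
# fetched from Elasticsearch and handed to the alerter, so the rest of the
# document never reaches the Slack channel.
include: ["@timestamp", "logLevel", "logMessage", "host", "db"]

# Replace the default body with a fixed template. Placeholders {0}, {1}, ...
# are filled, in order, from the corresponding *_args list; a field that is
# missing from a matched document is rendered as "<MISSING VALUE>".
alert_subject: "DB2 {0} on {1}"
alert_subject_args: ["logLevel", "host"]
alert_text_type: alert_text_only
alert_text: |
  Time:     {0}
  Level:    {1}
  Database: {2}
  Message:  {3}
alert_text_args: ["@timestamp", "logLevel", "db", "logMessage"]

alert:
- "slack"
slack:
  # Hypothetical placeholder. Anyone who holds the real webhook URL can post
  # to the channel, so keep it out of version control.
  slack_webhook_url: "https://hooks.slack.com/services/XXX/YYY/ZZZ"
```

If you want the default field dump but trimmed, `include` on its own is enough; the `alert_text*` options are only needed when the message layout itself should change. Check the rule with `elastalert-test-rule` before enabling it, since a typo in an `alert_text_args` field name only shows up as `<MISSING VALUE>` in the delivered alert.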