Monitor Variables
Use the monitor variables to add context and details to action messages for troubleshooting
When you create an action for a monitor, the message should be clear about the problem, condition, and affected resources. The message of an action supports standard Mustache scripting to form the content. The following tables list a variety of monitoring variables that you can include to enrich the message with information from the indexed data, monitor, and triggering condition to help the alert consumer quickly understand the problem.
How to access
ctx.resultsfieldsIf you want to use the
ctx.resultsvariable (or any array field) in a message, use{{ctx.results.0}}rather than{{ctx.results[0]}}. This difference relates to the way in which Mustache handles bracket notation.Similarly, to reference a field inside the
hitsarray, use a notation such as{{ctx.results.0.hits.hits.0.field_name}}to use the field's value for messages.
Monitor Variables
| Variable | Data Type | Description |
|---|---|---|
ctx.monitor | Object | Includes ctx.monitor.name, ctx.monitor.type, ctx.monitor.enabled, ctx.monitor.enabled_time, ctx.monitor.schedule, ctx.monitor.inputs, triggers and ctx.monitor.last_update_time |
ctx.monitor.user | Object | Includes information about the user who created the monitor. Includes ctx.monitor.user.backend_roles and ctx.monitor.user.roles, which are arrays that contain the backend roles and roles assigned to the user. |
ctx.monitor.enabled | Boolean | Whether the monitor is enabled |
ctx.monitor.enabled_time | Milliseconds | Unix epoch time of when the monitor was last enabled |
ctx.monitor.schedule | Object | Contains a schedule of how often or when the monitor should run |
ctx.monitor.schedule.period.interval | Integer | The interval at which the monitor runs |
ctx.monitor.schedule.period.unit | String | The interval’s unit of time |
ctx.monitor.inputs | Array | An array that contains the indexes and definition used to create the monitor |
ctx.monitor.inputs.search.indices | Array | An array that contains the indexes the monitor observes |
ctx.monitor.inputs.search.query | N/A | The definition used to define the monitor |
Trigger Variables
| Variable | Data Type | Description |
|---|---|---|
ctx.trigger.id | String | The trigger’s ID |
ctx.trigger.name | String | The trigger’s name |
ctx.trigger.severity | String | The trigger’s severity |
ctx.trigger.condition | Object | The trigger condition and Painless script label for the monitor |
ctx.trigger.condition.script.source | String | The script that defines the trigger |
ctx.trigger.condition.script.lang | String | The language used to define the script. Must be painless |
ctx.trigger.actions | Array | An array with one element that contains information about the action for the trigger and monitor |
Action Variables
| Variable | Data Type | Description |
|---|---|---|
ctx.trigger.actions.id | String | The action’s ID |
ctx.trigger.actions.name | String | The action’s name |
ctx.trigger.actions.message_template.source | String | The message to send in the alert |
ctx.trigger.actions.message_template.lang | String | The scripting language used to define the message (mustache) |
ctx.trigger.actions.throttle_enabled | Boolean | Whether throttling is enabled for this trigger |
ctx.trigger.actions.subject_template.source | String | The message’s subject in the alert |
ctx.trigger.actions.subject_template.lang | String | The scripting language used to define the subject (mustache) |
Other Variables
| Variable | Data Type | Description |
|---|---|---|
ctx.results | Array | An array with one element (i.e. ctx.results[0]). Contains the query results. This variable is empty if the trigger was unable to retrieve results. See ctx.error. |
ctx.last_update_time | Milliseconds | Unix epoch time of when the monitor was last updated |
ctx.periodStart | String | Unix timestamp for the beginning of the period during which the alert triggered. For example, if a monitor runs every ten minutes, a period might begin at 10:40 and end at 10:50. |
ctx.periodEnd | String | The end of the period during which the alert triggered |
ctx.error | String | The error message if the trigger was unable to retrieve results or unable to evaluate the trigger, typically due to a compile error or null pointer exception. Null otherwise. |
ctx.alert | Object | The current, active alert (if it exists). Includes ctx.alert.id, ctx.alert.version, and ctx.alert.isAcknowledged. Null if no alert is active. Only available with query-level monitors. |
ctx.dedupedAlerts | Object | Alerts that have already been triggered. OpenSearch keeps the existing alert to prevent the plugin from creating endless amounts of the same alerts. Only available with bucket-level monitors. |
ctx.newAlerts | Object | Newly created alerts. Only available with bucket-level monitors. |
ctx.completedAlerts | Object | Alerts that are no longer ongoing. Only available with bucket-level monitors. |
bucket_keys | String | Comma-separated list of the monitor’s bucket key values. Available only for ctx.dedupedAlerts, ctx.newAlerts, and ctx.completedAlerts. Accessed through ctx.dedupedAlerts[0].bucket_keys. |
parent_bucket_path | String | The parent bucket path of the bucket that triggered the alert. Accessed through ctx.dedupedAlerts[0].parent_bucket_path. |
Updated 10 days ago