Can top_count_keys be passed to http_post_payload values?

[shahriar52]

Hi,

Just wondering if I can use the result of top_count_keys as a value of a key at http_post_payload. For example,

name: Testing rule
index: zabbix-metrics-*
top_count_keys: ["hostname"]
timeframe:
  minutes: 5

filter:
- query:
    query_string:
      query: "itemname: \"Incoming traffic on eth0\""
- range:
    itemvalue_integer:
      gte: 100000

include:
  - hostname

alert: post
http_post_url: "https://www.example.com/api"
http_post_payload:
  hosts: top_count_keys
http_post_headers:
  authorization: Basic #################

[nsano-rururu]

If top_count_keys is not the item of the target index, I think it is useless.
https://github.com/jertel/elastalert2/blob/master/elastalert/alerts.py#L1985

           for post_key, es_key in list(self.post_payload.items()):
                payload[post_key] = lookup_es_key(match, es_key)

[jertel]

When you specify top_count_keys in the rule, ES will respond back with a mapping of the top 5 hostnames and how many times that appeared in the rule match. That mapping of hostnames to counts will be stored into a match key called top_events_hostname. Based on that, in your example, if you replace hosts: top_count_keys with hosts:top_events_hostname perhaps you might get a dictionary of hosts to counts posted to your URL. I've not attempted to do this so it might not work at all.

Disclaimer: I've not used http_post alerts, nor top_count_keys. So take the above worth a grain of salt. All I'm going off of here is a quick skim through the code.

[shahriar52]

@jertel Thanks for the suggestions. Confirmed it works.