Metadata in Alert Rule

[MateSousa]

Is it possible to use the metadata inside the alert rule to be sent, for example, in a curl command?

E.g.

rules:
  testing: |-
    ---
    es_host: 
    es_port: 
    name: testing
    type: frequency
    index: traces-apm*,apm-*,logs-apm*,metrics-apm*
    num_events: 1
    timeframe:
      minutes: 5
    filter:
    - bool:
        must:
          - match_phrase:
               message: "testing"
    alert:
    - "command" 
    command: "curl -X POST 'url' -d '{\"title\":\"${metadata.@timestamp}\"}'"

[jertel]

Yes, it's possible. Ex:

name: any_test
type: any
index: "*"
alert: command
command: 
  - echo 
  - "*** Hello, this is the time: {@timestamp}"

output:

2024-01-30 21:36:29,288     INFO           elastalert Alert sent to Command
*** Hello, this is the time: 2024-01-31T02:21:54.157771Z
2024-01-30 21:36:29,301    DEBUG urllib3.connectionpool http://127.0.0.1:9200 "POST /elastalert/_doc HTTP/1.1" 201 164

[MateSousa]

Thanks !