Enrich description field with dynamic alert values

[rschirin]

Hey there,
I am trying to understand and investigate if it is possible add into description field of any rule's configuration yaml file, a dynamic field. Basically, exactly what is already possible to do with the fields alert_text and alert_text_args.
i.e.

...
name: event_spike_test
description: "This rule is something that will check this and that on project {{0}}"
description_args: 
- resource.labels.project_id.keyword
...

is there any smooth way to do that? alternatively, can I use enhancement method? @jertel I saw your answer here #1441 (reply in thread)

[jertel]

The rule description field is a static field so no, it doesn't support the syntax you pasted above. What are you trying to do with the description? If you're trying to insert dynamic meta data into the elastalert_* indices upon an alert triggering, then you might be able to write a similar enhancement to the one you linked. But keep in mind you'd be modifying the actual description field on the rule object, so all future alerts would have that modified rule description. In otherwords, you couldn't do something like this in your enhancement:

self.rule["description"] = self.rule["description"].replace("{{0}}", match["some_field"])

Instead your enhancement would need to have the original description pattern string. Ex:

template = "This rule is something that will check this and that on project {{0}}"
self.rule["description"] = template.replace("{{0}}", match["some_field"])

[rschirin]

I am trying to create this kind of enhancement but not sure how to address exactly.
In this command:
self.rule["description"] = template.replace("{{0}}", match["some_field"])

I have to fill properly the match["some_field"] but how can I get the value from source document?
The match dictionary is the content of match_body.* stored into elastalert index. So how can I access to souce documents that trigger alert?

[jertel]

The source data should be in the match, unless the alert was a pending alert. Dump the match dict to console so you can see all of the fields.

[rschirin]

I am trying something to debug the issue so I am using this dummy command:

from elastalert.enhancements import BaseEnhancement
class MyEnhancement(BaseEnhancement):
    def process(self, match):
        match["severity"] = self.rule["severity"]
        self.rule["description"] = match['alert_info.type']

The severity assignment is working fine, while the second ends with this error:

ERROR:elastalert:Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/elastalert/elastalert.py", line 1304, in alert
    return self.send_alert(matches, rule, alert_time=alert_time, retried=retried)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/elastalert/elastalert.py", line 1356, in send_alert
    enhancement.process(match)
  File "/opt/elastalert/mod/enricher.py", line 7, in process
    self.rule["description"] = match['alert_info.type']
                               ~~~~~^^^^^^^^^^^^^^^^^^^

I am not able to access any of the match.* field

[jertel]

You might need to use the lookup_es_key() method in the elastalert util package if you're trying to fetch nested fields. Dumping the match dict to console helps you visualize whether the keys you're looking at are nested or not.

[rschirin]

Ok, I am using this snippet code:

from elastalert.enhancements import BaseEnhancement
from elastalert.util import lookup_es_key

template = "This rule is something that will check this and that on project {{0}}"
class MyEnhancement(BaseEnhancement):

    def process(self, match):
        match["severity"] = self.rule["severity"]
        fieldValue = lookup_es_key(match, "agent.name")
        self.rule["description"] = template.replace("{{0}}", fieldValue)

but it seems it doesn't work since I cannot see the description field into the alert document.
if I add also the following line it add a new match_body field named description.

match["description"] = self.rule["description"]

I feel so close to the solution but not enough

[jertel]

Are you setting add_metadata_alert to True?