host.ip <Missing Value>

[sucremad]

Hi,

I'm trying to write alert text with arguments, I cannot use host.ip[0] even though I can use host.hostname. It says "<MISSING VALUE>"

alert_text: |-
    - Date/Time: {0}
    - Host: {1}
    - IP: {2}
alert_text_args:
  - "@timestamp"
  - host.hostname
  - host.ip[1]

OUTPUT:

- Host: computer
- IP: <MISSING VALUE>

the data:

 "host": {
      "hostname": "computer",
      "os": {
        "build": "value",
        "kernel": "value",
        "name": "value",
        "type": "windows",
        "family": "value",
        "version": "10.0",
        "platform": "value"
      },
      "ip": [
        "ipv6",
        "ipv4"
      ],

How can I output the IP?

thanks in advance

[jertel]

Your syntax looks correct. In fact we now have a unit test that proves this syntax works. See this commit: 759f19f

Since yours isn't working I suspect two possible problems:

1. The ip value is not actually a list. You will need to enable debug logging and view the result records coming back from Elasticsearch to confirm this.
2. or, there is another field in your result records with a similar name, such as host.ip. I think this is unlikely but I wanted to mention it just in case you spot something like this in your results.

[sucremad]

When I write in alert_text_args it works normally and says missing value. But if wrote it in alert_text as - IP: {host.ip[1]} or {host[ip][1]} it gives this error:

elastalert_error - {'message': "Uncaught exception running rule Rulename: 'host'", 'traceback': ['Traceback (most recent call last):', '  File "/var/opt/python/3.10.4/lib/python3.10/site-packages/elastalert2-2.4.0-py3.10.egg/elastalert/elastalert.py", line 1298, in alert', '    return self.send_alert(matches, rule, alert_time=alert_time, retried=retried)', '  File "/var/opt/python/3.10.4/lib/python3.10/site-packages/elastalert2-2.4.0-py3.10.egg/elastalert/elastalert.py", line 1363, in send_alert', '    alerter.alert(matches)', '  File "/var/opt/python/3.10.4/lib/python3.10/site-packages/elastalert2-2.4.0-py3.10.egg/elastalert/alerters/debug.py", line 16, in alert', '    elastalert_logger.info(str(BasicMatchString(self.rule, match)))', '  File "/var/opt/python/3.10.4/lib/python3.10/site-packages/elastalert2-2.4.0-py3.10.egg/elastalert/alerts.py", line 120, in __str__', '    self._add_custom_alert_text()', '  File "/var/opt/python/3.10.4/lib/python3.10/site-packages/elastalert2-2.4.0-py3.10.egg/elastalert/alerts.py", line 57, in _add_custom_alert_text', '    alert_text = alert_text.format(*alert_text_values)', "KeyError: 'host'"], 'data': {'rule': 'RuleName'}}

[jertel]

You should stick with the first approach, using alert_text_args and view the debug logs to understand why it cannot locate the host.ip field.

[sucremad]

executed via --debug argument but no errors or anything useful in the console logs. Where should I check?

[jertel]

You're looking for the actual elasticsearch response. It will look like a big blob of JSON and contain all the fields and values that you're interested in.