Removing fields with the <MISSING VALUE>

[VirusProtect]

Hi,

I'm encountering an issue where some alerts sometimes have specific fields while other times they do not. When a field is missing, the alert displays . I wrote the following enhancement:

from elastalert.enhancements import BaseEnhancement

class Enhancement(BaseEnhancement):
    def process(self, match):
        def update_text_and_args(rule_key, text_key):
            text_args = self.rule.get(rule_key, [])
            text = self.rule.get(text_key, "")
            fields_to_remove = [i for i, field in enumerate(text_args) if field not in match]
            for i in sorted(fields_to_remove, reverse=True):
                del text_args[i]
                parts = text.split(f"{{{i}}}")
                if len(parts) > 1:
                    prefix = parts[0].rsplit("\n", 1)[-1]
                    suffix = parts[1].split("\n", 1)[0]
                    text = text.replace(f"{prefix}{{{i}}}{suffix}", "").replace("  ", " ").strip()
            for old_index in sorted(fields_to_remove):
                for current_index in range(old_index + 1, len(text_args) + len(fields_to_remove)):
                    text = text.replace(f"{{{current_index}}}", f"{{{current_index - 1}}}")
            self.rule[rule_key] = text_args
            self.rule[text_key] = text

        update_text_and_args('alert_text_args', 'alert_text')
        update_text_and_args('description_args', 'description')

For some alerts, this enhancement works by updating alert_text and alert_text_args, but it does not change description and description_args. Additionally, for some alerts, it does not work at all.

Is there any other way to achieve this goal?