How to merge messages form hits?

[evanzhang87]

    num_events: 1
    timeframe:
      minutes: 5

Hi, I use this config, it runs every 5 minutes, and when hits > 1, it will send an alert, but it's alert_text just contain the first hit's data. When I get more than 1 hits, how to merge data from every hit?

[jertel]

First, you didn't provide the full rule config so I'm going blind here. Is it a frequency rule?

Second, you state that you want an alert only when hits > 1. But you have num_events set to 1, which means it will alert when hits >= 1.

What do you mean by "merge data"? If your rule finds 10,000 matches, are you wanting to blast 10,000 lines of event data in your alert message? Or are you wanting to sum or average a specific numeric field?

[evanzhang87]

Yes, It's a frequency rule.
If my rule finds 10000 matches, I hope send 10000 alert, is that possible?
I just want to know every doc which triggered alert, that's why I set num_event: 1.

BTW, I found a variable processed_hits, will that be useful for me ?

[jertel]

This is answered in the FAQ.

[evanzhang87]

Thanks~