Alert Static Payload

[aclowkey]

I'm looking for a way to add static fields for all of my ElastAlert alerts.

Perhaps something similar to http_post_static_payload, but which will add the static payload to all documents, rather than just the post.
And have those available in the all of the alerts as if they were in the documents that have matched.

This would be useful in my scenario. Where I have multiple deployments of ElastAlert, each having some static values to distinguish it from other deployments.
Also having extra metadata for the alert without modifying the actual elastic data could also be useful.

Example

name: First ElastAlert
type: # Doesn't matter (?)
index: alex_index-*
filter:
- query:
    query_string:
      query: "yes"
# Add static payload to all matches
static_payload:
  my_extra_key: value

[nsano-rururu]

I don't think there is a way to add a static field to every ElastAlert2 alert.

For example, in the case of Twilio, it's just the rule name, twilio_to_number, and twilio_message_service_sid. At this point, not all alerts are possible.
https://github.com/jertel/elastalert2/blob/master/elastalert/alerters/twilio.py#L28

                client.messages.create(body=self.rule['name'],
                                       to=self.twilio_to_number,
                                       messaging_service_sid=self.twilio_message_service_sid)

[nsano-rururu]

I think we should provide information about which alert to use

[ferozsalam]

I'm not sure I understand exactly what you're looking to do, but depending on the alerter I think it might be possible.

With this rule:

name: First ElastAlert
type: # Doesn't matter (?)
index: alex_index-*
filter:
- query:
    query_string:
      query: "yes"
# Add static payload to all matches
static_payload: test

You can use the alert_text and alert_text_args arguments like so to get the static_payload value:

alert_text: "payload: {0}"
alert_text_args:
  - static_payload

In this case, the alert_text would be payload: test if the alerter builds its message body using the built-in ElastAlert functionality - most of the alerters do. I think this is what you are looking for?

N.B - ElastAlert prioritises the match data over the rule data, so if you have a static_field data in your matched record, that would appear in the alert rather than the value in your rule definition.

In addition, in some cases, as @nsano-rururu mentioned, alerters don't build their message bodies using the alert_text field, so they might not support this type of static payload. It depends on the alerters you are using.

[aclowkey]

The idea is to add metadata which can be used in the template.
And the example with alert_text_args seems to be the way to go! If the alerter supports it of course.

[aclowkey]

Yeah but seems that the slack title isn't templated.
I wanted to have it to be the name of the rule.

[ferozsalam]

What is the title you are currently seeing? We don't provide a custom title in our rules and by default it's the name of the rule

[aclowkey]

I didn't run I just read the docs. Now I see it's by default the rule name.
But unfortunately, it cannot be templated like alert_text.

slack_title: "{{severity }} {{ my_other_field }}"
slack_title_link: "my_link/{{id}}"

[aclowkey]

Maybe I can find a workaround for the 4 alerts that I use?
Slack - Doesn't seem to be template at all?
PagerDuty - Seems possible with @ferozsalam suggestion
Post - has built in support
Email - use the rule configuration in the jinja template

dummy:
  k: v
alert_text: |
  {{ dummy["k"] }}

[ferozsalam]

The Slack alerter definitely supports alert_text and alert_text_args - we use it internally in my organisation.

[aclowkey]

Ohh great!

[aclowkey]

I see it's also possible to use custom python class to modify matches as "enhancements"
https://elastalert2.readthedocs.io/en/latest/recipes/adding_enhancements.html#enhancements