MISSING VALUE in alert

[SerhiiZahuba]

Hello. I have this rule in my config

name: MKT Brut

# Alert on x events in y seconds
type: frequency

# Alert when this many documents matching the query occur within a timeframe
num_events: 1

# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 2

# A list of elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- query:
    query_string:
      query: "failure"

index: mkt-*

# When the attacker continues, send a new alert after x minutes
realert:
  minutes: 1

query_key:
  - src.ip

include:
  - hostname
  - source.ip

include_match_in_root: true

#alert_subject: "MKT BRUT on <{}>>"
#alert_subject_args:
#  - host.hostname
alert_text: |-
  An attack on {} is detected.
  The attacker looks like:
  User: {}
  IP: {}
  Type: {}
  Message: {}
  Hostname: {}
  Host: {}
  Tags: {}
  Type: {}
  User: {}
alert_text_args:
  - host
  - user
  - src_ip
  - src_type
  - message
  - hostname
  - host
  - tags
  - type
  - user
# The alert is use when a match is found
alert:
  - debug

# Alert body only cointains a title and text
alert_text_type: alert_text_only

but in lert i see

[mrfroggg]

I'm not using frequency type often, so I can be wrong, but I use a lot spike and flatline:

Not all field from ES are available when there is a match as it counts a number of documents and based on the query_key.

you are using include, this might be why "hostname" is included in there.

Work around: try to add more fields to include, but in my experience, include is useless with spike and flatline.
Or, add your needed fields to the query_key. This will make a unique match based from all those field contents, so be careful, it might affect your matches.

Other workaround, you are using a frequency of 1 event (num_events), what if you try a rule with the any type? All fields are available with any, as it will create a match for everything that match your query!

[SerhiiZahuba]

Sorry I had a configuration error. Everything is already working.