Yelp/elastalert

Is it possible to dynamically set fields within a rule based on the output of the ELK query?


I currently have an alert that runs an ELK query, and then alerts team A if the number of events exceeds a threshold. This query spans across multiple databases, which belong to other teams, like team B/C/D... However, I would like to know if it is possible to configure a single ElastAlert rule to dynamically route an alert to a respective team based on the output of the ELK query.

For example, if the alert fires for a given database abcde, I would like to route that directly to team ABCDE (using Opsgenie, so that would look like dynamically setting the value for alert.opsgenie.opsgenie_tags).

Is this possible?