Events using aggregation of a threshold as a trigger missing event fields data in Notification?

I’ve got an event with an associated notification (Slack). This works fine when I have “Create events for Definition if…” set to “Filter has results”.

I modified this to “Create events for Definition if…” set to “Aggregation of results reaches a threshold” – with a rule of “If count() Is >= 6”. The event triggers and the notification is sent, however the notification is missing the data from the event fields. The only things that show data are ${event_definition_title} and ${event.timestamp}. If I Group by Field(s) then the notification contains the event field data for what I grouped by, ex: winlogbeat_winlog_event_data_TargetUserName

Any ideas on how to get the other event fields to contain data within the alert, other than grouping by them also (which I don’t want to do)?
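As an added illustration (not Graylog code, and not from the original poster), the model below shows why the two trigger modes hand different field sets to a notification template. A "Filter has results" event corresponds to a single matching message, so every field of that message is available. A "count() >= 6" aggregation event corresponds to a whole group of messages, and the only fields with one well-defined value across the group are the Group by fields, so only those can be attached. The sample messages, the field names other than winlogbeat_winlog_event_data_TargetUserName, and the aggregation_count key are constructed assumptions for the example.

```python
from collections import Counter

# Constructed sample records, standing in for messages matched by the event
# definition's search. Field names other than the TargetUserName one from the
# post are invented for this example.
SAMPLE_MESSAGES = [
    {"timestamp": "2024-01-01T10:00:00Z", "source": "host-a",
     "winlogbeat_winlog_event_data_TargetUserName": "alice"},
    {"timestamp": "2024-01-01T10:00:05Z", "source": "host-b",
     "winlogbeat_winlog_event_data_TargetUserName": "alice"},
    {"timestamp": "2024-01-01T10:00:09Z", "source": "host-a",
     "winlogbeat_winlog_event_data_TargetUserName": "alice"},
    {"timestamp": "2024-01-01T10:00:12Z", "source": "host-c",
     "winlogbeat_winlog_event_data_TargetUserName": "alice"},
    {"timestamp": "2024-01-01T10:00:20Z", "source": "host-b",
     "winlogbeat_winlog_event_data_TargetUserName": "alice"},
    {"timestamp": "2024-01-01T10:00:31Z", "source": "host-a",
     "winlogbeat_winlog_event_data_TargetUserName": "alice"},
    {"timestamp": "2024-01-01T10:00:40Z", "source": "host-d",
     "winlogbeat_winlog_event_data_TargetUserName": "bob"},
    {"timestamp": "2024-01-01T10:00:44Z", "source": "host-d",
     "winlogbeat_winlog_event_data_TargetUserName": "bob"},
]

USER_FIELD = "winlogbeat_winlog_event_data_TargetUserName"


def filter_events(messages):
    """Model of 'Filter has results': one event per matching message.

    Each event is backed by exactly one message, so every field of that
    message is available to the notification template.
    """
    return [dict(m) for m in messages]


def aggregation_events(messages, group_by, threshold):
    """Model of 'Aggregation of results reaches a threshold' with count().

    Messages are bucketed by the group-by fields; a bucket whose count meets
    the threshold yields one event. That event stands for many messages, so
    the only per-message fields that can be attached without ambiguity are
    the group-by fields (they are constant within the bucket). With an empty
    group_by there is a single bucket and the event carries only the count.
    """
    counts = Counter(tuple(m.get(f) for f in group_by) for m in messages)
    events = []
    for key, n in counts.items():
        if n >= threshold:
            event = {"aggregation_count": n}  # assumed key name for the model
            event.update(dict(zip(group_by, key)))
            events.append(event)
    return events


def fields_available(events):
    """Field names a notification template could reference for these events."""
    names = set()
    for event in events:
        names.update(event)
    return names


if __name__ == "__main__":
    print("filter mode fields:", sorted(fields_available(filter_events(SAMPLE_MESSAGES))))
    print("count()>=6, no group by:", aggregation_events(SAMPLE_MESSAGES, [], 6))
    print("count()>=6, group by user:", aggregation_events(SAMPLE_MESSAGES, [USER_FIELD], 6))
```

Running it shows the pattern from the post: without a Group by the threshold event carries nothing but the count, and grouping by TargetUserName is what makes that one field appear on the event.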


When you say missing event fields, do you have an example of expected vs actual outcome? Or asking another way, what is missing that you are expecting to see?

Also can you share a series of steps I can use to recreate the same issue?

I’m asking so I can get a better understanding of how I can reproduce this and pass along any other helpful information to the devs.
