diff --git a/CHANGELOG.md b/CHANGELOG.md index 0dcbeceb..f75a6837 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ ## Other changes - Update setup.py & requirements.txt & requirements-dev.txt - [#1316](https://github.com/jertel/elastalert2/pull/1316) - @nsano-rururu +- [Docs] Clarify how to reference query_key values in flatline alerts - [#1320](https://github.com/jertel/elastalert2/pull/1320) - @jertel # 2.15.0 diff --git a/docs/source/ruletypes.rst b/docs/source/ruletypes.rst index 92ac80b2..26709a44 100644 --- a/docs/source/ruletypes.rst +++ b/docs/source/ruletypes.rst @@ -1411,7 +1411,7 @@ default 50, unique terms. ``terms_size``: When used with ``use_terms_query``, this is the maximum number of terms returned per query. Default is 50. ``query_key``: With flatline rule, ``query_key`` means that an alert will be triggered if any value of ``query_key`` has been seen at least once -and then falls below the threshold. +and then falls below the threshold. To reference the query_key value within a flatline alert message, use ``key`` as the field name. ``forget_keys``: Only valid when used with ``query_key``. If this is set to true, ElastAlert 2 will "forget" about the ``query_key`` value that triggers an alert, therefore preventing any more alerts for it until it's seen again.
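Review bot: In the sentence added to the ``query_key`` paragraph of docs/source/ruletypes.rst, `query_key` appears without the double backticks that every other mention in the same paragraph uses ("To reference the query_key value within a flatline alert message"). Mark it up as ``query_key`` so it renders as a literal like the rest. The sentence also says to use ``key`` "as the field name" without saying which alert setting takes that field name. Naming the setting and adding a one-line example would make the guidance usable without reading the code. Since the CHANGELOG entry scopes this to flatline alerts, consider stating in the sentence that ``key`` replaces the rule's configured ``query_key`` field name only for this rule type.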