Escape '}' curly brackets in field results #1430
Hello, I have the following rule:

This works 90% of the time, and it will result in something like this, which will be sent by email to an analyst:

process.name:

Sometimes though, the value of the "process.args" field will be too complex, and there are going to be '{' curly brackets in the field, and ElastAlert won't like it, like this one:

process.name:

Here's the error message ElastAlert gives:

I'm using the Elastic Defend integration, and I can't decide what it's going to put in the fields. I would like a way to tell ElastAlert to handle the values it pulls from Elasticsearch for the fields properly, even if there are curly brackets in them. Do you have any idea how I can resolve this problem?
Replies: 1 comment
You can add an enhancement to the ElastAlert2 deployment, which will replace all problematic chars with something to avoid the problem. Ex:

```python
match['process.args'].replace("{", "_CURLY_")
```

The enhancement will execute and update the arg string before the alert attempts to format and send the email. There may be other ways to solve it, such as escaping the curly braces.
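A fuller version of the enhancement idea from the reply above, written as an added example (it is not code from the discussion or from the ElastAlert 2 project). It assumes ElastAlert 2 loads enhancements as subclasses of `elastalert.enhancements.BaseEnhancement` and calls `process(match)` before the alert is formatted, that the match holds `process.args` either as a flat dotted key or as nested dicts, and that the value is later passed through Python's `str.format`, where a doubled brace renders as a literal one. The field names in `FIELDS` and the module path in the docstring are placeholders.

```python
try:
    from elastalert.enhancements import BaseEnhancement
except ImportError:  # stub so the example runs without ElastAlert installed
    class BaseEnhancement:
        def __init__(self, rule=None):
            self.rule = rule

# Assumed field names to clean; adjust to the fields your alert_text uses.
FIELDS = ("process.args", "process.command_line")

def escape_braces(value):
    """Double each brace so Python's str.format renders it literally."""
    return value.replace("{", "{{").replace("}", "}}")

def sanitise_braces(value):
    """The reply's approach: swap braces for a harmless marker."""
    return value.replace("{", "_LCURLY_").replace("}", "_RCURLY_")

def clean_value(value, fn):
    """Apply fn to a string or to each string in a list; leave others alone."""
    if isinstance(value, str):
        return fn(value)
    if isinstance(value, list):
        return [clean_value(v, fn) for v in value]
    return value

def locate_field(match, dotted):
    """Find 'a.b' as a flat key or a nested path; return (container, key)."""
    if dotted in match:
        return match, dotted
    node, parts = match, dotted.split(".")
    for part in parts[:-1]:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    if isinstance(node, dict) and parts[-1] in node:
        return node, parts[-1]
    return None

class EscapeBracesEnhancement(BaseEnhancement):
    """Rule usage (placeholder path): match_enhancements: [mymodule.EscapeBracesEnhancement]"""
    cleaner = staticmethod(escape_braces)  # swap for sanitise_braces if preferred

    def process(self, match):
        # Rewrite the listed fields in place before ElastAlert formats the alert.
        for field in FIELDS:
            found = locate_field(match, field)
            if found:
                container, key = found
                container[key] = clean_value(container[key], self.cleaner)
```

Doubling the braces keeps the original argument string readable in the email, which matters when an analyst needs to see the exact command line that fired the rule.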