Getting the current time - 1 hour when an alert is raised

[K0WALSKl]

Hi!

I'm still quite new in Elastalert & the ELK Stack in general so my question and my way of dealing with the problems I encountered may be dumb, please tell me if this is the case. 😄

Ok so right now I have a metric_aggregation rule that sends an email with a link that redirects to a specific Kibana's dashboard.
Right now the dashboard has the filter time:(from:now-1h,to:now)) in the url but I would like to has someting like this : time(from:'2021-09-03T04:08:52.000Z',to:'2021-09-03T05:08:52.000Z')).

In order to do this I've changed the "email.py" file so I can replace the substrings @@time@@ and @@time-1@@ by the current time minus one hour.

It works but It feels terribly wrong, so I've written this painless script from the Kibana DevTool Interface :
ZonedDateTime.ofInstant(Instant.ofEpochMilli(new Date().getTime()), ZoneId.of('Etc/GMT-4')).minusHours(1);

I believe this is a better way to do this, but now I don't really know how to integrate this script to my configuration file. I would like to add this to the alert_text_args in order to juste use {1} instead of @@time@@.

Is that even possible ?
Is there a cleaner way to get these modified dates in Elastalert ?

Thank you very much in advance for your help! 🙏

[jertel]

From what you're describing I believe the enhancements feature is what you should be using. This will allow you to modify the alert text without having to manually fix your custom email.py after every ElastAlert2 upgrade.

If you're confident that there's a way to pass your painless script to Kibana via a URL parameter then I suggest asking that specific question on the Elastic forums.

[K0WALSKl]

This is exactly what i'm looking for, thank you so much!!