Opensearch discover link support

CHANGELOG.md

@@ -5,7 +5,7 @@
 
 ## New features
 - [Iris] Alerter added - [#1301](https://github.com/jertel/elastalert2/pull/1301) - @malinkinsa 
-
+- [Opensearch] Add the possibility to generate an opensearch discovery url - [#1310](https://github.com/jertel/elastalert2/pull/1310)
 ## Other changes
 - Refactored FlatlineRule to make it more extensible - [#1291](https://github.com/jertel/elastalert2/pull/1291) - @rundef 
 - Add support for Kibana 8.11 for Kibana Discover - [#1305](https://github.com/jertel/elastalert2/pull/1305) - @nsano-rururu

docs/source/ruletypes.rst

@@ -70,6 +70,8 @@ Rule Configuration Cheat Sheet
 +--------------------------------------------------------------+           |
 | ``generate_kibana_discover_url`` (boolean, default False)    |           |
 +--------------------------------------------------------------+           |
+| ``generate_opensearch_discover_url`` (boolean, default False)|           |
++--------------------------------------------------------------+           |
 | ``shorten_kibana_discover_url`` (boolean, default False)     |           |
 +--------------------------------------------------------------+           |
 | ``kibana_discover_app_url`` (string, no default)             |           |
@@ -86,6 +88,22 @@ Rule Configuration Cheat Sheet
 +--------------------------------------------------------------+           |
 | ``kibana_discover_to_timedelta`` (time, default: 10 min)     |           |
 +--------------------------------------------------------------+           |
+| ``shorten_kibana_discover_url`` (boolean, default False)     |           |
++--------------------------------------------------------------+           |
+| ``opensearch_discover_app_url`` (string, no default)         |           |
++--------------------------------------------------------------+           |
+| ``opensearch_discover_version`` (string, no default)         |           |
++--------------------------------------------------------------+           |
+| ``opensearch_discover_index_pattern_id`` (string, no default)|           |
++--------------------------------------------------------------+           |
+| ``opensearch_discover_security_tenant``  (string, no default)|           |
++--------------------------------------------------------------+           |
+|``opensearch_discover_columns`` (list of strs,default _source)|           |
++--------------------------------------------------------------+           |
+| ``opensearch_discover_from_timedelta`` (time,default: 10 min)|           |
++--------------------------------------------------------------+           |
+| ``opensearch_discover_to_timedelta`` (time, default: 10 min) |           |
++--------------------------------------------------------------+           |
 | ``use_local_time`` (boolean, default True)                   |           |
 +--------------------------------------------------------------+           |
 | ``realert`` (time, default: 1 min)                           |           |
@@ -777,6 +795,118 @@ The `to` time is calculated by adding this timedelta to the event time.  Default
 
 ``kibana_discover_to_timedelta: minutes: 2``
 
+opensearch_url
+^^^^^^^^^^^^^^
+
+``opensearch_url``: The base url of the opensearch application. If not specified, a URL will be constructed using ``es_host``
+and ``es_port``.
+
+This value will be used if ``generate_opensearch_discover_url`` is true and ``opensearch_discover_app_url`` is a relative path
+
+(Optional, string, default ``http://<opensearch_host>:<opensearch_port>/_plugin/_dashboards/``)
+
+generate_opensearch_discover_url
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``generate_opensearch_discover_url``: Enables the generation of the ``opensearch_discover_url`` variable for the Opensearch Discover application.
+This setting requires the following settings are also configured:
+
+- ``opensearch_discover_app_url``
+- ``opensearch_discover_version``
+- ``opensearch_discover_index_pattern_id``
+
+``generate_opensearch_discover_url: true``
+
+Example opensearch_discover_app_url only usage for opensearch::
+
+    generate_opensearch_discover_url: true
+    opensearch_discover_app_url: "http://localhost:5601/app/data-explorer/discover?security_tenant=Admin#"
+    opensearch_discover_index_pattern_id: "4babf380-c3b1-11eb-b616-1b59c2feec54"
+    opensearch_discover_version: "2.11"
+    alert_text: '{}'
+    alert_text_args: [ opensearch_discover_url ]
+    alert_text_type: alert_text_only
+
+Example opensearch_url + opensearch_discover_app_url usage for opensearch::
+
+    generate_opensearch_discover_url: true
+    opensearch_url: "http://localhost:5601/"
+    opensearch_discover_app_url: "app/data-explorer/discover?security_tenant=Admin#"
+    opensearch_discover_index_pattern_id: "4babf380-c3b1-11eb-b616-1b59c2feec54"
+    opensearch_discover_version: "2.11"
+    alert_text: '{}'
+    alert_text_args: [ opensearch_discover_url ]
+    alert_text_type: alert_text_only
+
+opensearch_discover_app_url
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``opensearch_discover_app_url``: The url of the opensearch Discover application used to generate the ``opensearch_discover_url`` variable.
+This value can use `$VAR` and `${VAR}` references to expand environment variables.
+This value should be relative to the base opensearch url defined by ``opensearch_url`` and will vary depending on your installation.
+
+``opensearch_discover_app_url: app/discover#/``
+
+(Optional, string, no default)
+
+opensearch_discover_version
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``opensearch_discover_version``: Specifies the version of the opensearch Discover application.
+
+The currently supported versions of opensearch Discover are:
+
+- `2.11`
+
+``opensearch_discover_version: '2.11'``
+
+opensearch_discover_index_pattern_id
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``opensearch_discover_index_pattern_id``: The id of the index pattern to link to in the opensearch Discover application.
+These ids are usually generated and can be found in url of the index pattern management page, or by exporting its saved object.
+
+
+Example export of an index pattern's saved object:
+
+.. code-block:: text
+
+    [
+        {
+            "_id": "4e97d188-8a45-4418-8a37-07ed69b4d34c",
+            "_type": "index-pattern",
+            "_source": { ... }
+        }
+    ]
+
+You can modify an index pattern's id by exporting the saved object, modifying the ``_id`` field, and re-importing.
+
+``opensearch_discover_index_pattern_id: 4e97d188-8a45-4418-8a37-07ed69b4d34c``
+
+opensearch_discover_columns
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``opensearch_discover_columns``: The columns to display in the generated opensearch Discover application link.
+Defaults to the ``_source`` column.
+
+``opensearch_discover_columns: [ timestamp, message ]``
+
+opensearch_discover_from_timedelta
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``opensearch_discover_from_timedelta``:  The offset to the `from` time of the opensearch Discover link's time range.
+The `from` time is calculated by subtracting this timedelta from the event time.  Defaults to 10 minutes.
+
+``opensearch_discover_from_timedelta: minutes: 2``
+
+opensearch_discover_to_timedelta
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``opensearch_discover_to_timedelta``:  The offset to the `to` time of the opensearch Discover link's time range.
+The `to` time is calculated by adding this timedelta to the event time.  Defaults to 10 minutes.
+
+``opensearch_discover_to_timedelta: minutes: 2``
+
 use_local_time
 ^^^^^^^^^^^^^^
 

elastalert/alerters/mattermost.py

@@ -47,6 +47,9 @@ def __init__(self, rule):
         self.mattermost_attach_kibana_discover_url = self.rule.get('mattermost_attach_kibana_discover_url', False)
         self.mattermost_kibana_discover_color = self.rule.get('mattermost_kibana_discover_color', '#ec4b98')
         self.mattermost_kibana_discover_title = self.rule.get('mattermost_kibana_discover_title', 'Discover in Kibana')
+        self.mattermost_attach_opensearch_discover_url = self.rule.get('mattermost_attach_opensearch_discover_url', False)
+        self.mattermost_opensearch_discover_color = self.rule.get('mattermost_opensearch_discover_color', '#ec4b98')
+        self.mattermost_opensearch_discover_title = self.rule.get('mattermost_opensearch_discover_title', 'Discover in opensearch')
 
     def get_aggregation_summary_text__maximum_width(self):
         width = super(MattermostAlerter, self).get_aggregation_summary_text__maximum_width()
@@ -143,7 +146,17 @@ def alert(self, matches):
                     'title': self.mattermost_kibana_discover_title,
                     'title_link': kibana_discover_url
                 })
+
+        if self.mattermost_attach_opensearch_discover_url:
+            opensearch_discover_url = lookup_es_key(matches[0], 'opensearch_discover_url')
+            if opensearch_discover_url:
+                payload['attachments'].append({
+                    'color': self.mattermost_opensearch_discover_color,
+                    'title': self.mattermost_opensearch_discover_title,
+                    'title_link': opensearch_discover_url
+                })
 
+
         for url in self.mattermost_webhook_url:
             for channel_override in self.mattermost_channel_override:
                 try:

elastalert/alerters/rocketchat.py

@@ -31,6 +31,9 @@ def __init__(self, rule):
         self.rocket_chat_attach_kibana_discover_url = self.rule.get('rocket_chat_attach_kibana_discover_url', False)
         self.rocket_chat_kibana_discover_color = self.rule.get('rocket_chat_kibana_discover_color', '#ec4b98')
         self.rocket_chat_kibana_discover_title = self.rule.get('rocket_chat_kibana_discover_title', 'Discover in Kibana')
+        self.rocket_chat_attach_opensearch_discover_url = self.rule.get('rocket_chat_attach_opensearch_discover_url', False)
+        self.rocket_chat_opensearch_discover_color = self.rule.get('rocket_chat_opensearch_discover_color', '#ec4b98')
+        self.rocket_chat_opensearch_discover_title = self.rule.get('rocket_chat_opensearch_discover_title', 'Discover in opensearch')
         self.rocket_chat_ignore_ssl_errors = self.rule.get('rocket_chat_ignore_ssl_errors', False)
         self.rocket_chat_timeout = self.rule.get('rocket_chat_timeout', 10)
         self.rocket_chat_ca_certs = self.rule.get('rocket_chat_ca_certs')
@@ -92,6 +95,15 @@ def alert(self, matches):
                     'title_link': kibana_discover_url
                 })
 
+        if self.rocket_chat_attach_opensearch_discover_url:
+            opensearch_discover_url = lookup_es_key(matches[0], 'opensearch_discover_url')
+            if opensearch_discover_url:
+                payload['attachments'].append({
+                    'color': self.rocket_chat_opensearch_discover_color,
+                    'title': self.rocket_chat_opensearch_discover_title,
+                    'title_link': opensearch_discover_url
+                })
+
         for url in self.rocket_chat_webhook_url:
             for channel_override in self.rocket_chat_channel_override:
                 try:

elastalert/alerters/slack.py

@@ -36,6 +36,9 @@ def __init__(self, rule):
         self.slack_attach_kibana_discover_url = self.rule.get('slack_attach_kibana_discover_url', False)
         self.slack_kibana_discover_color = self.rule.get('slack_kibana_discover_color', '#ec4b98')
         self.slack_kibana_discover_title = self.rule.get('slack_kibana_discover_title', 'Discover in Kibana')
+        self.slack_attach_opensearch_discover_url = self.rule.get('slack_attach_opensearch_discover_url', False)
+        self.slack_opensearch_discover_color = self.rule.get('slack_opensearch_discover_color', '#ec4b98')
+        self.slack_opensearch_discover_title = self.rule.get('slack_opensearch_discover_title', 'Discover in Opensearch')
         self.slack_footer = self.rule.get('slack_footer', '')
         self.slack_footer_icon = self.rule.get('slack_footer_icon', '')
         self.slack_image_url = self.rule.get('slack_image_url', '')
@@ -141,6 +144,14 @@ def alert(self, matches):
                     'title': self.slack_kibana_discover_title,
                     'title_link': kibana_discover_url
                 })
+        if self.slack_attach_opensearch_discover_url:
+            opensearch_discover_url = lookup_es_key(matches[0], 'opensearch_discover_url')
+            if opensearch_discover_url:
+                payload['attachments'].append({
+                    'color': self.slack_opensearch_discover_color,
+                    'title': self.slack_opensearch_discover_title,
+                    'title_link': opensearch_discover_url
+                })
 
         if self.slack_attach_jira_ticket_url and self.pipeline is not None and 'jira_ticket' in self.pipeline:
             jira_url = '%s/browse/%s' % (self.pipeline['jira_server'], self.pipeline['jira_ticket'])

elastalert/alerters/teams.py

@@ -25,6 +25,8 @@ def __init__(self, rule):
         self.ms_teams_alert_facts = self.rule.get('ms_teams_alert_facts', '')
         self.ms_teams_attach_kibana_discover_url = self.rule.get('ms_teams_attach_kibana_discover_url', False)
         self.ms_teams_kibana_discover_title = self.rule.get('ms_teams_kibana_discover_title', 'Discover in Kibana')
+        self.ms_teams_attach_opensearch_discover_url = self.rule.get('ms_teams_attach_opensearch_discover_url', False)
+        self.ms_teams_opensearch_discover_title = self.rule.get('ms_teams_opensearch_discover_title', 'Discover in opensearch')
 
     def format_body(self, body):
         if self.ms_teams_alert_fixed_width:
@@ -88,6 +90,21 @@ def alert(self, matches):
                         ],
                     }
                 ]
+        if self.ms_teams_attach_opensearch_discover_url:
+            opensearch_discover_url = lookup_es_key(matches[0], 'opensearch_discover_url')
+            if opensearch_discover_url:
+                payload['potentialAction'] = [
+                    {
+                        '@type': 'OpenUri',
+                        'name': self.ms_teams_opensearch_discover_title,
+                        'targets': [
+                            {
+                                'os': 'default',
+                                'uri': opensearch_discover_url,
+                            }
+                        ],
+                    }
+                ]
 
         for url in self.ms_teams_webhook_url:
             try:

elastalert/elastalert.py

@@ -34,6 +34,8 @@
 from elastalert.enhancements import DropMatchException
 from elastalert.kibana_discover import generate_kibana_discover_url
 from elastalert.kibana_external_url_formatter import create_kibana_external_url_formatter
+from elastalert.opensearch_discover import generate_opensearch_discover_url
+from elastalert.opensearch_external_url_formatter import create_opensearch_external_url_formatter
 from elastalert.prometheus_wrapper import PrometheusWrapper
 from elastalert.ruletypes import FlatlineRule
 from elastalert.util import (add_keyword_postfix, cronite_datetime_to_timestamp, dt_to_ts, dt_to_unix, EAException,
@@ -1347,6 +1349,14 @@ def send_alert(self, matches, rule, alert_time=None, retried=False):
                 kb_link_formatter = self.get_kibana_discover_external_url_formatter(rule)
                 matches[0]['kibana_discover_url'] =  kb_link_formatter.format(kb_link)
 
+        if rule.get('generate_opensearch_discover_url'):
+            kb_link = generate_opensearch_discover_url(rule, matches[0])
+            if kb_link:
+                kb_link_formatter = self.get_opensearch_discover_external_url_formatter(rule)
+                matches[0]['opensearch_discover_url'] =  kb_link_formatter.format(kb_link)
+
+
+
         # Enhancements were already run at match time if
         # run_enhancements_first is set or
         # retried==True, which means this is a retry of a failed alert
@@ -1439,6 +1449,16 @@ def get_kibana_discover_external_url_formatter(self, rule):
             rule[key] = formatter
         return formatter
 
+
+    def get_opensearch_discover_external_url_formatter(self, rule):
+        """ Gets or create the external url formatter for Opensearch discover links """
+        key = '__opensearch_discover_external_url_formatter__'
+        formatter = rule.get(key)
+        if formatter is None:
+            formatter = create_opensearch_external_url_formatter(rule)
+            rule[key] = formatter
+        return formatter
+
     def writeback(self, doc_type, body, rule=None, match_body=None):
         # ES 2.0 - 2.3 does not support dots in field names.
         if self.replace_dots_in_field_names:

elastalert/kibana_external_url_formatter.py

@@ -157,3 +157,15 @@ def create_kibana_external_url_formatter(
         return ShortKibanaExternalUrlFormatter(base_url, auth, security_tenant, new_shortener, verify)
 
     return AbsoluteKibanaExternalUrlFormatter(base_url, security_tenant)
+
+def create_opensearch_external_url_formatter(
+    rule,
+    shorten: bool,
+    security_tenant: str,
+) -> KibanaExternalUrlFormatter:
+    '''Creates a Kibana external url formatter'''
+
+    base_url = rule.get('kibana_url')
+
+    return AbsoluteKibanaExternalUrlFormatter(base_url, security_tenant)
+

elastalert/loaders.py

@@ -331,6 +331,10 @@ def load_options(self, rule, conf, filename, args=None):
                 rule['kibana_discover_from_timedelta'] = datetime.timedelta(**rule['kibana_discover_from_timedelta'])
             if 'kibana_discover_to_timedelta' in rule:
                 rule['kibana_discover_to_timedelta'] = datetime.timedelta(**rule['kibana_discover_to_timedelta'])
+            if 'opensearch_discover_from_timedelta' in rule:
+                rule['opensearch_discover_from_timedelta'] = datetime.timedelta(**rule['opensearch_discover_from_timedelta'])
+            if 'opensearch_discover_to_timedelta' in rule:
+                rule['opensearch_discover_to_timedelta'] = datetime.timedelta(**rule['opensearch_discover_to_timedelta'])
         except (KeyError, TypeError) as e:
             raise EAException('Invalid time format used: %s' % e)