How to remove remove _id, _index, _type, num_matches, num_hits and @timestamp from elastialert rules file

Hi All,

I have install ELK in my laptop and after that i configure elastialert for triggering email like issue coming into docker container so it will trigger an email to my gmail account for that i setup rules.yml file in kibana plugin of elastialert after that it send an email which u can see above one content in that email i want to remove which i have mention above word. Only Message should show in my email whenever it trigger How to do it, Please do let me ASAP

Below is the content which im getting in my gmail inbox. I want to

remove _id, _index, _type, num_matches, num_hits and @timestamp 

all this only i want message to be include in my email triggering everytime.

Below is getting into gmail inbox

@timestamp: 2021-05-24T11:16:06Z
_id: 2S0WnnkBz7SOxaiw1TZk
_index: logstash-2021.05.24
_type: _doc
message: <30>May 24 11:16:06 fx-prod-1 prod_fx-control-plane.1.knel5yam 2021-05-24 11:16:06.926 INFO 1 --- [nio-8080-exec-9] : Find Latest by job id [8a8089ba777311370177734530902ec8] org [8a8081066e02d6a2016e04eacd2005c7] principal [8a808155647d283a01647d7c5e0d07ba]
num_hits: 8
num_matches: 1


Here is the rules.yaml file which i used to trigger email for issue

# Alert when the rate of events exceeds a threshold

# (Optional)
# Elasticsearch host
# es_host:

# (Optional)
# Elasticsearch port
#es_port: 14900
es_port: 9200

# (OptionaL) Connect with SSL to Elasticsearch
#use_ssl: True

# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword
es_username: testelastic
es_password: xxxx

# (Required)
# Rule name, must be unique
name: Exception Alert

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
#type: blacklist
type: any
include: ["message"]

# (Required)
# Index to search, wildcard supported
#index: logstash*
index: filebeat*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
#num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
#  hours: 1
#  minutes: 1
  seconds: 1

#compare_key: "message"


#- "error"

  minutes: 5

 # This is send out all matches in one email
# aggregation:
#  minutes: 1

#  seconds: 0
#- term:
#    message: "[error]"

# - match:
 #   message: "job"

 - query:
 #       query: "message: exception AND  message: control"
        query: "message: job"
#- query:
#   query_string:
#    query: "message: error"


- "slack"
- "email"

#- slack
slack_webhook_url: ""
#slack_username_override: "ElastAlert"
slack_username_override: "Mohd Rashid"

#- email
email: [""]
smtp_host: ""
smtp_port: "587"
from_addr: ""

How to do it, Please do let me ASAP

Hi @MohdRashid01,

If you’re asking how to use the piece of software that you found in a repository on GitHub, the best way to contact the maintainers of that software is to:

  • Check the README for instructions on how to operate the software, pointers to documentation or troubleshooting info.
  • Check the SUPPORT file, if one exists for instructions on how to best contact the maintainers for support.
  • Check the CONTRIBUTING guide, if one exists. Sometimes if there isn’t a SUPPORT file, the CONTRIBUTING guide will give instructions on how to contact the maintainers for support.

All of these documents can be found, if they exist, in the repository where you found the software itself.

I hope that helps!