Fix sending aggs and matched fields

core/lib/rules.py

@@ -310,7 +310,6 @@ class NotificationRuleData(object):
         """
         new_aggs = {}
         for agg_name, agg in aggs.items():
-            # Already checked membership below
             if agg_name in self.aggs:
                 op, value = self.aggs[agg_name]
                 new_aggs[agg_name] = f"{agg['value']}{op}{value}"
@@ -382,7 +381,9 @@ class NotificationRuleData(object):
         # We hit the return above if we don't need to notify
         meta["matched"] = self.format_matched(message)
         if "aggs" in meta:
-            meta["matched"] = self.format_aggs(meta["aggs"])
+            aggs_formatted = self.format_aggs(meta["aggs"])
+            if aggs_formatted:
+                meta["matched_aggs"] = aggs_formatted
 
         rule_notify(self.object, index, message, meta)
         self.store_match(index, message)
@@ -414,8 +415,9 @@ class NotificationRuleData(object):
             pass
 
         # We hit the return above if we don't need to notify
-        if "aggs" in meta and "matched" not in meta:
+        meta["matched"] = self.format_matched(message)
-            meta["matched"] = self.format_aggs(meta["aggs"])
+        if "aggs" in meta:
+            meta["format_aggs"] = self.format_aggs(meta["aggs"])
         rule_notify(self.object, index, message, meta)
         self.store_match(index, message)
         self.ingest_matches_sync(index, message, meta, mode)