I have a more complex issue.
With a watcher checking the alert index for assigned and open alerts, I want to forward the alert id, index and assignee id to an external webhook. The issue is that I can't resolve the individual hit to give me back the assignee id. Based on all the topics I could find and other information/documentation, this doesn't work because the field gets returned flattened, and therefore mustache can't reach it, as it handles everything with a period (.) as an individual field.
Does anyone have a solution for me to get the alert without flattened fields, or a way for mustache to read a field with a period (.)?
A solution I could think of was if the parent fields of workflow_assignee_ids were typed as objects. But that change would have to be done by Elastic; otherwise it would stop existing every time Elastic gets updated, as it comes from a managed component template.
Otherwise the only resolution would be to get the alert from Elastic again using the index and id.
My watcher:
{
  "trigger": {
    "schedule": {
      "interval": "10s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          ".internal.alerts-security.alerts-default*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 500,
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "kibana.alert.workflow_status": "open"
                  }
                },
                {
                  "exists": {
                    "field": "kibana.alert.workflow_assignee_ids"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions": {
    "action_name": {
      "foreach": "ctx.payload.hits.hits",
      "max_iterations": 500,
      "webhook": {
        "scheme": "https",
        "host": "hostname",
        "port": 443,
        "method": "post",
        "path": "webhook_url",
        "params": {},
        "headers": {
          "Content-Type": "application/json"
        },
        "auth": {
          "basic": {
            "username": "username",
            "password": "password"
          }
        },
        "body": """ {"id":"{{ctx.payload._id}}","index": "{{ctx.payload._index}}","user_uuid": "{{ctx.payload._source.kibana.alert.workflow_assignee_ids}}"}"""
      }
    }
  }
}
The watcher execution action body:
"body": " {
  \"id\":\"777777777777777777777777777777777777777777777777777\",
  \"index\": \".internal.alerts-security.alerts-default-000012\",
  \"user_uuid\": \"\"}"
The result when running the query through the console (with some obvious removals):
{
  "took": 5,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 1,
      "relation": "eq"
    },
    "max_score": 1.3215836,
    "hits": [
      {
        "_index": ".internal.alerts-security.alerts-default-000012",
        "_id": "777777777777777777777777777777777777777777777777777",
        "_score": 1.3215836,
        "_source": {
          "kibana.alert.workflow_assignee_ids": [
            "workflow_assignee_ids"
          ],
          "orchestrator.namespace": "open"
        }
      }
    ]
  }
}
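As an added example (not part of the original post, and not Elastic's own documentation), the following watch shows one way around the dotted `_source` key without re-fetching the alert: a watch-level `transform` script in Painless reads each hit with bracket syntax, which Painless resolves literally, and copies it into a map whose keys contain no dots, so Mustache can reach them as `ctx.payload.<key>` inside the `foreach`. The `alerts`, `id`, `index` and `assignees` key names are assumptions chosen for this example; the index pattern, field names, `action_name` and the webhook placeholders are taken from the watcher above. The triple-quoted strings follow the Kibana Dev Tools console syntax used in the original body, so paste it there rather than sending it as strict JSON.

```json
{
  "trigger": {
    "schedule": {
      "interval": "10s"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          ".internal.alerts-security.alerts-default*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 500,
          "_source": [
            "kibana.alert.workflow_assignee_ids"
          ],
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "kibana.alert.workflow_status": "open"
                  }
                },
                {
                  "exists": {
                    "field": "kibana.alert.workflow_assignee_ids"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "transform": {
    "script": {
      "lang": "painless",
      "source": """
        // Rebuild the payload with dot-free keys. Painless resolves the
        // bracketed key literally, so the flattened _source field is readable
        // here even though Mustache cannot address it.
        def alerts = [];
        for (def h : ctx.payload.hits.hits) {
          def src = h._source;
          alerts.add([
            'id': h._id,
            'index': h._index,
            'assignees': src['kibana.alert.workflow_assignee_ids']
          ]);
        }
        // The returned map replaces ctx.payload for the actions below.
        return ['alerts': alerts];
      """
    }
  },
  "actions": {
    "action_name": {
      "foreach": "ctx.payload.alerts",
      "max_iterations": 500,
      "webhook": {
        "scheme": "https",
        "host": "hostname",
        "port": 443,
        "method": "post",
        "path": "webhook_url",
        "headers": {
          "Content-Type": "application/json"
        },
        "auth": {
          "basic": {
            "username": "username",
            "password": "password"
          }
        },
        "body": """{"id":"{{ctx.payload.id}}","index":"{{ctx.payload.index}}","user_uuids":{{#toJson}}ctx.payload.assignees{{/toJson}} }"""
      }
    }
  }
}
```

Two caveats. `kibana.alert.workflow_assignee_ids` is an array, so `{{ctx.payload.assignees}}` alone would render Mustache's bracketed list notation rather than valid JSON; `{{#toJson}}...{{/toJson}}` emits a proper JSON array, and an endpoint that wants a single id can use `{{ctx.payload.assignees.0}}` instead. Also, the basic-auth password in the webhook action is stored with the watch in the `.watches` index; set `xpack.watcher.encrypt_sensitive_data: true` in the cluster so it is encrypted at rest rather than kept in clear text.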