Can you Trigger Watch action for each unique result returned

alerting

(chris ray) #1

Hi,

I am wondering if it is possible to have the trigger block execute multiple times. In my example below I would like to have the webhook trigger execute for each unique hostname returned from my query results (all failed logons). The example was first designed to just grab the hostname of the first record returned from my query. I have no clue how I would go about changing my watch to accomplish what I'd like to do. I'd greatly appreciate any help/suggestions!

curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
  "trigger" : { "schedule" : { "interval" : "10s" } },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logstash-*" ],
        "body" : {
          "query" : {
            "match" : { "tags": "ad-logon-failure" }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "actions" : {
    "my_webhook": {
        "webhook": {
            "method": "POST",
            "host": "myhostname",
            "port": 8080,
            "path": "/myapp/api",
            "headers" : {
                "Content-Type": "application/json",
                "Accept": "application/json"
            },
            "body": "{ \"hostName\": \"{{ctx.payload.hits.hits.0._source.message}}\", \"userId\": \"test\"}"
        }
    }
  }
}'

(Martijn Van Groningen) #2

Executing an action for each found host name (or other element in the search input response) isn't possible today. I like the idea and I think Watcher should have a compound action that, based on a for-loop construct, executes sub-actions that are configured with it.

Unfortunately I don't know of a Watcher only workaround to send multiple webhook requests based on the number of elements found in an input response.

Perhaps you can send the web hook request to Logstash that is configured with an http input and do the logic there? See this blog for more info: https://www.elastic.co/blog/introducing-logstash-input-http-plugin

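The receiver-side fan-out Martijn describes (let Watcher post the whole search payload to one endpoint and do the per-host logic there), as an added example that is not code from the thread or from Elastic. It assumes the failed-logon documents carry the hostname in a `host` field; the sample payload is constructed.

```python
import json
from collections import OrderedDict
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of the payload a watch could post: a trimmed search-input
# response with three failed-logon hits from two hosts (field names assumed).
SAMPLE_PAYLOAD = json.dumps({
    "hits": {
        "total": 3,
        "hits": [
            {"_source": {"host": "dc01", "tags": ["ad-logon-failure"], "user": "alice"}},
            {"_source": {"host": "dc02", "tags": ["ad-logon-failure"], "user": "bob"}},
            {"_source": {"host": "dc01", "tags": ["ad-logon-failure"], "user": "carol"}},
        ],
    }
})

def unique_hostnames(raw_body, field="host"):
    """Parse the JSON body and return {hostname: failed-logon count}, de-duplicated
    in first-seen order, so each host is handled exactly once."""
    payload = json.loads(raw_body)
    counts = OrderedDict()
    for hit in payload.get("hits", {}).get("hits", []):
        host = hit.get("_source", {}).get(field)
        if host:  # skip hits that lack the field rather than failing the whole batch
            counts[host] = counts.get(host, 0) + 1
    return counts

def build_webhook_bodies(raw_body, user_id="test"):
    """One downstream request body per unique host, mirroring the body template
    used in the original watch (hostName/userId) plus the per-host count."""
    return [
        {"hostName": host, "failedLogons": count, "userId": user_id}
        for host, count in unique_hostnames(raw_body).items()
    ]

class FanOutHandler(BaseHTTPRequestHandler):
    """Hypothetical endpoint the watch posts to; forwards one body per host."""
    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        for body in build_webhook_bodies(raw):
            print("would POST to /myapp/api:", json.dumps(body))  # replace with a real client
        self.send_response(204)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), FanOutHandler).serve_forever()
```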

(chris ray) #3

Thanks I will look into the logstash method.

Any ideas on when Watcher may have some sort of looped sub actions feature?

Also, is there any way I could loop through the ctx.payload.hits.hits indexes to retrieve all the hosts and send them to my api using just one webhook action, or is there no way to loop at all?


(Darshan Patel) #4

Hey @crayy8,

Did you try Logstash to process the resulting records/documents?

Please let me know if you have any update on it.

Thank you.

