Can't get a field from the ctx.payload in Kibana watcher

Preetiv · March 19, 2018, 5:12am

I am setting up a watcher in Kibana and the watcher needs to extract different fields from the ctx.payload.
So I tried this for extracting message field from the first hit

{{ctx.payload.hits.hits.0._source.message}}

This gave me an error
"actions": [
{
"id": "notify-slack",
"type": "slack",
"status": "failure",
"reason": "GeneralScriptException[Error running inline script [Message is {{ctx.payload.hits.hits.0._source.message}}] using lang [mustache]]; nested: MustacheException[Failed to get value for ctx.payload.hits.hits.0._source.message @[query-template:1]]; nested: MustacheException[0 @[query-template:1]]; nested: IndexOutOfBoundsException[0]; "
}

How can I extract the message field from this JSON response?

chrisronline · March 19, 2018, 1:07pm

Hi @Preetiv,

That syntax looks right to me. Can you show me the rest of the watch, and a sample of the data from the input?

Preetiv · March 19, 2018, 4:06pm

Hi @chrisronline ,
My watch looks like this:

{
  "trigger": {
    "schedule": {
      "interval": "30m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "logstash*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "\"k8s\"",
                    "analyze_wildcard": true
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-60m"
                    }
                  }
                }
              ],
              "must_not": []
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions": {
    "notify-slack": {
      "slack": {
        "account": "alerts-test",
        "message": {
          "from": "testbot",
          "to": [
            "#alerts-test"
          ],
          "text": "TEST watch context",
          "attachments": [
            {
              "color": "danger",
              "title": "TEST - Parse watch context ",
              "text": "Message is {{ctx.payload.hits.hits.0._source.message}}"
            }
          ]
        }
      }
    }
  }
}

And the simulation output is:

    "condition": {
      "type": "compare",
      "status": "success",
      "met": true,
      "compare": {
        "resolved_values": {
          "ctx.payload.hits.total": 1750671
        }
      }
    },
    "actions": [
      {
        "id": "notify-slack",
        "type": "slack",
        "status": "failure",
        "reason": "GeneralScriptException[Error running inline script [Message is {{ctx.payload.hits.hits.0._source.message}}] using lang [mustache]]; nested: MustacheException[Failed to get value for ctx.payload.hits.hits.0._source.message @[query-template:1]]; nested: MustacheException[0 @[query-template:1]]; nested: IndexOutOfBoundsException[0]; "
      }
    ]
  },
  "messages": []
}

Preetiv · March 19, 2018, 10:55pm

The 'size' of the 'body' in 'input' section was wrongly set to '0' and hence the issue.
Changed it to 10 and it worked.

chrisronline · March 20, 2018, 1:11pm

Great! Glad you figured it out!

Topic		Replies	Views
Can't get ctx.payload.hits.hits.index.fields.fieldname to work Elasticsearch elastic-stack-alerting	6	8004	July 6, 2017
Extract certain watcher fields Kibana	4	1626	May 13, 2020
Cant understand watcher keywords Elasticsearch elastic-stack-alerting	6	613	August 20, 2018
Watcher working once, but not more Kibana	2	400	December 16, 2019
Iterate over payload fields in Slack action Elasticsearch elastic-stack-alerting	2	2206	July 6, 2017

Can't get a field from the ctx.payload in Kibana watcher

Related topics