Can't get ctx.payload.hits.hits.index.fields.fieldname to work

alerting

(chris ray) #1

Hi,

I am trying to get some data from the returned query results into my web hook action but I can't get it to work. The below is a simple example I came up with to test out what I wanted to do. ctx.payload.hits.hits.0.fields.message should be returning a hostname to me but it returns nothing.

I have tried hardcoding the hostname in place of the ctx.payload... so I know everything reaches my api fine. What am I doing wrong?

curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
  "trigger" : { "schedule" : { "interval" : "10s" } },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logstash-*" ],
        "body" : {
          "query" : {
            "match" : { "message": "WIN7-64-VM" }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "actions" : {
    "my_webhook": {
        "webhook": {
            "method": "POST",
            "host": "myhostname",
            "port": 8080,
            "path": "/myapp/api",
            "headers" : {
                "Content-Type": "application/json",
                "Accept": "application/json"
            },
            "body": "{ \"hostName\": \"{{ctx.payload.hits.hits.0.fields.message}}\", \"userId\": \"test\"}"
        }
    }
  }
}'

I am trying to retrieve the "message" field from my logs for level "ERROR"

(Martijn Van Groningen) #2

I think you need to use the following instead:
ctx.payload.hits.hits.0._source.message

Unless you specifically ask the _search api to include stored fields in each hit, fields will be empty. By default the _search api does return the source of a hit as was provided during indexing.


(chris ray) #3

You are correct, the recommendation you made works. Thanks so much Martijn!


(Chris) #4

Hey @mvg, this also worked for me. Is there any in-depth documentation for features like this? How do you come to these conclusions? Thanks in advance, Chrome.


(Alexander Reelsen) #5

Hey,

Next time, can you open a new thread for those questions, please. Reviving threads that are almost 1.5 years old might become off-topic really quickly.

What Martijn did here was just checking out the JSON format of the search response and walking through it by using a dot as a field separator.

The syntax above is mustache, which is documented in Elasticsearch core in search templates. You might also want to check out the official mustache docs.

If you have more concrete questions, feel free to ask!

--Alex
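To make Martijn's fix (#2) and Alex's explanation (#5) concrete, here is an added example that is not part of this thread and not Elasticsearch or Watcher code. It builds a constructed `_search` response of the shape the watch's search input puts into `ctx.payload`, walks a dotted path through it the way the template does (a numeric segment indexes a list), and renders the web hook body with a minimal `{{...}}` substitution. The hit carries `_source` but no `fields`, because no stored fields were requested, so the original `...0.fields.message` path resolves to nothing while `...0._source.message` yields the hostname. The index name and document id are placeholders, and the substitution function is a deliberately simplified stand-in for real mustache (it does no escaping or sections).

```python
"""Added example (not from the thread): resolve the dotted paths that a
Watcher mustache template uses against a constructed _search response."""
import json
import re

# Constructed sample of what the watch's search input places in ctx.payload.
# No stored fields were requested, so the hit has _source but no "fields".
SAMPLE_CTX = {
    "ctx": {
        "payload": {
            "hits": {
                "total": 1,
                "hits": [
                    {
                        "_index": "logstash-placeholder",  # placeholder index name
                        "_id": "placeholder-id",            # placeholder document id
                        "_source": {"message": "WIN7-64-VM", "level": "ERROR"},
                    }
                ],
            }
        }
    }
}


def resolve(root, dotted_path):
    """Walk `root` segment by segment, splitting on dots.

    Dict segments are looked up by key, list segments by integer index.
    Returns None as soon as a segment is missing, which is what a template
    engine renders as an empty string (the symptom seen in post #1)."""
    node = root
    for segment in dotted_path.split("."):
        if isinstance(node, list):
            if not segment.isdigit() or int(segment) >= len(node):
                return None
            node = node[int(segment)]
        elif isinstance(node, dict):
            if segment not in node:
                return None
            node = node[segment]
        else:
            return None
    return node


# Matches {{ctx.a.b.c}} with optional surrounding whitespace inside the braces.
TAG = re.compile(r"\{\{\s*([^}\s]+)\s*\}\}")


def render(template, root):
    """Minimal mustache-style substitution: {{path}} -> str(value) or ''."""
    def substitute(match):
        value = resolve(root, match.group(1))
        return "" if value is None else str(value)
    return TAG.sub(substitute, template)


# The web hook body from post #1 and the path Martijn suggested in post #2.
ORIGINAL_BODY = '{ "hostName": "{{ctx.payload.hits.hits.0.fields.message}}", "userId": "test"}'
FIXED_BODY = '{ "hostName": "{{ctx.payload.hits.hits.0._source.message}}", "userId": "test"}'


def webhook_hostname(template, root=SAMPLE_CTX):
    """Render the body template and return the hostName the API would receive."""
    return json.loads(render(template, root))["hostName"]


if __name__ == "__main__":
    print(repr(webhook_hostname(ORIGINAL_BODY)))  # '' : the hit has no "fields"
    print(repr(webhook_hostname(FIXED_BODY)))     # 'WIN7-64-VM'
```

Running it shows the empty `hostName` from the original template next to the populated one from the `_source` path. The same walk applies to any other value in the response, for example `ctx.payload.hits.total`, which is the path the watch's `compare` condition already uses.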


(Chris) #6

Thanks @spinscale. I will open a new thread next time if the thread I am referencing is old to ask questions.

