Can't get ctx.payload.hits.hits.index.fields.fieldname to work

crayy8 · July 13, 2015, 6:52pm

Hi,

I am trying to get some data from the returned query results into my web hook action but I cant get it to work. The bellow is a simple example I came up with to test out what I wanted to do. ctx.payload.hits.hits.0.fields.message should be returning a hostname to me but it returns nothing.

I have tried hardcoding the hostname in place of the ctx..payload... so I know everything reaches my api fine. What am I doing wrong?

curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
  "trigger" : { "schedule" : { "interval" : "10s" } },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logstash-*" ],
        "body" : {
          "query" : {
            "match" : { "message": "WIN7-64-VM" }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "actions" : {
    "my_webhook": {
        "webhook": {
            "method": "POST",
            "host": "myhostname",
            "port": 8080,
            "path": "/myapp/api",
            "headers" : {
                "Content-Type": "application/json",
                "Accept": "application/json"
            },
            "body": "{ \"hostName\": \"{{ctx.payload.hits.hits.0.fields.message}}\", \"userId\": \"test\"}"
        }
    }
  }
}'

mvg · July 14, 2015, 9:24am

I think you need to use the following instead:
ctx.payload.hits.hits.0._source.message

Unless you specifically ask the _search api to include stored fields in each hit, fields will be empty. By default the _search api does return the source of a hit as was provided during indexing.

crayy8 · July 14, 2015, 1:04pm

You are correct, the recommendation you made works. Thanks so much Martijn!

chromechris · October 28, 2016, 5:37pm

Hey @mvg , this also worked for me. Is there any in depth documentation for features like this? How do you come to these conclusions? Thanks in advance, Chrome.

spinscale · October 31, 2016, 7:03am

Hey,

Netx time, can you open a new thread for those questions, please. Reviving threads that are almost 1.5 years old might become off-topic really quick.

What Martijn did here, was just checking out the JSON format of the search response and walking through it by using a dot as a field separator.

The syntax above is mustache, which is documented in Elasticsearch core in search templates. You might also want to check out the official mustache docs.

If you have more concrete questions, feel free to ask!

--Alex

chromechris · November 14, 2016, 8:33pm

Thanks @spinscale . I will open a new thread next time if the thread I referencing is old to ask questions.