Chain Transform for an action

I need to do two queries across two indexes in my email action, however, I cannot get the transform to save. Also I'm not sure setting up the transform, how I can call the context between the two searches without a name. The structure of the chain transform is a bit different that the chain in the input. The input has the search named. I'll enclose the email action snip in the update. It's not clear how to include formatted text in the Create a new Topic form.

		"sasha-update-ticket-email01-action": {
		"transform": {
			"chain": [{
				"search": {
					"indices": [".watcher-history-3-*"],
					"body": {
						"size": 0,
						"query": {
							"bool": {
								"must": [{
									"term": {
										"watch_id": {
											"value": "sasha-update-ticket-ext01"
										}
									}
								},
								{
									"term": {
										"state": {
											"value": "executed"
										}
									}
								},
								{
									"range": {
										"trigger_event.triggered_time": {
											"gte": "now-1h/m",
											"lte": "now/m"
										}
									}
								}]
							}
						}
					}
				}
			},
			{
				"search": {
					"indices": ["sasha-*"],
					"body": {
						"size": 10,
						"query": {
							"bool": {
								"must_not": [{
									"match_phrase": {
										"returned_xml": "Illegal Ticket State change"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Value does not fall within the limits specified for the field"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "You cannot change the state of a Closed ticketID"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "No matching entry found for Subroot Cause Cd or Subroot Cause"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "TicketNum must be 15 alphanumeric"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Requested Ticket Already ClosedID"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "missing required parameters"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Invalid Functional AreaID"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "must be later than Restored Time"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Requested Ticket Already LockedID"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Requested Ticket Not FoundID"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Required field cannot be reset to a NULL"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Invalid attribute values"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Resolution Error"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Descendant Processing  did not complete"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "No matching entry found for Root Cause"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "TicketNumber not foundID"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "It has 1 open descendant"
									}
								}],
								"must": [{
									"term": {
										"functional_name.keyword": {
											"value": "updateTicket"
										}
									}
								},
								{
									"range": {
										"transaction_begin": {
											"gte": "now-75m",
											"lte": "now-15m"
										}
									}
								},
								{
									"match": {
										"return_condition": "true"
									}
								}]
							}
						}
					}
				}
			}]
		},
		"condition": {
			"compare": {
				"ctx.payload.hits.total": {
					"gte": 3
				}
			}
		},
		"email": {
			"profile": "standard",
			"priority": "highest",
			"to": ["nb880v@att.com"],
			"subject": "XXXXXXThe updateTicket webservice is failing in SASHA.",
			"body": {
				"html": "<p>The updateTicket webservice has been failing at an above average rate for at least 1 hour. Please run the Sasha test flow to try and determine the cause of the issue. Do not start a call to work or engage the Sasha team unless you receive a ticket from the client reporting end user impact.</p>{{#ctx.payload.hits.hits}}<hr /><strong>SASHA Session ID:</strong> {{_source.session_id}}<br /><strong>Log Server:</strong> {{_source.hostname}}<br /><strong>Variables Sent:</strong> {{_source.variables_sent}}<br /><strong>Returned XML:</strong> {{_source.returned_xml}}{{/ctx.payload.hits.hits}}<hr />"
			}
		}
	}

This is the complaint: Watcher: [parse_exception] could not parse [search] transform for watch [sasha-update-ticket-ext01]. unexpected field [indices]

you did not specify a name for each element within the inputs array. See https://www.elastic.co/guide/en/elastic-stack-overview/6.4/input-chain.html (referring to first and second)

{

"error": {
"root_cause": [
{
"type": "parse_exception",
"reason": "could not parse [chain] transform for watch [sasha-test-update-ticket]. expected an array of transform objects, but found [START_OBJECT] instead"
}
],
"type": "parse_exception",
"reason": "could not parse [chain] transform for watch [sasha-test-update-ticket]. expected an array of transform objects, but found [START_OBJECT] instead"
},
"status": 400
}

I don't think I can get the name for the elements in a chain outside the input block. According to the documentation, the transform does not have an inputs array but a chain array and it does not accept a name.

  "transform": {
    **"chain": {**

** "inputs": [**
** { "past_check": {**
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
".watcher-history-3-*"
],
"types": ,
"body": {

each of the elements in the inputs array also needs a name in order to refer it to in the payload. Something like

"input" : {
  "chain" : {
    "inputs" : [ 
      {
        "first" : {
          "simple" : { "path" : "/_search" }
        }
      },
      {
        "second" : {
          "http" : {
            "request" : {
              "host" : "localhost",
              "port" : 9200,
              "path" : "{{ctx.payload.first.path}}" 
            }
          }
        }
      }
    ]
  }
}

Now you can access the payload via ctx.payload.first and ctx.payload.second. See https://www.elastic.co/guide/en/elastic-stack-overview/6.4/input-chain.html

Attached is the entire alert. The transform in question is under the sasha-update-ticket-email01-action. The way the documentation indicates the transform is to be constructed does not allow for a name attribute to be included. It appears to me that I cannot use two searches in a transform because I cannot name them.

Well I cannot include the entire alert. It is too long. Here is the actions section.

	"actions": {
	"sasha-update-ticket01-logging-action": {
		"logging": {
			"level": "info",
			"text": "updateTicket Conditions: Execution Time: {{ctx.execution_time}} Current Poll: {{ctx.vars.xxx}} Compare Average: {{ctx.payload.week_poll.aggregations.avg_fail.value}} Current Poll Fails: {{ctx.payload.current_poll.aggregations.fandp.buckets.1.doc_count}} Current Poll Passes: {{ctx.payload.current_poll.aggregations.fandp.buckets.0.doc_count}}"
		}
	},
	"sasha-update-ticket-email01-action": {
		"transform": {
			"chain": [{
				"search": {
					"indices": [".watcher-history-3-*"],
					"body": {
						"size": 0,
						"query": {
							"bool": {
								"must": [{
									"term": {
										"watch_id": {
											"value": "sasha-update-ticket-ext01"
										}
									}
								},
								{
									"term": {
										"state": {
											"value": "executed"
										}
									}
								},
								{
									"range": {
										"trigger_event.triggered_time": {
											"gte": "now-1h/m",
											"lte": "now/m"
										}
									}
								}]
							}
						}
					}
				}
			},
			{
				"search": {
					"indices": ["sasha-*"],
					"body": {
						"size": 10,
						"query": {
							"bool": {
								"must_not": [{
									"match_phrase": {
										"returned_xml": "Illegal Ticket State change"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Value does not fall within the limits specified for the field"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "You cannot change the state of a Closed ticketID"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "No matching entry found for Subroot Cause Cd or Subroot Cause"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "TicketNum must be 15 alphanumeric"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Requested Ticket Already ClosedID"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "missing required parameters"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Invalid Functional AreaID"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "must be later than Restored Time"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Requested Ticket Already LockedID"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Requested Ticket Not FoundID"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Required field cannot be reset to a NULL"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Invalid attribute values"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Resolution Error"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "Descendant Processing  did not complete"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "No matching entry found for Root Cause"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "TicketNumber not foundID"
									}
								},
								{
									"match_phrase": {
										"returned_xml": "It has 1 open descendant"
									}
								}],
								"must": [{
									"term": {
										"functional_name.keyword": {
											"value": "updateTicket"
										}
									}
								},
								{
									"range": {
										"transaction_begin": {
											"gte": "now-75m",
											"lte": "now-15m"
										}
									}
								},
								{
									"match": {
										"return_condition": "true"
									}
								}]
							}
						}
					}
				}
			}]
		},
		"condition": {
			"compare": {
				"ctx.payload.hits.total": {
					"gte": 3
				}
			}
		},
		"email": {
			"profile": "standard",
			"priority": "highest",
			"to": ["nb880v@att.com"],
			"subject": "XXXXXXThe updateTicket webservice is failing in SASHA.",
			"body": {
				"html": "<p>The updateTicket webservice has been failing at an above average rate for at least 1 hour. Please run the Sasha test flow to try and determine the cause of the issue. Do not start a call to work or engage the Sasha team unless you receive a ticket from the client reporting end user impact.</p>{{#ctx.payload.hits.hits}}<hr /><strong>SASHA Session ID:</strong> {{_source.session_id}}<br /><strong>Log Server:</strong> {{_source.hostname}}<br /><strong>Variables Sent:</strong> {{_source.variables_sent}}<br /><strong>Returned XML:</strong> {{_source.returned_xml}}{{/ctx.payload.hits.hits}}<hr />"
			}
		}
	}
}

oh boy, I fully misread your post and thought you are doing chain input instead of chain transforms. Let me take another look. Sorry for the confusion on my side!

It would be great if you can share the whole watch in an a gist, though!

Wish I could. The gist site does not play well with our firewall here maybe....

Secure Connection Failed

An error occurred during a connection to gist.github.com. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

I'll see if I can get the watch up tonight from home.

Got it up from home. https://gist.github.com/chapmantrain/8c8af5349b2597844f8f78a85bb4652b

hey,

the issue is indeed in the search transform in your email action, you are missing request field.

          {
            "search": {
              "request": {
                "indices": [
                  ".watcher-history-3-*"
                ],
                "body": {
                  ...
                  }
                }
              }
            }
          },

both chain searches do not wrap the indices and body fields within a request field.

See also https://www.elastic.co/guide/en/elastic-stack-overview/6.4/input-search.html

--Alex

But since I have two searches, how do I call the one vs the other. Like ctx.payload.name??? Can I even run two searches in the transform chain?

"transform": {
			"chain": [{
				"search": {
					"request": {
						"indices": [".watcher-history-3-*"],
						"body": {
							...
						}
					}
				}
                },
                {
                    "search": {
                        "request": {
                            "indices": ["sasha-*"],
                            "body": {
                                ...
                            }
                        }
                    }
                }
            ]
       }

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.