Conditional string message of a Watch

I am wondering if it is possible to embed in a watch a mechanism that will use a sort of variable to determine the string in the email message of the action based on the chain input data.

Specifically, instead of two separate watches doing a complementary search in their input, I would like to combine them in a single watch and generate the email message according to which bucket has met the merged execution condition.

The code below includes a placeholder for the mentioned message.

{
  "trigger": {
    "schedule": {
      "cron": "0 0 * * * ?"
    }
  },
  "input": {
    "chain": {
      "inputs": [
        {
          "production": {
            "search": {
              "request": {
                "search_type": "query_then_fetch",
                "indices": [
                  "messages_production"
                ],
                "rest_total_hits_as_int": true,
                "body": {
                  "size": 0,
                  "query": {
                    "bool": {
                      "filter": {
                        "range": {
                          "@timestamp": {
                            "gte": "now-1h",
                            "lte": "now"
                          }
                        }
                      },
                      "must": [
                        {
                          "query_string": {
                            "query": "status: success",
                            "analyze_wildcard": true
                          }
                        }
                      ]
                    }
                  }
                }
              }
            }
          }
        },
        {
          "conformance": {
            "search": {
              "request": {
                "search_type": "query_then_fetch",
                "indices": [
                  "messages_conformance"
                ],
                "rest_total_hits_as_int": true,
                "body": {
                  "size": 0,
                  "query": {
                    "bool": {
                      "filter": {
                        "range": {
                          "@timestamp": {
                            "gte": "now-1h",
                            "lte": "now"
                          }
                        }
                      },
                      "must": [
                        {
                          "query_string": {
                            "query": "status: success",
                            "analyze_wildcard": true
                          }
                        }
                      ]
                    }
                  }
                }
              }
            }
          }
        }
      ]
    }
  },
  "condition": {
    "script": {
      "source": "return (ctx.payload.production.hits.total == 0) || (ctx.payload.conformance.hits.total == 0)",
      "lang": "painless"
    }
  },
  "actions": {
    "send_email": {
      "throttle_period_in_millis": 3600,
      "email": {
        "profile": "standard",
        "to": [
          "monitoring@test.com"
        ],
        "subject": "{{ctx.metadata.name}}",
        "body": {
          "text": """Application: Oracle Management
Summary: Missing events in last hour
Severity: Medium
Environment: [placeholder]"""
        }
      }
    }
  }
}

Basically, if the production bucket lacks data, then the "Environment:" field will read "production", if the conformance bucket lacks data, the field will read "conformance", and if both do lack data, then the field will read "production and conformance".
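One way to produce that conditional field, as an added example rather than anything from the original post: a watch-level script transform runs after the condition and before the actions, so it can inspect both chain inputs and return a new payload carrying a computed environment string, which the email body then reads through {{ctx.payload.environment}}. The fragment below replaces the actions section of the watch above and adds a transform beside it (trigger, input and condition stay as they are); the triple-quoted strings are Kibana Dev Tools console syntax as in the original, and the payload keys production_total and conformance_total are names chosen here.

```json
{
  "transform": {
    "script": {
      "lang": "painless",
      "source": """
        // Collect the chain inputs whose search returned no hits in the last hour.
        // hits.total is a plain integer here because rest_total_hits_as_int is true.
        def missing = [];
        if (ctx.payload.production.hits.total == 0) {
          missing.add('production');
        }
        if (ctx.payload.conformance.hits.total == 0) {
          missing.add('conformance');
        }
        // The condition only fires when at least one bucket is empty,
        // so 'missing' holds one or two entries at this point.
        String environment = missing.size() == 2
          ? 'production and conformance'
          : missing[0];
        // The returned map becomes ctx.payload for the actions.
        return [
          'environment': environment,
          'production_total': ctx.payload.production.hits.total,
          'conformance_total': ctx.payload.conformance.hits.total
        ];
      """
    }
  },
  "actions": {
    "send_email": {
      "throttle_period_in_millis": 3600,
      "email": {
        "profile": "standard",
        "to": [
          "monitoring@test.com"
        ],
        "subject": "{{ctx.metadata.name}}",
        "body": {
          "text": """Application: Oracle Management
Summary: Missing events in last hour
Severity: Medium
Environment: {{ctx.payload.environment}}
Production hits in last hour: {{ctx.payload.production_total}}
Conformance hits in last hour: {{ctx.payload.conformance_total}}"""
        }
      }
    }
  }
}
```

Because the transform replaces the whole payload, any other field the email needs must be copied into the returned map, as done here with the two hit counts.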
