Create a watch with multiple actions each with a different query

Karrie_Koo · January 15, 2020, 3:05am

"input": {
"chain": {
"inputs": [
{
"first": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"indices*"
],
"types": ,
"body": {
"size": 10,
"query": {
"bool": {
"must": [
{
"simple_query_string": {
"query": "(123)"
"fields": [
"Message",
]
}
},
{
"range": {
"@timestamp": {
"gte": "now-15m/m",
"lte": "now"
}
}
}
]
}
},
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}
}
}
}
},
{
"second": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"indices*"
],
"types": ,
"body": {
"size": 100,
"query": {
"bool": {
"must": [
{
"exists": {
"field": "abcMsg"
}
},
{
"range": {
"@timestamp": {
"gte": "now-15m/m",
"lte": "now"
}
}
}
]
}
},
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}
}
}
}
}
]
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},

"actions": {
"email_alert": {
"email": {
"profile": "standard",
"to": [
"'Jennifer 123@gmail.com'"
],
"subject": "{{ctx.payload.hits.hits.0._source.hostname}} {{ctx.payload.hits.hits.0._source.wlstimestamp}} {{ctx.payload.hits.hits.0._source.wlsdomain}} {{ctx.payload.hits.hits.0._source.wlsname}} {{ctx.payload.hits.hits.0._source.msgId}}",
"body": {
"html": "djsghjsakgfdsagksahg"
}
}
},

"log_error": {
  "transform": {
    "script": {
      "source": "\t\t\t def docs = [];\n\t\t\t for (hit in ctx.payload.hits.hits) {\n\t\t\t def update = hit['_source'];\n\t\t\t // Pattern to parse the date/timestamp input.\n\t\t\t DateTimeFormatter input = DateTimeFormatter.ofPattern(\"yyyy-MM-dd'T'HH:mm:ss.SSS'Z'\");\n\t\t\t ZonedDateTime date = ZonedDateTime.parse(hit._source['@timestamp'], input.withZone(ZoneId.of(\"UTC\"))).plusHours(8);\n\t\t\t // Pattern to format the parsed date.\n\t\t\t DateTimeFormatter output = DateTimeFormatter.ofPattern(\"yyyy-MM-dd HH:mm:ss\");\n\t\t\t update['logDate'] = date.format(output);\n\t\t\t docs.add(update);\n\t\t}\n        return ['exceptions_details': docs];",
      "lang": "painless"
    }
  },
  "logging": {
    "category": "watcher.logging.None",
    "level": "info",
    "text": "Found {{ctx.payload.exceptions_details.size}} exceptions in the server logs\n{{#ctx.payload.exceptions_details}}[{{abc}}] {{def}} {{ghi}}  \n{{/ctx.payload.exceptions_details}}"
  }
}

}
}

I want to apply first query to email action and second query to logging action, how could i do

spinscale · January 15, 2020, 10:22am

hey.

please take your time to properly format snippets. This forum supports markdown, please use that to make your JSON more readable and indented. Thanks!

if you use the chain input, your payload changes based on the name of the chain inputs, so it's ctx.payload.first and ctx.payload.second and everything below that.

However, why don't you just use two different watches in that case?

--Alex

system · February 12, 2020, 10:22am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple queries - action on second query if not met after x timeframe Elasticsearch elastic-stack-alerting	3	366	June 4, 2019
Watcher Timestamp showing in EPOCH Elasticsearch elastic-stack-alerting	4	905	October 1, 2021
Elasticsearch watch cannot push alarm emails Elasticsearch elastic-stack-alerting	2	701	June 2, 2020
Watchers: querying for multiple strings in timeframe Elasticsearch elastic-stack-alerting	2	987	August 20, 2020
Error saving watch [1:234] [script] unknown field [query] Elasticsearch elastic-stack-alerting	3	913	March 11, 2022

Create a watch with multiple actions each with a different query

Related topics