Create a watch with multiple actions each with a different query

```json
{
  "input": {
    "chain": {
      "inputs": [
        {
          "first": {
            "search": {
              "request": {
                "search_type": "query_then_fetch",
                "indices": [
                  "indices*"
                ],
                "types": [],
                "body": {
                  "size": 10,
                  "query": {
                    "bool": {
                      "must": [
                        {
                          "simple_query_string": {
                            "query": "(123)",
                            "fields": [
                              "Message"
                            ]
                          }
                        },
                        {
                          "range": {
                            "@timestamp": {
                              "gte": "now-15m/m",
                              "lte": "now"
                            }
                          }
                        }
                      ]
                    }
                  },
                  "sort": [
                    {
                      "@timestamp": {
                        "order": "desc"
                      }
                    }
                  ]
                }
              }
            }
          }
        },
        {
          "second": {
            "search": {
              "request": {
                "search_type": "query_then_fetch",
                "indices": [
                  "indices*"
                ],
                "types": [],
                "body": {
                  "size": 100,
                  "query": {
                    "bool": {
                      "must": [
                        {
                          "exists": {
                            "field": "abcMsg"
                          }
                        },
                        {
                          "range": {
                            "@timestamp": {
                              "gte": "now-15m/m",
                              "lte": "now"
                            }
                          }
                        }
                      ]
                    }
                  },
                  "sort": [
                    {
                      "@timestamp": {
                        "order": "desc"
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      ]
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "email_alert": {
      "email": {
        "profile": "standard",
        "to": [
          "'Jennifer 123@gmail.com'"
        ],
        "subject": "{{ctx.payload.hits.hits.0._source.hostname}} {{ctx.payload.hits.hits.0._source.wlstimestamp}} {{ctx.payload.hits.hits.0._source.wlsdomain}} {{ctx.payload.hits.hits.0._source.wlsname}} {{ctx.payload.hits.hits.0._source.msgId}}",
        "body": {
          "html": "djsghjsakgfdsagksahg"
        }
      }
    },
    "log_error": {
      "transform": {
        "script": {
          "source": "\t\t\t def docs = [];\n\t\t\t for (hit in ctx.payload.hits.hits) {\n\t\t\t def update = hit['_source'];\n\t\t\t // Pattern to parse the date/timestamp input.\n\t\t\t DateTimeFormatter input = DateTimeFormatter.ofPattern(\"yyyy-MM-dd'T'HH:mm:ss.SSS'Z'\");\n\t\t\t ZonedDateTime date = ZonedDateTime.parse(hit._source['@timestamp'], input.withZone(ZoneId.of(\"UTC\"))).plusHours(8);\n\t\t\t // Pattern to format the parsed date.\n\t\t\t DateTimeFormatter output = DateTimeFormatter.ofPattern(\"yyyy-MM-dd HH:mm:ss\");\n\t\t\t update['logDate'] = date.format(output);\n\t\t\t docs.add(update);\n\t\t}\n        return ['exceptions_details': docs];",
          "lang": "painless"
        }
      },
      "logging": {
        "category": "watcher.logging.None",
        "level": "info",
        "text": "Found {{ctx.payload.exceptions_details.size}} exceptions in the server logs\n{{#ctx.payload.exceptions_details}}[{{abc}}] {{def}} {{ghi}}  \n{{/ctx.payload.exceptions_details}}"
      }
    }
  }
}
```

I want to apply the first query to the email action and the second query to the logging action. How could I do that?

hey.

please take your time to properly format snippets. This forum supports markdown, please use that to make your JSON more readable and indented. Thanks!

If you use the chain input, your payload changes based on the name of the chain inputs, so it's `ctx.payload.first` and `ctx.payload.second` and everything below that.

However, why don't you just use two different watches in that case?

--Alex
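With the chain-input namespacing from the reply applied, the `condition` and `actions` of the watch in the question could look like the following. This is an added example, not part of the original thread: it assumes the chain input stays as posted (inputs named `first` and `second`), uses Watcher's per-action `condition` so each action fires only on its own query, and leaves out the date reformatting from the original transform script and most of the subject fields for brevity.

```json
{
  "condition": {
    "script": {
      "lang": "painless",
      "source": "return ctx.payload.first.hits.total > 0 || ctx.payload.second.hits.total > 0;"
    }
  },
  "actions": {
    "email_alert": {
      "condition": {
        "compare": { "ctx.payload.first.hits.total": { "gt": 0 } }
      },
      "email": {
        "profile": "standard",
        "to": [ "'Jennifer 123@gmail.com'" ],
        "subject": "{{ctx.payload.first.hits.hits.0._source.hostname}} {{ctx.payload.first.hits.hits.0._source.msgId}}",
        "body": { "html": "djsghjsakgfdsagksahg" }
      }
    },
    "log_error": {
      "condition": {
        "compare": { "ctx.payload.second.hits.total": { "gt": 0 } }
      },
      "transform": {
        "script": {
          "lang": "painless",
          "source": "def docs = []; for (hit in ctx.payload.second.hits.hits) { docs.add(hit._source); } return ['exceptions_details': docs];"
        }
      },
      "logging": {
        "level": "info",
        "text": "Found {{ctx.payload.exceptions_details.size}} exceptions in the server logs"
      }
    }
  }
}
```

The watch-level condition passes when either query has hits; the action-level conditions are evaluated against the untransformed chain payload, so the `log_error` transform does not affect the `email_alert` check.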
