Ctx.payload.hits.hits not working

Elastic Stack Elasticsearch
1

Hi, below is my watcher content, its not working when add in transform section into it, the whole looping for ctx.payload.hits.hits is not working, the email receive only showing " The alert condition for 'OSB - ni-ecomm-wsc-cust-sync error was triggered:" . After remove the transform section, it's working again, the email receive showing all the results, please advise.

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  }    ,
      "input": {
        "search": {
          "request": {
            "search_type": "query_then_fetch",
        "indices": [
          "websys-weblogic-*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "match_phrase": {
                    "message": "ni-ecomm-wsc-cust-sync error"
                  }
                },
                {
                  "match": {
                    "fields.env": "prod"
                  }
                },
                {
                  "wildcard": {
                    "source.keyword": "/opt/apps/logs/osb-server/weblogic/osb-server*.log"
                  }
                }
              ],
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-15m"
                    }
                  }
                }
              ]
            }
          },
          "sort": [
            {
              "@timestamp": {
                "order": "desc",
                "unmapped_type": "boolean"
              }
            }
          ]
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "xxx@xxx.com"
        ],
        "subject": "(ElasticSearch) OSB - ni-ecomm-wsc-cust-sync error",
        "body": {
          "html": "<html><h3>The alert condition for 'OSB - ni-ecomm-wsc-cust-sync error was triggered:</h3></html><br>{{#ctx.payload.hits.hits}}\tDate: {{_source.@timestamp}}<br>\tHostname:{{_source.host.name}}<br>\tMessage: {{_source.message}}<hr><br>{{/ctx.payload.hits.hits}}"
        }
      }
    }
  },
  **"transform": {**
    **"script": {**
      **"source": "return[ctx.metadata.t1 = Instant.ofEpochMilli(ctx.execution_time.getMillis()).minus(15,** **ChronoUnit.MINUTES)]",**
      **"lang": "painless"**
    **}**
  **},**
  "throttle_period_in_millis": 14400000
}
2

Please take your time and properly format your messages. This makes it impossible to parse the JSON due to the missing indentation and seemingly random formatting. You can use markdown here, so please make use of that.

a script transform needs to return a payload, which your script does not do.

See https://www.elastic.co/guide/en/elastic-stack-overview/7.0/transform-script.html

3

Hi , i have add in "return" in transform, but the {{#ctx.payload.hits.hits}} {{/ctx.payload.hits.hits}} still showing blank result. If i remove the whole transform section, the {{#ctx.payload.hits.hits}} {{/ctx.payload.hits.hits}} is working and showing all the output.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.