Ctx.payload.hits.total returns zero

Hi,

I created a watcher in Kibana for sending an email alert on every failed login for root, but it's not working properly. The condition part returns zero hits even after giving a wrong password for the root login. Below is the watcher:

```json
{
  "trigger": {
    "schedule": {
      "interval": "10s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "logs"
        ],
        "types": [],
        "body": {
          "query": {
            "match": {
              "message": "Failed password"
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "email@domain.com"
        ],
        "subject": "Watcher Notification",
        "body": {
          "text": "root login failed alert"
        }
      }
    }
  }
}
```

Can you share the output of the [Execute Watch API](https://www.elastic.co/guide/en/elasticsearch/reference/6.1/watcher-api-execute-watch.html) or the latest watch history entry?

Also, please take the time to properly format your message. This forum supports markdown which makes it super simple to include nicely formatted code snippets.

--Alex

Here is the output of the watcher.

```json
{
  "watch_id": "Test_ID",
  "state": "execution_not_needed",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2018-01-08T10:05:01.553Z"
    },
    "last_checked": "2018-01-08T10:07:01.868Z",
    "actions": {
      "send_email": {
        "ack": {
          "timestamp": "2018-01-08T10:04:55.058Z",
          "state": "awaits_successful_execution"
        }
      }
    }
  },
  "trigger_event": {
    "type": "schedule",
    "triggered_time": "2018-01-08T10:07:01.868Z",
    "schedule": {
      "scheduled_time": "2018-01-08T10:07:01.594Z"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "logs"
        ],
        "types": [],
        "body": {
          "query": {
            "match": {
              "message": "Failed password"
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "result": {
    "execution_time": "2018-01-08T10:07:01.868Z",
    "execution_duration": 0,
    "input": {
      "type": "search",
      "status": "success",
      "payload": {
        "_shards": {
          "total": 0,
          "failed": 0,
          "successful": 0,
          "skipped": 0
        },
        "hits": {
          "hits": [],
          "total": 0,
          "max_score": 0
        },
        "took": 0,
        "timed_out": false
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "logs"
          ],
          "types": [],
          "body": {
            "query": {
              "match": {
                "message": "Failed password"
              }
            }
          }
        }
      }
    },
    "condition": {
      "type": "compare",
      "status": "success",
      "met": false,
      "compare": {
        "resolved_values": {
          "ctx.payload.hits.total": 0
        }
      }
    },
    "actions": []
  },
  "messages": []
}
```

If you read the output, which includes the response of the search in the `result.input.payload` field, you will see that your query did not return any documents, which in turn means the watch acts as expected.

You may need to refine your query.

--Alex

I think the problem is with the timestamp. The log generation time in Kibana and the `triggered_time` in the watcher output are different (different time zones). I went through many discussions in the forum about the same issue, but no luck.

Please help.

Your query from the execute watch output does not include any timestamp, so why should this be an issue?

This query did not return anything. Maybe you need to specify `logs-*` or something?

```
GET logs/_search
{
  "query": {
    "match": {
      "message": "Failed password"
    }
  }
}
```

Thanks for the support.

There was a small mistake: I replaced `logs` with `filebeat-*`. Now I am getting alerts.
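The execute-watch output quoted above already contained the clue to the fix: `result.input.payload._shards.total` is `0`, meaning no shard (and therefore no index) was searched at all, which is a different failure from "the index exists but nothing matched". The script below is an added example (not from the thread or from Elastic) that reads an execute-watch response, evaluates the `compare` condition the same way the watch does, and reports which of the two cases applies. The sample response is constructed to mirror the fields shown in this thread; the `hits.total` handling for the newer `{"value": ..., "relation": ...}` shape is an addition that goes beyond the 6.1 output shown here.

```python
import json

# Constructed sample modelled on the execute-watch output quoted in the thread.
# Only the fields needed for the diagnosis are reproduced.
SAMPLE_EXECUTE_OUTPUT = json.loads("""
{
  "watch_id": "Test_ID",
  "input": {"search": {"request": {"indices": ["logs"]}}},
  "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
  "result": {
    "input": {
      "type": "search",
      "status": "success",
      "payload": {
        "_shards": {"total": 0, "failed": 0, "successful": 0, "skipped": 0},
        "hits": {"hits": [], "total": 0, "max_score": 0},
        "took": 0,
        "timed_out": false
      }
    },
    "condition": {"type": "compare", "status": "success", "met": false}
  }
}
""")

# Comparison operators supported by the Watcher "compare" condition.
OPS = {
    "eq": lambda a, b: a == b,
    "not_eq": lambda a, b: a != b,
    "gt": lambda a, b: a > b,
    "gte": lambda a, b: a >= b,
    "lt": lambda a, b: a < b,
    "lte": lambda a, b: a <= b,
}


def resolve_path(ctx, dotted):
    """Walk a dotted path such as 'ctx.payload.hits.total' through nested dicts/lists."""
    cur = {"ctx": ctx}
    for part in dotted.split("."):
        cur = cur[int(part)] if isinstance(cur, list) else cur[part]
    return cur


def hits_total(payload):
    """hits.total is an integer in 6.x and an object {'value', 'relation'} in 7.x and later."""
    total = payload["hits"]["total"]
    return total["value"] if isinstance(total, dict) else total


def evaluate_compare(ctx, compare):
    """Evaluate a Watcher 'compare' condition body ({path: {op: value}}) against a context."""
    (path, spec), = compare.items()
    (op, expected), = spec.items()
    return OPS[op](resolve_path(ctx, path), expected)


def diagnose(execute_output):
    """Classify why a search-input watch did or did not fire.

    Returns (code, detail) where code is one of:
      input_failed, no_index_matched, shard_failures,
      no_matching_documents, documents_matched.
    """
    inp = execute_output["result"]["input"]
    if inp["status"] != "success":
        return "input_failed", inp.get("error", "search input did not succeed")
    payload = inp["payload"]
    indices = execute_output["input"]["search"]["request"]["indices"]
    shards = payload["_shards"]
    if shards["total"] == 0:
        # No shard was searched: the index names/pattern matched nothing
        # (the situation in this thread, where 'logs' should have been 'filebeat-*').
        return "no_index_matched", f"no shards searched for indices {indices}"
    if shards["failed"] > 0:
        return "shard_failures", f"{shards['failed']} of {shards['total']} shards failed"
    if hits_total(payload) == 0:
        return "no_matching_documents", "indices exist but the query matched no documents"
    return "documents_matched", f"{hits_total(payload)} matching documents"


if __name__ == "__main__":
    code, detail = diagnose(SAMPLE_EXECUTE_OUTPUT)
    payload = SAMPLE_EXECUTE_OUTPUT["result"]["input"]["payload"]
    met = evaluate_compare({"payload": payload}, SAMPLE_EXECUTE_OUTPUT["condition"]["compare"])
    print(f"condition met: {met}; diagnosis: {code} ({detail})")
```

Run against the thread's own output the diagnosis is `no_index_matched`, which points straight at the index list rather than at the query text or timestamps. The same function distinguishes that case from a real "no documents matched", where `_shards.total` is non-zero and refining the query is the right next step.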

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.