Ctx.payload.hits.total returns zero

ravirjn · January 5, 2018, 11:06am

Hi,

I created a watcher in Kibana for sending an email alert on every failed login for root, but it's not working properly. Condition part returns zero hits even after giving wrong password for the root login. Below is the watcher:

{
"trigger": {
"schedule": {
"interval": "10s"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"logs"
],
"types": [],
"body": {
"query": {
"match": {
"message": "Failed password"
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"send_email": {
"email": {
"profile": "standard",
"to": [
"email@domain.com"
],
"subject": "Watcher Notification",
"body": {
"text": "root login failed alert"
}
}
}
}
}

spinscale · January 8, 2018, 8:09am

can you share the output of the [Execute Watch API(https://www.elastic.co/guide/en/elasticsearch/reference/6.1/watcher-api-execute-watch.html) or the latest watch history entry?

Also, please take the time to properly format your message. This forum supports markdown which makes it super simple to include nicely formatted code snippets.

--Alex

ravirjn · January 8, 2018, 10:17am

Here is the output of the watcher.

{
  "watch_id": "Test_ID",
  "state": "execution_not_needed",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2018-01-08T10:05:01.553Z"
    },
    "last_checked": "2018-01-08T10:07:01.868Z",
    "actions": {
      "send_email": {
        "ack": {
          "timestamp": "2018-01-08T10:04:55.058Z",
          "state": "awaits_successful_execution"
        }
      }
    }
  },
  "trigger_event": {
    "type": "schedule",
    "triggered_time": "2018-01-08T10:07:01.868Z",
    "schedule": {
      "scheduled_time": "2018-01-08T10:07:01.594Z"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "logs"
        ],
        "types": [],
        "body": {
          "query": {
            "match": {
              "message": "Failed password"
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "result": {
    "execution_time": "2018-01-08T10:07:01.868Z",
    "execution_duration": 0,
    "input": {
      "type": "search",
      "status": "success",
      "payload": {
        "_shards": {
          "total": 0,
          "failed": 0,
          "successful": 0,
          "skipped": 0
        },
        "hits": {
          "hits": [],
          "total": 0,
          "max_score": 0
        },
        "took": 0,
        "timed_out": false
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "logs"
          ],
          "types": [],
          "body": {
            "query": {
              "match": {
                "message": "Failed password"
              }
            }
          }
        }
      }
    },
    "condition": {
      "type": "compare",
      "status": "success",
      "met": false,
      "compare": {
        "resolved_values": {
          "ctx.payload.hits.total": 0
        }
      }
    },
    "actions": []
  },
  "messages": []
}

spinscale · January 8, 2018, 11:24am

If you read the output, that includes the response of the search in the result.input.payload field, you will see, that your query did not return any documents. Which in turn means the watch acts as expected.

You may need to refine your query.

--Alex

ravirjn · January 9, 2018, 4:40am

I think the problem is with timestamp. The log generation time in kibana and the triggered_time in watcher output are different (different time zones). I went through many discussions in the forum about the same issue, but, no luck.

Please help.

spinscale · January 9, 2018, 8:30am

Your query from the execute watch output does not include any timestamp, so why should this be an issue?

This query did not return anything. Maybe you need to specify logs-* or something?

GET logs/_search
{
  "query": {
    "match": {
      "message": "Failed password"
    }
  }
}

ravirjn · January 9, 2018, 12:08pm

Thanks for the support.

There was a small mistake, I replaced logs with filebeat-*. Now I am getting alerts.

system · February 6, 2018, 12:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ctx.payload.hits.total returns me zero, why? Elasticsearch elastic-stack-alerting	3	1117	July 6, 2017
Watcher not firing Kibana elastic-stack-alerting	2	407	July 27, 2021
Trying to create watcher but getting payload is "ctx.payload.hits.total.value" : null Elasticsearch elastic-stack-alerting	2	3343	April 21, 2020
"compare" : { "ctx.payload.hits.total" : { "gt" : 5}} is not working Elasticsearch elastic-stack-alerting	5	901	November 30, 2018
How to compare ctx.payload.hits.total value to last ctx.payload.hits.total Elasticsearch elastic-stack-alerting	4	1742	June 5, 2018

Ctx.payload.hits.total returns zero

Related topics