ctx.payload.hits.total.value in condition not working

Hello, I'm trying to configure a watch that gets event logs from winlogbeat. In my condition I compare "ctx.payload.hits.total.value" in order to take actions when it is greater than 10, but my condition is always false. I have seen the following output in the watch history:

"condition" : {
"type" : "compare",
"status" : "success",
"met" : false,
"compare" : {
"resolved_values": {
"ctx.payload.hits.total.value" : null
}
}
}
It seems I don't get this value from the payload.
Could someone please help me with this issue? I have no idea where the problem could be... Thank you in advance.

Can you paste the complete output of the Execute Watch API? Thanks!

Hello,
Alexander, below you can find the execute output. Thank you very much for your help!!
{
"_id" : "eventid_9149a5e7-1009-4227-b312-e8acaca1c193-2019-08-19T11:40:23.8364Z",
"watch_record" : {
"watch_id" : "eventid",
"node" : "ZynV4iTUSi2zUDwY6DGEBg",
"state" : "execution_not_needed",
"status" : {
"state" : {
"active" : true,
"timestamp" : "2019-08-19T10:44:07.875Z"
},
"last_checked" : "2019-08-19T11:40:23.836Z",
"actions" : {
"identificador_accion" : {
"ack" : {
"timestamp" : "2019-08-19T10:44:07.875Z",
"state" : "awaits_successful_execution"
}
}
},
"execution_state" : "execution_not_needed",
"version" : 57
},
"trigger_event" : {
"type" : "manual",
"triggered_time" : "2019-08-19T11:40:23.836Z",
"manual" : {
"schedule" : {
"scheduled_time" : "2019-08-19T11:40:23.836Z"
}
}
},
"input" : {
"search" : {
"request" : {
"search_type" : "query_then_fetch",
"indices" : [
"winlogbeat*"
],
"rest_total_hits_as_int" : true,
"body" : {
"query" : {
"bool" : {
"must" : {
"match" : {
"EventID" : 4625
}
}
}
}
}
}
}
},
"condition" : {
"compare" : {
"ctx.payload.hits.total.value" : {
"gte" : 10
}
}
},
"result" : {
"execution_time" : "2019-08-19T11:40:23.836Z",
"execution_duration" : 0,
"input" : {
"type" : "search",
"status" : "success",
"payload" : {
"_shards" : {
"total" : 1,
"failed" : 0,
"successful" : 1,
"skipped" : 0
},
"hits" : {
"hits" : [ ],
"total" : 0,
"max_score" : null
},
"took" : 0,
"timed_out" : false
},
"search" : {
"request" : {
"search_type" : "query_then_fetch",
"indices" : [
"winlogbeat*"
],
"rest_total_hits_as_int" : true,
"body" : {
"query" : {
"bool" : {
"must" : {
"match" : {
"EventID" : 4625
}
}
}
}
}
}
}
},
"condition" : {
"type" : "compare",
"status" : "success",
"met" : false,
"compare" : {
"resolved_values" : {
"ctx.payload.hits.total.value" : null
}
}
},
"actions" : [ ]
},
"messages" :

Check the result section of your JSON. You will see that your search did not return any hits, so not triggering the condition sounds good to me.

Also make sure the path to your field is the right one, as by default in Watcher 7 rest_total_hits_as_int is set to true in order to retain BWC.

Hello Alexander, thank you for your answer.
I think, then, the problem should be the path, because when I put "always" as the condition my watch works fine.
But I can't find what is wrong... As you can see in the picture, I need to use as the condition the hits value, which is 58, and the path I have configured is ctx.payload.hits.total.value. Could you confirm if this is correct? Thank you again for your help.


That's why I mentioned that parameter above, as it changes the data structure of the search response. Explicitly set it in the search input in Watcher as well and then things should work.

Thank you very much Alexander!!!!!!
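
The path mismatch discussed in this thread, as an added example that is not part of the original posts and not Watcher's own code: a Python sketch that resolves a dotted compare path against both `hits.total` shapes and lints a watch definition for the mismatch. The helper names and the 58-hit sample payloads are constructed for illustration; the default of `rest_total_hits_as_int` being true is taken from the reply above.

```python
# Added example: models dotted-path resolution against the two response
# shapes. Helper names are hypothetical; this is not Watcher's implementation.

def resolve(ctx, path):
    """Walk a dotted path; return None when a segment cannot be followed."""
    node = ctx
    for key in path.split(".")[1:]:          # drop the leading "ctx"
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def condition_met(ctx, path, gte):
    """A null or non-numeric value never satisfies the comparison."""
    value = resolve(ctx, path)
    return isinstance(value, (int, float)) and value >= gte

def lint_watch(watch):
    """Flag compare paths that do not match the configured hits.total shape."""
    request = watch["input"]["search"]["request"]
    # Per the thread, Watcher 7 defaults rest_total_hits_as_int to true.
    as_int = request.get("rest_total_hits_as_int", True)
    findings = []
    for path in watch["condition"]["compare"]:
        if as_int and path.endswith("hits.total.value"):
            findings.append(f"{path}: hits.total is an integer, drop '.value'")
        elif not as_int and path.endswith("hits.total"):
            findings.append(f"{path}: hits.total is an object, append '.value'")
    return findings

# Constructed sample payloads: 58 matching events in both response shapes.
CTX_INT = {"payload": {"hits": {"total": 58, "hits": []}}}
CTX_OBJ = {"payload": {"hits": {"total": {"value": 58, "relation": "eq"},
                                "hits": []}}}

# Watch from the thread (query body omitted), flag as in the execute output.
WATCH = {
    "input": {"search": {"request": {"indices": ["winlogbeat*"],
                                     "rest_total_hits_as_int": True}}},
    "condition": {"compare": {"ctx.payload.hits.total.value": {"gte": 10}}},
}

if __name__ == "__main__":
    path = "ctx.payload.hits.total.value"
    print("integer shape:", resolve(CTX_INT, path), condition_met(CTX_INT, path, 10))
    print("object shape: ", resolve(CTX_OBJ, path), condition_met(CTX_OBJ, path, 10))
    print("lint:", lint_watch(WATCH))
```

Running such a lint over stored watches catches alerting rules, like this one on EventID 4625, that report `"status" : "success"` while never being able to fire.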
