Do ctx.trigger.scheduled_time and ctx.execution_time parse correctly in the watch query?

alerting

(Sayakiss) #1

I run,

curl -XGET 'http://localhost:9200/.watch_history*/_search?pretty' -d '{
  "sort" : [
    { "result.execution_time" : "desc" }
  ]
}'

and get:

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "failed" : 0
  },
  "hits" : {
    "total" : 158,
    "max_score" : null,
    "hits" : [ {
      "_index" : ".watch_history-2015.10.09",
      "_type" : "watch_record",
      "_id" : "error-code-watch_0-2015-10-09T07:50:00.428Z",
      "_score" : null,
      "_source":{"watch_id":"error-code-watch","state":"execution_not_needed","trigger_event":{"type":"schedule","triggered_time":"2015-10-09T07:50:00.428Z","schedule":{"scheduled_time":"2015-10-09T07:50:00.000Z"}},"input":{"search":{"request":{"search_type":"query_then_fetch","indices":["logstash*"],"types":[],"body":{"query":{"filtered":{"query":{"query_string":{"query":"error_code:*","analyze_wildcard":true}},"filter":{"bool":{"must":[{"range":{"date":{"from":"{{ctx.trigger.scheduled_time}}","to":null,"include_lower":false,"include_upper":true}}},{"range":{"date":{"from":null,"to":"{{ctx.execution_time}}","include_lower":true,"include_upper":false}}}]}}}}},"indices_options":{"expand_wildcards":"open","ignore_unavailable":false,"allow_no_indices":true}}}},"condition":{"script":{"inline":"ctx.payload.hits.total > 0"}},"messages":[],"result":{"execution_time":"2015-10-09T07:50:00.428Z","execution_duration":3,"input":{"type":"search","status":"success","payload":{"_shards":{"total":5,"failed":0,"successful":5},"hits":{"hits":[],"total":0,"max_score":null},"took":2,"timed_out":false},"search":{"request":{"search_type":"query_then_fetch","indices":["logstash*"],"types":[],"template":{"template":{"query":{"filtered":{"query":{"query_string":{"query":"error_code:*","analyze_wildcard":true}},"filter":{"bool":{"must":[{"range":{"date":{"from":"{{ctx.trigger.scheduled_time}}","to":null,"include_lower":false,"include_upper":true}}},{"range":{"date":{"from":null,"to":"{{ctx.execution_time}}","include_lower":true,"include_upper":false}}}]}}}}},"params":{"ctx":{"metadata":null,"watch_id":"error-code-watch","id":"error-code-watch_0-2015-10-09T07:50:00.428Z","trigger":{"triggered_time":"2015-10-09T07:50:00.428Z","scheduled_time":"2015-10-09T07:50:00.000Z"},"vars":{},"execution_time":"2015-10-09T07:50:00.428Z"}}},"indices_options":{"expand_wildcards":"open","ignore_unavailable":false,"allow_no_indices":true}}}},"condition":{"type":"script","status":"success","met":false},"actions"
:[]}},
      "sort" : [ 1444377000428 ]
    }
...

Please notice:

{"range":{"date":{"from":"{{ctx.trigger.scheduled_time}}","to":null,"include_lower":false,"include_upper":true}}},{"range":{"date":{"from":null,"to":"{{ctx.execution_time}}","include_lower":true,"include_upper":false}}}

Does the fact that {{ctx.trigger.scheduled_time}} and {{ctx.execution_time}} occur here mean they are not parsed correctly?

BTW, I use the code from the documentation to build the SearchRequest:

SearchRequest request = Requests.searchRequest("logstash*").source(searchSource()
                .query(filteredQuery(queryStringQuery("error_code:*").analyzeWildcard(true), boolFilter()
                        .must(rangeFilter("date").gt("{{ctx.trigger.scheduled_time}}"))
                        .must(rangeFilter("date").lt("{{ctx.execution_time}}")))));

(Alexander Reelsen) #2

Hey,

This logging behaviour is correct, because you are not seeing the executed request but a template search request. If you pretty-print the JSON, you can see the following:

template: {
  template: {
    query: {
      filtered: {
        query: { query_string: { query: "error_code:*", analyze_wildcard: true } },
        filter: {
          bool: {
            must: [
              {
                range: {
                  date: {
                    from: "{{ctx.trigger.scheduled_time}}",
                    to: null,
                    include_lower: false,
                    include_upper: true
                  }
                }
              },
              {
                range: {
                  date: {
                    from: null,
                    to: "{{ctx.execution_time}}",
                    include_lower: true,
                    include_upper: false
                  }
                }
              }
            ]
          }
        }
      }
    }
  },
  params: {
    ctx: {
      metadata: null,
      watch_id: "error-code-watch",
      id: "error-code-watch_0-2015-10-09T07:50:00.428Z",
      trigger: {
        triggered_time: "2015-10-09T07:50:00.428Z",
        scheduled_time: "2015-10-09T07:50:00.000Z"
      },
      vars: { },
      execution_time: "2015-10-09T07:50:00.428Z"
    }
  }
}

You can use this as a query by using the /_search/template endpoint.

The reason why this might not work is that you seem to search in a time window of 428 milliseconds - not sure if you intended to do so.

--Alex
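
Added example (not part of the original posts and not Watcher's own code): a simplified Python rendering of the stored template request, substituting the `{{ctx.*}}` placeholders from `params` and measuring the resulting time window. The sample record is constructed from the values quoted in the thread; the regex substitution is a minimal stand-in for Mustache, and all function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the template request quoted above, trimmed to the two
# range filters and the ctx params that feed them.
TEMPLATE_REQUEST = {
    "template": {"query": {"filtered": {"filter": {"bool": {"must": [
        {"range": {"date": {"from": "{{ctx.trigger.scheduled_time}}", "to": None}}},
        {"range": {"date": {"from": None, "to": "{{ctx.execution_time}}"}}},
    ]}}}}},
    "params": {"ctx": {
        "trigger": {"triggered_time": "2015-10-09T07:50:00.428Z",
                    "scheduled_time": "2015-10-09T07:50:00.000Z"},
        "execution_time": "2015-10-09T07:50:00.428Z",
    }},
}

PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")

def lookup(params, dotted):
    """Resolve a dotted path such as ctx.trigger.scheduled_time in params."""
    node = params
    for key in dotted.split("."):
        node = node[key]  # KeyError: the template references a missing value
    return str(node)

def render(node, params):
    """Recursively substitute {{path}} placeholders in every string value."""
    if isinstance(node, dict):
        return {k: render(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [render(v, params) for v in node]
    if isinstance(node, str):
        return PLACEHOLDER.sub(lambda m: lookup(params, m.group(1)), node)
    return node

def window_ms(rendered, field="date"):
    """Width in ms of the window formed by the range filters on `field`."""
    lower = upper = None
    for clause in rendered["query"]["filtered"]["filter"]["bool"]["must"]:
        bounds = clause.get("range", {}).get(field, {})
        lower = bounds.get("from") or lower
        upper = bounds.get("to") or upper
    parse = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")
    return (parse(upper) - parse(lower)) // timedelta(milliseconds=1)

rendered = render(TEMPLATE_REQUEST["template"], TEMPLATE_REQUEST["params"])
print(rendered["query"]["filtered"]["filter"]["bool"]["must"])
print("window:", window_ms(rendered), "ms")
```

Running the same check over each record in `.watch_history*` and comparing the window against the watch's schedule interval shows whether an alerting watch leaves gaps in the events it can see.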


(Sayakiss) #3

Thanks for your detailed reply!

I have noticed my time interval is really small, but that code is from the official Elasticsearch docs. I think the code should be refined so that it will make sense for beginners.

Please see:

https://www.elastic.co/guide/en/watcher/current/api-java.html#api-java-put-watch

