Elasticsearch Alerting Watcher

Hello,
I have a watcher sending email notifications with a log file attachment. I was hoping to add a URL to the notification alert which will direct the email recipient to the errors received. When the URL is clicked, it should take the user straight to the Kibana page with these errors. Is there a way this can be accomplished?
Thanks in advance

PUT _watcher/watch/Error_log
{
  "trigger": {
    "schedule": {
      "interval": "30m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "indices"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": {
                "match": {
                  "responses": 404
                }
              },
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-35m"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 5
      }
    }
  },
  "actions": {
    "log": {
      "logging": {
        "level": "info",
        "text": "Errors"
      }
    },
    "email_action": {
      "email": {
        "profile": "standard",
        "attachments": {
          "error_data": {
            "data": {
              "format": "json"
            }
          }
        },
        "to": [
          "recipient@domain.com"
        ],
        "subject": " Encountered {{ctx.payload.hits.total}} errors ",
        "body": {
          "text": "Too many 404 error in the system, see attached data"
        }
      }
    }
  },
  "metadata": {
    "xpack": {
      "type": "json"
    }
  }
}
  

You do have some options here. Since it looks like your query is pretty simple, you could create a Saved Search from Discover and then send a link to your Discover page. You could also add your Saved Search to a dashboard and link to it instead. In both cases your link can include a time range.

Thanks. I will consider that

I was able to create a watcher to accomplish that, in case anyone would like to replicate it. It works by creating a saved object of the query and sending the URL in the email action. Size can be increased. Feel free to provide comments or any areas of improvement.

{
  "trigger": {
    "schedule": {
      "interval": "30m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "indices*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 5,
          "query": {
            "bool": {
              "must": {
                "query_string": {
                  "query": "sc-status:[403 TO 503]"
                }
              },
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-35m"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "log": {
      "logging": {
        "level": "info",
        "text": "We got the expected error"
      }
    },
    "email_action": {
      "email": {
        "profile": "standard",
        "to": [
          "admin@domain.com"
        ],
        "subject": " Encountered {{ctx.payload.hits.total}} errors of HTTP Status Code [404] ",
        "body": {
          "html": "Query Link: https://kibana:5601/goto/c5f1eafka5ag11233"
        }
      }
    }
  }
}
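As an added example (not code from this thread or from Elastic), here is a small Python script that generates the watch above with the Kibana link built rather than pasted in. It assumes the Kibana 7.x-style Discover deep link `<base>/app/discover#/view/<saved-search-id>?_g=(time:(from:...,to:...))`, that the saved search already exists, and that the lookback in the link should match the `now-35m` range filter of the watch; the hostname, saved-search id and recipient are made up. The script validates the saved-search id and requires an https base URL so nothing unexpected can end up in the mailed link, keeps the link in the watch `metadata` and references it as `{{ctx.metadata.kibana_link}}`, and serialises with `json.dumps` so the `PUT` body cannot contain the kind of trailing comma that breaks the first watch in this thread.

```python
"""Generate a Watcher definition whose e-mail carries a Kibana Discover link.

Added example, not from the thread. Assumptions (also marked in comments):
Kibana Discover links of the form
<base>/app/discover#/view/<saved-search-id>?_g=(time:(from:...,to:...));
the saved search exists; hostnames, ids and addresses below are made up.
"""
import json
import re
from urllib.parse import urlsplit

# Saved-object ids are opaque strings; restrict them so a stray id cannot inject URL syntax.
SAVED_SEARCH_ID = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,127}$")
# Kibana relative time expressions: now, now-35m, now-1d/d, ...
RELATIVE_TIME = re.compile(r"^now(?:[-+]\d+[smhdwMy])?(?:/[smhdwMy])?$")
# Absolute UTC timestamps as Kibana writes them into _g.
ABSOLUTE_TIME = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{3})?Z$")


def rison_time(value):
    """Render one time bound in the rison syntax Kibana uses for the _g parameter."""
    if RELATIVE_TIME.match(value):
        return value                  # relative expressions are legal unquoted rison
    if ABSOLUTE_TIME.match(value):
        return "'" + value + "'"      # absolute timestamps contain ':' and must be quoted
    raise ValueError("unsupported time bound: %r" % value)


def discover_url(kibana_base, saved_search_id, time_from, time_to="now"):
    """Build the Discover link for a saved search, pinned to a time range (assumed URL layout)."""
    parts = urlsplit(kibana_base)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("kibana_base must be an absolute https:// URL")
    if not SAVED_SEARCH_ID.match(saved_search_id):
        raise ValueError("unexpected saved search id: %r" % saved_search_id)
    g = "(time:(from:%s,to:%s))" % (rison_time(time_from), rison_time(time_to))
    return "%s/app/discover#/view/%s?_g=%s" % (kibana_base.rstrip("/"), saved_search_id, g)


def build_watch(kibana_base, saved_search_id, lookback="35m",
                recipients=("admin@example.invalid",)):
    """Return the watch body; the search window and the link share one lookback."""
    window = "now-" + lookback
    link = discover_url(kibana_base, saved_search_id, window)
    return {
        "trigger": {"schedule": {"interval": "30m"}},
        "input": {"search": {"request": {
            "indices": ["indices*"],
            "rest_total_hits_as_int": True,
            "body": {
                "size": 5,
                "query": {"bool": {
                    "must": {"query_string": {"query": "sc-status:[403 TO 503]"}},
                    "filter": {"range": {"@timestamp": {"gte": window}}},
                }},
            },
        }}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {"email_action": {"email": {
            "profile": "standard",
            "to": list(recipients),
            "subject": "Encountered {{ctx.payload.hits.total}} HTTP errors",
            # The link lives in metadata and is referenced from the template,
            # so the URL appears exactly once in the watch definition.
            "body": {"html": "<p>Query link: <a href=\"{{ctx.metadata.kibana_link}}\">"
                             "open these errors in Kibana</a></p>"},
        }}},
        "metadata": {"kibana_link": link},
    }


def watch_json(kibana_base, saved_search_id, lookback="35m"):
    """Serialise with json.dumps so the PUT body is guaranteed to be valid JSON."""
    return json.dumps(build_watch(kibana_base, saved_search_id, lookback), indent=2)


if __name__ == "__main__":
    # Constructed values: PUT the printed body to _watcher/watch/<name> in your own cluster.
    print(watch_json("https://kibana.example.invalid:5601", "example-saved-search"))
```

Two caveats worth knowing when you use this: a relative window such as `now-35m` in the link is evaluated when the recipient clicks, not when the watch fired, so if the mail is read hours later the Discover page shows a different window than the one that triggered the alert (`rison_time` accepts absolute ISO timestamps for links that should stay fixed), and the `/goto/...` short URL in the watch above points at a stored Kibana object that anyone with the mail can open, so keep the recipient list to people who already have access to those indices.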
