Elasticsearch Alerting Watcher

Elastic Stack Kibana
1

Hello,
I have a watcher sending email notifications with a log file attachment. I was hoping to add a url to the notification alert which will direct the email recipient to the errors received. When the url is clicked, it should take the user straight to the Kibana page with these errors. Is there a way this can be accomplished?
Thanks in advance

PUT _watcher/watch/Error_log
{
  "trigger": {
    "schedule": {
      "interval": "30m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "indices"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": {
                "match": {
                  "responses": 404
                }
              },
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-35m"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 5
      }
    }
  },
  "actions": {
    "log": {
      "logging": {
        "level": "info",
        "text": "Errors"
      }
    },
    "email_action": {
      "email": {
        "profile": "standard",
        "attachments": {
          "error_data": {
            "data": {
              "format": "json"
            }
          },
        },
        "to": [
          "recipient@domain.com"
        ],
        "subject": " Encountered {{ctx.payload.hits.total}} errors ",
        "body": {
          "text": "Too many 404 error in the system, see attached data"
        }
      }
    }
  },
  "metadata": {
    "xpack": {
      "type": "json"
    }
  }
}
2

You do have some options here. Since it looks like your query is pretty simple, you could create a Saved Search from Discover and then send a link to your Discover page. You could also add your Saved Search to a dashboard and link to it instead. In both cases your link can include a time range.

3

Thanks. I will consider that

4

I was able to create a watcher to accomplish that. In case anyone would like to replicate. It works with creating a saved object of the query and sending the URL in the email action. Size can be increased. Feel free to provide comments or any areas of improvement.

{
  "trigger": {
    "schedule": {
      "interval": "30m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "indices*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 5,
          "query": {
            "bool": {
              "must": {
                "query_string": {
                  "query": "sc-status:[403 TO 503]"
                }
              },
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-35m"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "log": {
      "logging": {
        "level": "info",
        "text": "We got the expected error"
      }
    },
    "email_action": {
      "email": {
        "profile": "standard",
        "to": [
          "admin@domain.com"
        ],
        "subject": " Encountered {{ctx.payload.hits.total}} errors of HTTP Status Code [404] ",
        "body": {
          "html": "Query Link: https://kibana:5601/goto/c5f1eafka5ag11233"
        }
      }
    }
  }
}
5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.