Error 400 when creating Watcher with Slack action

Mike_Wurtz · June 1, 2016, 10:24pm

ES 5.0 Alpha 3

I was able to create an alert like this in Alpha 1 and Alpha 2, but not any more.

This request:

    "notify-slack" : {
  "throttle_period" : "15m",
  "slack" : {
    "account" : "monitoring",
    "message" : {
      "from" : "ELK Stack",
      "to" : [ "#elk" ],
      "text" : "Watcher Alert Triggered!",
      "attachments" : [
        {
          "title" : "HSM_DISCONNECTED",
          "text" : "At least {{ctx.payload.hits.total}} events have just occurred...\n<https://10.40.10.118/goto/89d029848dee8f935740dd0314348654|ANALYZE THIS IN KIBANA>\n_Slack will only be notified every 15 minutes for this alert._",
          "color" : "danger"
        }
      ]
    }
  }
}

Is giving me this response:

{
  "error": {
    "root_cause": [
      {
        "type": "parse_exception",
        "reason": "could not parse [slack] action [prod_hsm_disconnected]. unknown slack account [monitoring]"
      }
    ],
    "type": "parse_exception",
    "reason": "could not parse [slack] action [prod_hsm_disconnected]. unknown slack account [monitoring]"
  },
  "status": 400
}

and I've verified this config is on my ES nodes:

xpack.notification.slack.service:
  account:
    monitoring:
      url: https://hooks.slack.com/services/webhookurl
      message_defaults:
        from: Watcher

spinscale · June 2, 2016, 11:35am

Hey,

try xpack.notification.slack: instead of xpack.notification.slack.service:

--Alex

Mike_Wurtz · June 2, 2016, 11:28pm

Done. Looks like I'm getting the same response:

{
  "error": {
    "root_cause": [
      {
        "type": "parse_exception",
        "reason": "could not parse [slack] action [prod_hsm_disconnected]. unknown slack account [monitoring]"
      }
    ],
    "type": "parse_exception",
    "reason": "could not parse [slack] action [prod_hsm_disconnected]. unknown slack account [monitoring]"
  },
  "status": 400
}

spinscale · June 6, 2016, 11:18am

Hey,

just tested this locally and it works, so lets try to find the differences:

my elasticsearch.yml

xpack.notification.slack:
  account:
    monitoring:
      url: https://hooks.slack.com/services/MY_CREDS
      message_defaults:
        from: Watcher

the watch

PUT _xpack/watcher/watch/my-watch
{
  "trigger": {
    "schedule": {
      "interval": "10s"
    }
  },
  "input": {
    "http": {
      "request": {
        "host": "localhost",
        "port": 9200,
        "path": "/_cluster/health"
      }
    }
  },
  "actions": {
    "logging": {
      "logging": {
        "text": "{{ctx}}"
      }
    },
    "notify-slack": {
      "slack": {
        "account": "monitoring",
        "message": {
          "from": "ELK Stack",
          "to": [
            "#watcher-test"
          ],
          "text": "Watcher Alert Triggered!",
          "attachments": [
            {
              "title": "HSM_DISCONNECTED",
              "text": "At least {{ctx.payload.hits.total}} events have just occurred...\n<https://10.40.10.118/goto/89d029848dee8f935740dd0314348654|ANALYZE THIS IN KIBANA>\n_Slack will only be notified every 15 minutes for this alert._",
              "color": "danger"
            }
          ]
        }
      }
    }
  }
}

Can you spot a difference?

--Alex

Mike_Wurtz · June 6, 2016, 7:50pm

I'm unable to spot a difference.. I feel like the issue is where the "monitoring" account is suppose to be configured on the ES noes.. Is there a ES or Watcher API method that should expose the "monitoring" account that is configuerd for verification?

spinscale · June 7, 2016, 6:54am

Hey,

can you upload your config file somewhere? Maybe it's just an indendation issue? Also is the monitoring account configured in all elasticsearch.yml config files?

--Alex

spinscale · June 7, 2016, 7:17pm

Hey,

the file still lists xpack.notification.slack.service instead of xpack.notification.slack?

looks good otherwise.

--Alex

Mike_Wurtz · June 7, 2016, 7:34pm

Sorry, sent the yml from the wrong instance.. Please review this:

kiran_karnam · September 1, 2016, 8:44pm

Hi,

Facing the same issue with elastic search 2.3.5 the logs say
[watcher.actions.slack.service] default slack account set to [monitoring]

but when i do a put i see the following error
{"error":{"root_cause":[{"type":"parse_exception","reason":"could not parse [slack] action [cluster_health_watch/null]. unknown slack account [monitoring]"}],"type":"parse_exception","reason":"could not parse [slack] action [cluster_health_watch/null]. unknown slack account [monitoring]"},"status":400}

any clues what might be wrong?

spinscale · September 5, 2016, 3:50pm

@kiran_karnam can you please create a new issue, including your configuration, your example watch and all error messages/ stack traces that you got. This issue is about elasticsearch 5.0 and we should not clutter it with 2.3.5 infos.

Thanks!