Error saving Slack Action - Watcher: [illegal_argument_exception] no account found for name: [null]

Hello! I'm setting up a watcher (as described here https://www.elastic.co/guide/en/x-pack/current/actions-slack.html) to check for some error-level logs and send a message to a Slack channel when X errors in Y minutes occur.

I have the following Watch JSON:

{
  "trigger": {
    "schedule": {
      "interval": "10m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "app-logs-2018*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "level: Error"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-10m",
                      "lte": "now"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 10
      }
    }
  },
  "actions" : {
    "notify-slack" : {
      "throttle_period" : "5m",
      "slack" : {
        "message" : {
          "to" : [ "#elastic-errors" ], 
          "text" : "Got some errors.  Check logs." 
        }
      }
    }
  }
}

and when I save it I get the error Watcher: [illegal_argument_exception] no account found for name: [null].

Any ideas why I'm seeing this? I've checked that I've enabled the Slack notifications in elasticsearch.yml, adding

xpack.notification.slack:
  account:
    monitoring:
      url: https://hooks.slack.com/services/[URL]

I've done GET _nodes too and it doesn't look like any Slack Watcher notifications are enabled - not sure if this is something that I need to enable in addition to adding my webhook. It was too many characters to post here annoyingly.

Thanks!

Have you restarted the node?

I'm seeing exactly the same thing (ES 5.6.7 and Kibana 5.6.5):

{
  "error": {
    "root_cause": [
      {
        "type": "illegal_argument_exception",
        "reason": "no account found for name: [null]"
      }
    ],
    "type": "illegal_argument_exception",
    "reason": "no account found for name: [null]"
  },
  "status": 400
}

But the following delivers a message to Slack so it seems the basic account has been set up correctly:

> curl -X POST -H 'Content-type: application/json' --data '{"text":"Yipee this one works…"}' https://hooks.slack.com/services/(url)

Here's the post/query:

PUT _xpack/watcher/watch/errors_in_logs
{
  "trigger" : { "schedule" : { "interval" : "10s" }},
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "soe.customers" ],
        "body" : {
          "query" : {
            "match" : { "NLS_TERRITORY" : "JAPAN" }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }} 
  },
  "actions" : {
    "notify-slack" : {
      "transform" : { },
      "throttle_period" : "2m",
      "slack" : {
        "message" : {
          "to" : [ "#watcher_alerts", "@mark.rogers" ],
          "text" : "Encountered  {{ctx.payload.hits.total}} errors in the last 2 minutes (facepalm)"
        }
      }
    }
  }
}

And what I have in the kibana.yml file:

xpack.security.enabled: false
xpack.monitoring.enabled: false
xpack.graph.enabled: false
xpack.reporting.enabled: false

xpack.notification.slack:
    monitoring:
      url: https://hooks.slack.com/services/(url)
      message_defaults:
        from: x-pack
        to: notifications
        icon: http://example.com/images/watcher-icon.jpg
        attachment:
          fallback: "X-Pack Notification"
          color: "#36a64f"
          title: "X-Pack Notification"
          title_link: "https://www.elastic.co/guide/en/x-pack/current/index.html"
          text: "One of your watches generated this notification."

Thanks so much for your assistance with this!

Oh and I can confirm that I did restart the node (only have the one) and it didn't alter the result above.
Thanks.

Hey Mike!

Can you share the output of GET _cluster/settings please? Did you restart all nodes or is this a single node setup?

--Alex

Hi Alex,

Yeah, it's just a single node setup.
Here's the result from running that command:

{
  "persistent": {},
  "transient": {}
}

Thanks!

Oh, I misread your config; it should have been

xpack.notification.slack:
    account:
      monitoring:

That should fix your issue. Note that from 6.2 onwards we are more strict regarding the configuration of those settings, so you will get warnings early on.

--Alex
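
The nesting fix from the reply above, as an added example that is not part of the thread and not Elastic's code: a small Python check that flattens a settings file and flags Slack settings that are not under `xpack.notification.slack.account.<name>`. The function names, the minimal parser (plain nested mappings only) and the placeholder webhook URL are assumptions made for this illustration.

```python
PREFIX = "xpack.notification.slack."

def flatten(yaml_text):
    """Turn indented 'key: value' lines into {dotted.path: value}.
    Assumption: plain nested mappings only (no lists, inline comments or anchors)."""
    settings, stack = {}, []  # stack: (indent, key) of the open parent mappings
    for raw in yaml_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        if value.strip():
            settings[".".join([k for _, k in stack] + [key])] = value.strip()
        else:
            stack.append((indent, key))
    return settings

def check_slack_accounts(yaml_text):
    """Return (account_names, problems) for the Slack notification settings."""
    accounts, problems = set(), []
    for path in flatten(yaml_text):
        if not path.startswith(PREFIX):
            continue
        parts = path[len(PREFIX):].split(".")
        if parts == ["default_account"]:  # names an account, defines none
            continue
        if parts[0] != "account" or len(parts) < 3:
            problems.append(f"{path}: expected {PREFIX}account.<name>.<setting>")
        elif parts[2] == "url":
            accounts.add(parts[1])
    if not accounts:
        problems.append("no Slack account with a url is defined")
    return sorted(accounts), problems

# Constructed samples modelled on the thread; the webhook path is a placeholder.
BROKEN = """\
xpack.notification.slack:
    monitoring:
      url: https://hooks.slack.com/services/PLACEHOLDER
"""
FIXED = """\
xpack.notification.slack:
    account:
      monitoring:
        url: https://hooks.slack.com/services/PLACEHOLDER
"""
for cfg in (BROKEN, FIXED): print(check_slack_accounts(cfg))
```

The checker also accepts the flat, fully dotted form of the same setting, since the flattened path is identical.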
