Error watcher with multiple terms and a metric

Juan_David_Jaramillo · August 26, 2021, 5:16pm

Hello, good people.
I have a problem with an alert, I get the following error:

{
  "watch_id": "_inlined_",
  "node": "ELuSGxpSRICZb2ZHJp4paA",
  "state": "failed",
  "user": "elastic",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2021-08-26T17:14:34.455Z"
    },
    "actions": {
      "email_1": {
        "ack": {
          "timestamp": "2021-08-26T17:14:34.455Z",
          "state": "awaits_successful_execution"
        }
      }
    },
    "execution_state": "failed",
    "version": -1
  },
  "trigger_event": {
    "type": "manual",
    "triggered_time": "2021-08-26T17:14:34.460Z",
    "manual": {
      "schedule": {
        "scheduled_time": "2021-08-26T17:14:34.460Z"
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "uniandes*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-2m/m",
                    "lt": "now/m"
                  }
                }
              }
            },
            "aggs": {
              "terms": {
                "size": 10,
                "field": "Sysname.keyword"
              },
              "terms2": {
                "size": 10,
                "field": "IP.keyword"
              },
              "metricAgg": {
                "max": {
                  "field": "State"
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "if (ctx.payload.aggregations.metricAgg.value == params.threshold) { return true; } return false;",
      "lang": "painless",
      "params": {
        "threshold": 0
      }
    }
  },
  "metadata": {
    "name": "Alerta Estado uniandes",
    "xpack": {
      "type": "json"
    }
  },
  "result": {
    "execution_time": "2021-08-26T17:14:34.460Z",
    "execution_duration": 0,
    "input": {
      "type": "search",
      "status": "failure",
      "error": {
        "root_cause": [
          {
            "type": "parsing_exception",
            "reason": "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
            "line": 1,
            "col": 95
          }
        ],
        "type": "parsing_exception",
        "reason": "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
        "line": 1,
        "col": 95
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "uniandes*"
          ],
          "rest_total_hits_as_int": true,
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": {
                  "range": {
                    "@timestamp": {
                      "gte": "now-2m/m",
                      "lt": "now/m"
                    }
                  }
                }
              },
              "aggs": {
                "terms": {
                  "size": 10,
                  "field": "Sysname.keyword"
                },
                "terms2": {
                  "size": 10,
                  "field": "IP.keyword"
                },
                "metricAgg": {
                  "max": {
                    "field": "State"
                  }
                }
              }
            }
          }
        }
      }
    },
    "actions": []
  },
  "messages": [
    "failed to execute watch input"
  ]
}

this is my code:

{
  "trigger": {
    "schedule": {
      "interval": "2m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "uniandes*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": 
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-2m/m",
                      "lt": "now/m"
                    }
                  }
                }
                },
                "aggs":{
                    "terms": {
                        "size": 10,
                        "field": "Sysname.keyword"
                    },
                    "terms2":{
                        "size": 10,
                        "field":"IP.keyword"
                    },
                    "metricAgg":{
                        "max":{
                            "field":"State"
                        }
                    }
                }
        
              
          }    
            
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "if (ctx.payload.aggregations.metricAgg.value == params.threshold) { return true; } return false;",
      "lang": "painless",
      "params": {
        "threshold": 0
      }
    }
  },
  "actions": {
    "email_1": {
      "throttle_period_in_millis": 86400000,
      "email": {
        "profile": "standard",
        "attach_data": {
          "format": "yaml"
        },
        "to": [
          
          "juan.jaramillo@megadvantage.com"
        ],
        
        "bcc": [
          "juancho.jaramillo16@gmail.com"
        ],
        "subject": "{{ctx.metadata.name}} ",
        "body": {
          "text": """
          🚨ALerta Host!! el Estado del equipo {{}} con la IP {{ctx.payload.terms}} ha excedido el umbral, para mas informacion ingrese al siguiente enlace:
          
          """
        }
      }
    }
  },
  "transform": {
    "script": {
      "source": """
        return [
        'local_execution_time' : ctx.trigger.triggered_time.withZoneSameInstant(ZoneId.of('America/Bogota')).format(DateTimeFormatter.ofPattern('YYYY-MM-dd HH:mm:ss')),
        'terms' : ctx.payload.aggregations.terms,
        'terms2': ctx.payload.aggregations.terms2,
        'metricAgg' : ctx.payload.aggregations.metricAgg.value
          ]
      """,
      "lang": "painless"
    }
  }
}

I hope you can help me, as this is very important, thank you very much!

stephenb · August 26, 2021, 11:22pm

You have several syntax errors in your query...

It is best practice to debug your query in dev tools before trying in watcher

Your Query is not enclosed before the aggs
Plus your term aggs are malformed

This should be proper syntax

GET uniandes*_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "now-2m/m",
            "lt": "now/m"
          }
        }
      }
    }
  }, <!--- Was Not Closed 
  "aggs": {
    "my-terms-agg": { <!--- Name the agg 
      "terms": { <!--- Then the Actual Agg 
        "size": 10,
        "field": "Sysname.keyword"
      }
    },
    "my-other-terms-ag": {
      "terms": {
        "size": 10,
        "field": "IP.keyword"
      }
    },
    "metricAgg": {
      "max": {
        "field": "State"
      }
    }
  }
}

Juan_David_Jaramillo · August 27, 2021, 1:10am

thank you, it was a syntax error, sorry.
now lastly and if it is not too much trouble, could you help me how to get the results of the terms in the action I added the output with 2 loads in payload in transform, but I get the following way:

 "transform": {
    "script": {
      "source": """
        return [
        'local_execution_time' : ctx.trigger.triggered_time.withZoneSameInstant(ZoneId.of('America/Bogota')).format(DateTimeFormatter.ofPattern('YYYY-MM-dd HH:mm:ss')),
        'terms1' : ctx.payload.aggregations.terms1,
        'terms2': ctx.payload.aggregations.terms2,
        'metricAgg' : ctx.payload.aggregations.metricAgg.value
          ]
      """,
      "lang": "painless"
    }
  }
}

stephenb · August 27, 2021, 1:20am

I can't read the screenshot , please don't post screenshots please post the text if you want help

Juan_David_Jaramillo · August 27, 2021, 2:32am

 "actions": [
      {
        "id": "email_1",
        "type": "email",
        "status": "simulated",
        "email": {
          "message": {
            "id": "email_1__inlined__b8cf3d46-b22c-4f90-988d-5abf5b4bae9f-2021-08-27T02:31:49.633285Z_28477",
            "sent_date": "2021-08-27T02:31:49.638009Z",
            "to": [
              "juan.jaramillo@megadvantage.com"
            ],
            "bcc": [
              "juancho.jaramillo16@gmail.com"
            ],
            "subject": "Alerta Estado Uniandes ",
            "body": {
              "text": "\n          🚨ALerta Host!! el Estado del equipo  con la IP {doc_count_error_upper_bound=0, sum_other_doc_count=0, buckets=[{doc_count=2, key=FW_Ora2}, {doc_count=2, key=WLAN_8510_ML}, {doc_count=2, key=ayax.uniandes.edu.co}, {doc_count=2, key=chaguani.uniandes.edu.co}, {doc_count=2, key=chinavita.uniandes.edu.co}, {doc_count=2, key=chipaque.uniandes.edu.co}, {doc_count=2, key=chipata.uniandes.edu.co}, {doc_count=2, key=fwmember_a2}]} ha excedido el umbral, para mas informacion ingrese al siguiente enlace:\n          \n          "
            }
          }
        }
      }
    ]
  },
  "messages": []
}

Juan_David_Jaramillo · August 27, 2021, 2:33am

comes out as a bucket {doc_count=2, key=chipata.uniandes.edu.co} but only i need this: chipata.uniandes.edu.co

Thanks you

stephenb · August 27, 2021, 4:39am

So the results of that terms2 is this

                    "terms2":{
                        "size": 10, <!--- This means up to 10 results will be in the array below
                        "field":"IP.keyword"
                    },

is this

{doc_count_error_upper_bound=0, sum_other_doc_count=0, buckets=[
    {doc_count=2, key=FW_Ora2
    },
    {doc_count=2, key=WLAN_8510_ML
    },
    {doc_count=2, key=ayax.uniandes.edu.co
    },
    {doc_count=2, key=chaguani.uniandes.edu.co
    },
    {doc_count=2, key=chinavita.uniandes.edu.co
    },
    {doc_count=2, key=chipaque.uniandes.edu.co
    },
    {doc_count=2, key=chipata.uniandes.edu.co
    },
    {doc_count=2, key=fwmember_a2
    }
  ]
}

Since you specified "size": 10 there will be up to 10 bucket results the array of buckets so I am not really sure what you want as a result...

do you want the up to 10 key values (The IP values) in the Array? output as a String List?

do you want just 1 key value? If so which one?

I am not an expert in watcher / painless

So the first one would be I think would be something like this

{{ctx.payload.terms2.buckets.0.key}}

Something like this might give you the list, this says iterate over the buckets and get the key

{{#ctx.payload.terms2.buckets}} {{key}}, {{/ctx.payload.terms2.buckets}}

Juan_David_Jaramillo · August 27, 2021, 2:28pm

thanks you, all right

stephenb · August 27, 2021, 2:29pm

@Juan_David_Jaramillo
Let us know if it worked? Did you get what you needed?
Please Post your solution so others can see.

Juan_David_Jaramillo · August 27, 2021, 2:59pm

 "actions": {
    "email_1": {
      "throttle_period_in_millis": 86400000,
      "email": {
        "profile": "standard",
        "attach_data": {
          "format": "yaml"
        },
        "to": [
          "juan.jaramillo@megadvantage.com",
          "victor.vera@megadvantage.com"
        ],
        "bcc": [
          "juancho.jaramillo16@gmail.com"
        ],
        "subject": "{{ctx.metadata.name}} ",
        "body": {
          "text": """
          🚨ALerta Host!! el Estado del equipo {{ctx.payload.terms1.buckets.0.key}} con la IP {{ctx.payload.terms2.buckets.0.key}} esta {{ctx.payload.terms3.buckets.0.key}}  
          
          para mas informacion ingrese al siguiente enlace:
          
          https://72dfe17217744236af40cc31b704a664.us-central1.gcp.cloud.es.io:9243/s/u-andes/app/kibana#/dashboard/560c7520-d8fb-11eb-9ce4-c3c605a6c465
          
          """
        }
      }
    }
  },
  "transform": {
    "script": {
      "source": """
        return [
        'local_execution_time' : ctx.trigger.triggered_time.withZoneSameInstant(ZoneId.of('America/Bogota')).format(DateTimeFormatter.ofPattern('YYYY-MM-dd HH:mm:ss')),
        'terms1' : ctx.payload.aggregations.terms1,
        'terms2': ctx.payload.aggregations.terms2,
        'terms3': ctx.payload.aggregations.terms3,
        'metricAgg' : ctx.payload.aggregations.metricAgg.value
          ]
      """,
      "lang": "painless"
    }
  }
}

very simple I loaded the term in the payload output {{ctx.paylaod.aggregations.terms1}} and to see it in the email (in the action of the alert) I added as it is the {{ctx.payload.terms1.buckets.0 .key}} obviously changing which of all the terms I want to use depends on how I call the variable: (terms1, terms2, terms3) as seen in the code and it worked, it only showed me the result of the field without putting "doc_count=" or anything like that, it only showed the name:

"actions": [
      {
        "id": "email_1",
        "type": "email",
        "status": "simulated",
        "email": {
          "message": {
            "id": "email_1__inlined__c40aef9d-dd33-442a-9f2f-3e6b84afe694-2021-08-27T14:57:31.102113Z_28489",
            "sent_date": "2021-08-27T14:57:31.870495Z",
            "to": [
              "juan.jaramillo@megadvantage.com",
              "victor.vera@megadvantage.com"
            ],
            "bcc": [
              "juancho.jaramillo16@gmail.com"
            ],
            "subject": "Alerta Estado Uniandes ",
            "body": {
              "text": "\n          🚨ALerta Host!! el Estado del equipo FW_Ora2 con la IP 129.213.15.226 esta Normal  \n          \n          para mas informacion ingrese al siguiente enlace:\n          \n          https://72dfe17217744236af40cc31b704a664.us-central1.gcp.cloud.es.io:9243/s/u-andes/app/kibana#/dashboard/560c7520-d8fb-11eb-9ce4-c3c605a6c465\n          \n          "
            }
          }
        }
      }
    ]
  },
  "messages": []
}

underlined in bold are the 3 terms that I wanted to show in the email and as it shows them to me without any encapsulation or bucket.

Estado del equipo FW_Ora2 con la IP 129.213.15.226 esta Normal

stephenb · August 27, 2021, 3:03pm

Nice / Cool!!

So you always just want the first bucket... If so you could set the size of the terms to 1

    "my-other-terms-ag": {
      "terms": {
        "size": 1 <!---- Set this to 1 and you will only get the Top agg
        "field": "IP.keyword"
      }
    },

Curious if my syntax was for the loop was correct I will have to try some time

system · September 24, 2021, 3:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Error WATCHER smtp.host Elasticsearch elastic-stack-alerting	3	368	June 17, 2021
Watcher Assistance (ii) Elasticsearch elastic-stack-alerting	3	443	April 2, 2021
Watcher did not run Elasticsearch elastic-stack-alerting	1	393	November 27, 2020
Watcher execution error Elasticsearch elastic-stack-monitoring , elastic-stack-security , elastic-stack-alerting	1	1471	October 16, 2020
Watcher execution error Elasticsearch elastic-stack-monitoring , elastic-stack-security , elastic-stack-alerting	2	672	November 13, 2020

Error watcher with multiple terms and a metric

Related Topics