Error watcher with multiple terms and a metric

Hello, good people.
I have a problem with an alert, I get the following error:

{
  "watch_id": "_inlined_",
  "node": "ELuSGxpSRICZb2ZHJp4paA",
  "state": "failed",
  "user": "elastic",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2021-08-26T17:14:34.455Z"
    },
    "actions": {
      "email_1": {
        "ack": {
          "timestamp": "2021-08-26T17:14:34.455Z",
          "state": "awaits_successful_execution"
        }
      }
    },
    "execution_state": "failed",
    "version": -1
  },
  "trigger_event": {
    "type": "manual",
    "triggered_time": "2021-08-26T17:14:34.460Z",
    "manual": {
      "schedule": {
        "scheduled_time": "2021-08-26T17:14:34.460Z"
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "uniandes*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-2m/m",
                    "lt": "now/m"
                  }
                }
              }
            },
            "aggs": {
              "terms": {
                "size": 10,
                "field": "Sysname.keyword"
              },
              "terms2": {
                "size": 10,
                "field": "IP.keyword"
              },
              "metricAgg": {
                "max": {
                  "field": "State"
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "if (ctx.payload.aggregations.metricAgg.value == params.threshold) { return true; } return false;",
      "lang": "painless",
      "params": {
        "threshold": 0
      }
    }
  },
  "metadata": {
    "name": "Alerta Estado uniandes",
    "xpack": {
      "type": "json"
    }
  },
  "result": {
    "execution_time": "2021-08-26T17:14:34.460Z",
    "execution_duration": 0,
    "input": {
      "type": "search",
      "status": "failure",
      "error": {
        "root_cause": [
          {
            "type": "parsing_exception",
            "reason": "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
            "line": 1,
            "col": 95
          }
        ],
        "type": "parsing_exception",
        "reason": "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
        "line": 1,
        "col": 95
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "uniandes*"
          ],
          "rest_total_hits_as_int": true,
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": {
                  "range": {
                    "@timestamp": {
                      "gte": "now-2m/m",
                      "lt": "now/m"
                    }
                  }
                }
              },
              "aggs": {
                "terms": {
                  "size": 10,
                  "field": "Sysname.keyword"
                },
                "terms2": {
                  "size": 10,
                  "field": "IP.keyword"
                },
                "metricAgg": {
                  "max": {
                    "field": "State"
                  }
                }
              }
            }
          }
        }
      }
    },
    "actions": []
  },
  "messages": [
    "failed to execute watch input"
  ]
}

this is my code:

{
  "trigger": {
    "schedule": {
      "interval": "2m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "uniandes*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": 
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-2m/m",
                      "lt": "now/m"
                    }
                  }
                }
                },
                "aggs":{
                    "terms": {
                        "size": 10,
                        "field": "Sysname.keyword"
                    },
                    "terms2":{
                        "size": 10,
                        "field":"IP.keyword"
                    },
                    "metricAgg":{
                        "max":{
                            "field":"State"
                        }
                    }
                }
        
              
          }    
            
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "if (ctx.payload.aggregations.metricAgg.value == params.threshold) { return true; } return false;",
      "lang": "painless",
      "params": {
        "threshold": 0
      }
    }
  },
  "actions": {
    "email_1": {
      "throttle_period_in_millis": 86400000,
      "email": {
        "profile": "standard",
        "attach_data": {
          "format": "yaml"
        },
        "to": [
          
          "juan.jaramillo@megadvantage.com"
        ],
        
        "bcc": [
          "juancho.jaramillo16@gmail.com"
        ],
        "subject": "{{ctx.metadata.name}} ",
        "body": {
          "text": """
          🚨ALerta Host!! el Estado del equipo {{}} con la IP {{ctx.payload.terms}} ha excedido el umbral, para mas informacion ingrese al siguiente enlace:
          
          """
        }
      }
    }
  },
  "transform": {
    "script": {
      "source": """
        return [
        'local_execution_time' : ctx.trigger.triggered_time.withZoneSameInstant(ZoneId.of('America/Bogota')).format(DateTimeFormatter.ofPattern('YYYY-MM-dd HH:mm:ss')),
        'terms' : ctx.payload.aggregations.terms,
        'terms2': ctx.payload.aggregations.terms2,
        'metricAgg' : ctx.payload.aggregations.metricAgg.value
          ]
      """,
      "lang": "painless"
    }
  }
}

I hope you can help me, as this is very important, thank you very much! :slight_smile:

You have several syntax errors in your query...

It is best practice to debug your query in dev tools before trying in watcher

Your Query is not enclosed before the aggs
Plus your term aggs are malformed

This should be proper syntax

GET uniandes*_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "now-2m/m",
            "lt": "now/m"
          }
        }
      }
    }
  }, <!--- Was Not Closed 
  "aggs": {
    "my-terms-agg": { <!--- Name the agg 
      "terms": { <!--- Then the Actual Agg 
        "size": 10,
        "field": "Sysname.keyword"
      }
    },
    "my-other-terms-ag": {
      "terms": {
        "size": 10,
        "field": "IP.keyword"
      }
    },
    "metricAgg": {
      "max": {
        "field": "State"
      }
    }
  }
}

thank you, it was a syntax error, sorry.
now lastly and if it is not too much trouble, could you help me how to get the results of the terms in the action I added the output with 2 loads in payload in transform, but I get the following way:

 "transform": {
    "script": {
      "source": """
        return [
        'local_execution_time' : ctx.trigger.triggered_time.withZoneSameInstant(ZoneId.of('America/Bogota')).format(DateTimeFormatter.ofPattern('YYYY-MM-dd HH:mm:ss')),
        'terms1' : ctx.payload.aggregations.terms1,
        'terms2': ctx.payload.aggregations.terms2,
        'metricAgg' : ctx.payload.aggregations.metricAgg.value
          ]
      """,
      "lang": "painless"
    }
  }
}

I can't read the screenshot , please don't post screenshots please post the text if you want help

 "actions": [
      {
        "id": "email_1",
        "type": "email",
        "status": "simulated",
        "email": {
          "message": {
            "id": "email_1__inlined__b8cf3d46-b22c-4f90-988d-5abf5b4bae9f-2021-08-27T02:31:49.633285Z_28477",
            "sent_date": "2021-08-27T02:31:49.638009Z",
            "to": [
              "juan.jaramillo@megadvantage.com"
            ],
            "bcc": [
              "juancho.jaramillo16@gmail.com"
            ],
            "subject": "Alerta Estado Uniandes ",
            "body": {
              "text": "\n          🚨ALerta Host!! el Estado del equipo  con la IP {doc_count_error_upper_bound=0, sum_other_doc_count=0, buckets=[{doc_count=2, key=FW_Ora2}, {doc_count=2, key=WLAN_8510_ML}, {doc_count=2, key=ayax.uniandes.edu.co}, {doc_count=2, key=chaguani.uniandes.edu.co}, {doc_count=2, key=chinavita.uniandes.edu.co}, {doc_count=2, key=chipaque.uniandes.edu.co}, {doc_count=2, key=chipata.uniandes.edu.co}, {doc_count=2, key=fwmember_a2}]} ha excedido el umbral, para mas informacion ingrese al siguiente enlace:\n          \n          "
            }
          }
        }
      }
    ]
  },
  "messages": []
}

comes out as a bucket {doc_count=2, key=chipata.uniandes.edu.co} but only i need this: chipata.uniandes.edu.co

Thanks you

So the results of that terms2 is this

                    "terms2":{
                        "size": 10, <!--- This means up to 10 results will be in the array below
                        "field":"IP.keyword"
                    },

is this

{doc_count_error_upper_bound=0, sum_other_doc_count=0, buckets=[
    {doc_count=2, key=FW_Ora2
    },
    {doc_count=2, key=WLAN_8510_ML
    },
    {doc_count=2, key=ayax.uniandes.edu.co
    },
    {doc_count=2, key=chaguani.uniandes.edu.co
    },
    {doc_count=2, key=chinavita.uniandes.edu.co
    },
    {doc_count=2, key=chipaque.uniandes.edu.co
    },
    {doc_count=2, key=chipata.uniandes.edu.co
    },
    {doc_count=2, key=fwmember_a2
    }
  ]
}

Since you specified "size": 10 there will be up to 10 bucket results the array of buckets so I am not really sure what you want as a result...

do you want the up to 10 key values (The IP values) in the Array? output as a String List?

do you want just 1 key value? If so which one?

I am not an expert in watcher / painless

So the first one would be I think would be something like this

{{ctx.payload.terms2.buckets.0.key}}

Something like this might give you the list, this says iterate over the buckets and get the key

{{#ctx.payload.terms2.buckets}} {{key}}, {{/ctx.payload.terms2.buckets}}

thanks you, all right :smiley:

@Juan_David_Jaramillo
Let us know if it worked? Did you get what you needed?
Please Post your solution so others can see.

 "actions": {
    "email_1": {
      "throttle_period_in_millis": 86400000,
      "email": {
        "profile": "standard",
        "attach_data": {
          "format": "yaml"
        },
        "to": [
          "juan.jaramillo@megadvantage.com",
          "victor.vera@megadvantage.com"
        ],
        "bcc": [
          "juancho.jaramillo16@gmail.com"
        ],
        "subject": "{{ctx.metadata.name}} ",
        "body": {
          "text": """
          🚨ALerta Host!! el Estado del equipo {{ctx.payload.terms1.buckets.0.key}} con la IP {{ctx.payload.terms2.buckets.0.key}} esta {{ctx.payload.terms3.buckets.0.key}}  
          
          para mas informacion ingrese al siguiente enlace:
          
          https://72dfe17217744236af40cc31b704a664.us-central1.gcp.cloud.es.io:9243/s/u-andes/app/kibana#/dashboard/560c7520-d8fb-11eb-9ce4-c3c605a6c465
          
          """
        }
      }
    }
  },
  "transform": {
    "script": {
      "source": """
        return [
        'local_execution_time' : ctx.trigger.triggered_time.withZoneSameInstant(ZoneId.of('America/Bogota')).format(DateTimeFormatter.ofPattern('YYYY-MM-dd HH:mm:ss')),
        'terms1' : ctx.payload.aggregations.terms1,
        'terms2': ctx.payload.aggregations.terms2,
        'terms3': ctx.payload.aggregations.terms3,
        'metricAgg' : ctx.payload.aggregations.metricAgg.value
          ]
      """,
      "lang": "painless"
    }
  }
}

very simple I loaded the term in the payload output {{ctx.paylaod.aggregations.terms1}} and to see it in the email (in the action of the alert) I added as it is the {{ctx.payload.terms1.buckets.0 .key}} obviously changing which of all the terms I want to use depends on how I call the variable: (terms1, terms2, terms3) as seen in the code and it worked, it only showed me the result of the field without putting "doc_count=" or anything like that, it only showed the name:

"actions": [
      {
        "id": "email_1",
        "type": "email",
        "status": "simulated",
        "email": {
          "message": {
            "id": "email_1__inlined__c40aef9d-dd33-442a-9f2f-3e6b84afe694-2021-08-27T14:57:31.102113Z_28489",
            "sent_date": "2021-08-27T14:57:31.870495Z",
            "to": [
              "juan.jaramillo@megadvantage.com",
              "victor.vera@megadvantage.com"
            ],
            "bcc": [
              "juancho.jaramillo16@gmail.com"
            ],
            "subject": "Alerta Estado Uniandes ",
            "body": {
              "text": "\n          🚨ALerta Host!! el Estado del equipo FW_Ora2 con la IP 129.213.15.226 esta Normal  \n          \n          para mas informacion ingrese al siguiente enlace:\n          \n          https://72dfe17217744236af40cc31b704a664.us-central1.gcp.cloud.es.io:9243/s/u-andes/app/kibana#/dashboard/560c7520-d8fb-11eb-9ce4-c3c605a6c465\n          \n          "
            }
          }
        }
      }
    ]
  },
  "messages": []
}

underlined in bold are the 3 terms that I wanted to show in the email and as it shows them to me without any encapsulation or bucket.

Estado del equipo FW_Ora2 con la IP 129.213.15.226 esta Normal

1 Like

Nice / Cool!!

So you always just want the first bucket... If so you could set the size of the terms to 1

    "my-other-terms-ag": {
      "terms": {
        "size": 1 <!---- Set this to 1 and you will only get the Top agg
        "field": "IP.keyword"
      }
    },

Curious if my syntax was for the loop was correct I will have to try some time