We are on ELK 2.2.0. I am trying to hunt a bug with watcher, but I have had no success in the last few days.
After a few successful executions, the watcher keeps falling into the following exception:
ScriptException[failed to run inline script [return ctx.payload.hits.hits.collect({ "${it.fields['@timestamp']}\t${it.fields.severity}\t${it.fields['source.syslog.host_from']}\t${it.fields.type}\t${it.fields.message}" }).join('\n')] using lang [groovy]]; nested: NoClassDefFoundError[sun/reflect/MethodAccessorImpl]; nested: ClassNotFoundException[sun.reflect.MethodAccessorImpl];
at org.elasticsearch.script.groovy.GroovyScriptEngineService$GroovyScript.run(GroovyScriptEngineService.java:318)
at org.elasticsearch.watcher.transform.script.ExecutableScriptTransform.doExecute(ExecutableScriptTransform.java:73)
at org.elasticsearch.watcher.transform.script.ExecutableScriptTransform.execute(ExecutableScriptTransform.java:59)
at org.elasticsearch.watcher.transform.script.ExecutableScriptTransform.execute(ExecutableScriptTransform.java:40)
at org.elasticsearch.watcher.execution.ExecutionService.executeInner(ExecutionService.java:378)
at org.elasticsearch.watcher.execution.ExecutionService.execute(ExecutionService.java:273)
at org.elasticsearch.watcher.execution.ExecutionService$WatchExecutionTask.run(ExecutionService.java:438)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NoClassDefFoundError: sun/reflect/MethodAccessorImpl
at sun.misc.Unsafe.defineClass(Native Method)
at sun.reflect.ClassDefiner.defineClass(ClassDefiner.java:63)
at sun.reflect.MethodAccessorGenerator$1.run(MethodAccessorGenerator.java:399)
at sun.reflect.MethodAccessorGenerator$1.run(MethodAccessorGenerator.java:394)
at java.security.AccessController.doPrivileged(Native Method)
at sun.reflect.MethodAccessorGenerator.generate(MethodAccessorGenerator.java:393)
I cannot see any difference in the data the watcher collects; it rather seems to be something under the hood.
The watcher conditions are set like this:
{
  "metadata": { "tags" : ["ito", "dcs"] },
  "trigger" : { "schedule" : { "interval" : "60s" } },
  "input" : {
    "search" : {
      "timeout" : "20s",
      "request" : {
        "indices" : [ "<logstash-app.dcs-{now/d{YYYY-MM-dd}}>", "<logstash-app.dcs-{now/d-1d{YYYY-MM-dd}}>" ],
        "body" : {
          "size" : 50,
          "query" : {
            "filtered": {
              "filter": {
                "bool": {
                  "must": [
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "{{ctx.trigger.scheduled_time}}||-1m",
                          "lte": "{{ctx.trigger.scheduled_time}}"
                        }
                      }
                    },
                    {
                      "term": {
                        "source.syslog.file_name": "ito"
                      }
                    }
                  ]
                }
              }
            }
          },
          "fields": ["@timestamp","severity","type","message", "source.syslog.host_from"],
          "sort": [
            {
              "@timestamp": {
                "order": "asc"
              }
            }
          ]
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "transform" : {
    "script" : "return ctx.payload.hits.hits.collect({ \"${it.fields.severity}\\t${it.fields['source.syslog.host_from']}\\t${it.fields.type}\\t${it.fields.message}\" }).join('\\n')"
  },
  "actions" : {
    "log_error" : {
      "logging" : {
        "category" : "watcher.actions.logging.ito",
        "text" : "Found ito items\n{{ctx.payload._value}}"
      }
    }
  }
}
I'll really appreciate any help.