Greetings
I'm trying to write a watcher to look at a string field called "level." If level is LOG, I need to alert on it. The watcher is running but the value appears to always be null. I've tried various things but nothing has worked so far.
The record looks like this:
{
  "_index": "applog-test-001",
  "_type": "_doc",
  ...
  "level": "LOG",
  "message": "Database connected...",
  "host": {
    "hostname": "applog_host",
    "os": {
      "kernel": "2.6.32-754.24.3.el6.x86_64",
      "codename": "Santiago",
      "name": "Red",
      "family": "redhat",
      "version": "6.10 (Santiago)",
      "platform": "redhat"
      ...
    },
  "fields": {
    "@timestamp": [
      "2020-02-28T21:31:02.583Z"
  (etc)
My watcher API code looks like this:
PUT _watcher/watch/watcher_log_level
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "applog-test-*"
        ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-48h"
                    }
                  }
                },
                {
                  "exists": {
                    "field": "level"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "level": {
        "eq": "LOG"
      }
    }
  },
  "actions": {
    "logging_1": {
      "logging": {
        "text": "Watcher_Log_Level [{{ctx.metadata.name}}] is LOG"
      }
    },
    "index_1": {
      "index": {
        "index": "log_level_watcher"
      }
    }
  }
}
However, the result looks like this:
...
"condition": {
  "type": "compare",
  "status": "success",
  "met": false,
  "compare": {
    "resolved_values": {
      "ctx.metadata.level": null
    }
  }
It looks like it is always finding "level" to be null. What is wrong with my API call?
Thank you.
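Added example, not part of the original post and not the poster's code. It shows why the posted condition can never fire and what a working watch looks like. The compare condition takes a dotted path into the execution context (the posted output shows the bare key "level" being resolved as ctx.metadata.level, and the helper below reproduces that observed behaviour as an assumption, not as documented Watcher semantics), while the documents live under ctx.payload. With "size": 0 the search returns no hits at all, so the reliable pattern is to put the level=LOG test into the query itself and compare ctx.payload.hits.total, which the search input fills in as an integer, against 0. The match query assumes level is mapped as text or keyword; with a keyword subfield, a term query on level.keyword is the stricter choice. The execution context and hit counts are constructed; WATCH_ID, resolve_path, evaluate_compare and sample_ctx are names chosen for this example.

```python
import json

# Corrected watch body (constructed for this example). Two changes against the
# posted watch: the search filters on level=LOG itself, and the condition reads
# ctx.payload.hits.total, which the search input populates, instead of a bare
# "level" key that never points at the returned documents.
WATCH_ID = "watcher_log_level"
WATCH = {
    "trigger": {"schedule": {"interval": "1m"}},
    "input": {
        "search": {
            "request": {
                "indices": ["applog-test-*"],
                "body": {
                    "size": 0,
                    "query": {
                        "bool": {
                            "filter": [
                                {"range": {"@timestamp": {"gte": "now-48h"}}},
                                # match works for a text or a keyword mapping; the
                                # post does not show the mapping (assumption).
                                {"match": {"level": "LOG"}},
                            ]
                        }
                    },
                },
            }
        }
    },
    "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
    "actions": {
        "logging_1": {
            "logging": {
                "text": "Watcher_Log_Level [{{ctx.metadata.name}}]: "
                        "{{ctx.payload.hits.total}} LOG events in the last 48h"
            }
        },
        "index_1": {"index": {"index": "log_level_watcher"}},
    },
}


def watch_request() -> str:
    """Render the Dev Tools request that registers the corrected watch."""
    return f"PUT _watcher/watch/{WATCH_ID}\n{json.dumps(WATCH, indent=2)}"


def canonical_path(path: str) -> str:
    """Path as Watcher reports it: a bare key was shown resolved under ctx.metadata."""
    return path if path.startswith("ctx.") else f"ctx.metadata.{path}"


def resolve_path(ctx: dict, path: str):
    """Walk a dotted path through the execution context; None when a step is missing."""
    parts = canonical_path(path).split(".")[1:]   # drop the leading "ctx"
    node = ctx
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


_OPS = {
    "eq": lambda a, b: a == b,
    "not_eq": lambda a, b: a != b,
    "gt": lambda a, b: a > b,
    "gte": lambda a, b: a >= b,
    "lt": lambda a, b: a < b,
    "lte": lambda a, b: a <= b,
}


def evaluate_compare(ctx: dict, compare: dict):
    """Evaluate a single-key compare condition; returns (met, resolved_values)."""
    (path, spec), = compare.items()
    (op, expected), = spec.items()
    actual = resolve_path(ctx, path)
    resolved = {canonical_path(path): actual}
    if actual is None and op not in ("eq", "not_eq"):
        return False, resolved      # a missing value never satisfies an ordering test
    return bool(_OPS[op](actual, expected)), resolved


def sample_ctx(hit_count: int) -> dict:
    """Constructed execution context: what the search input leaves in ctx.payload."""
    return {
        "metadata": {"name": WATCH_ID},
        "payload": {"took": 3, "timed_out": False,
                    "hits": {"total": hit_count, "hits": []}},
    }


if __name__ == "__main__":
    print(watch_request())
    # The posted condition resolves ctx.metadata.level -> None and is never met.
    print(evaluate_compare(sample_ctx(5), {"level": {"eq": "LOG"}}))
    # The corrected condition is met as soon as the query matches a document.
    print(evaluate_compare(sample_ctx(5), WATCH["condition"]["compare"]))
```

Running the block prints the PUT request to paste into Dev Tools, followed by the two condition evaluations. Before registering the watch, the Execute Watch API with the same body is the quickest way to confirm that resolved_values now shows ctx.payload.hits.total rather than a null metadata field.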