Field "level" only returns Null in Watcher

Greetings

I'm trying to write a watcher to look at a string field called "level." If level is LOG, I need to alert on it. The watcher is running but the value appears to always be null. I've tried various things but nothing has worked so far.

The record looks like this:

{
  "_index": "applog-test-001",
  "_type": "_doc",
  ...
  "level": "LOG",
  "message": "Database connected...",
  "host": {
    "hostname": "applog_host",
    "os": {
      "kernel": "2.6.32-754.24.3.el6.x86_64",
      "codename": "Santiago",
      "name": "Red",
      "family": "redhat",
      "version": "6.10 (Santiago)",
      "platform": "redhat"
      ...
    },
  "fields": {
    "@timestamp": [
      "2020-02-28T21:31:02.583Z"
  (etc)

My watcher API code looks like this:

PUT _watcher/watch/watcher_log_level
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "applog-test-*"
        ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-48h"
                    }
                  }
                },
                {
                  "exists": {
                    "field": "level"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "level": {
        "eq": "LOG"
      }
    }
  },
  "actions": {
    "logging_1": {
      "logging": {
        "text": "Watcher_Log_Level [{{ctx.metadata.name}}] is LOG"
      }
    },
    "index_1": {
      "index": {
        "index": "log_level_watcher"
      }
    }
  }
}

However, the result looks like this:

      ...
      "condition": {
        "type": "compare",
        "status": "success",
        "met": false,
        "compare": {
          "resolved_values": {
            "ctx.metadata.level": null
          }
        }

It looks like it is always finding "level" to be null. What is wrong with my API call?

Thank you.

PUT _watcher/watch/watcher_applog_log
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "applog-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "LOG OR level:LOG"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-1m"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "logging_1": {
      "logging": {
        "text": "Watcher applog level is LOG."
      }
    }
  }
}

This works.
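Why the first watch resolves "level" to null and the second one fires, shown as an added example that is not part of the original thread and not Elastic's code: the compare condition only sees the watch execution context (ctx), and with "size": 0 the search payload carries a hit count but no documents, so "level" is not a path into anything. The working watch moves the per-document test into the query and compares the count; a third option, also shown, keeps size > 0 and compares a path into the first hit. The emulator below is a simplified Python model of that path resolution: the sample documents, run_search and the exact way Watcher rewrites a bare key (the poster's output shows it under ctx.metadata) are constructed assumptions, not Watcher internals.

```python
"""Simplified model of how a Watcher `compare` condition resolves its path.

Constructed example (not Elastic's code): enough of the execution context to
show why `"level": {"eq": "LOG"}` with `"size": 0` is always null, while
`"ctx.payload.hits.total": {"gt": 0}` works.
"""
from typing import Any, Optional

# Constructed sample documents standing in for the applog-test-* index.
SAMPLE_DOCS = [
    {"@timestamp": "2020-02-28T21:31:02.583Z", "level": "LOG",
     "message": "Database connected..."},
    {"@timestamp": "2020-02-28T21:31:05.000Z", "level": "ERROR",
     "message": "Connection timed out"},
]


def run_search(docs: list, size: int, level: Optional[str] = None) -> dict:
    """Stand-in for the search input. Returns a payload shaped like the part
    of the Elasticsearch response Watcher stores under ctx.payload, using the
    rest_total_hits_as_int form of hits.total (assumption: a plain integer)."""
    hits = [d for d in docs if level is None or d.get("level") == level]
    return {
        "hits": {
            "total": len(hits),                       # always present
            "hits": [{"_source": d} for d in hits[:size]],  # empty if size == 0
        }
    }


def build_ctx(payload: dict, name: str = "watcher_log_level") -> dict:
    """Minimal execution context: metadata plus the search payload."""
    return {"metadata": {"name": name}, "payload": payload}


def resolve_path(ctx: dict, path: str) -> Any:
    """Walk a dotted path against the execution context model {"ctx": ...}.

    Any key that is not a path into the model (a bare "level", a missing
    field, an index past the end of the hits list) resolves to None, which is
    what the poster saw as null. Simplification: Watcher's own rewriting of a
    bare key (shown as ctx.metadata.level in the poster's output) is not
    modelled; the outcome is the same, nothing is found.
    """
    node: Any = {"ctx": ctx}
    for part in path.split("."):
        if isinstance(node, dict) and part in node:
            node = node[part]
        elif isinstance(node, list) and part.isdigit() and int(part) < len(node):
            node = node[int(part)]
        else:
            return None
    return node


def compare_condition(ctx: dict, path: str, op: str, value: Any) -> tuple:
    """Evaluate a compare condition; returns (met, resolved_value) so the
    caller can see both the verdict and what the path actually resolved to."""
    resolved = resolve_path(ctx, path)
    ops = {
        "eq": lambda a, b: a == b,
        "gt": lambda a, b: a is not None and a > b,
    }
    return ops[op](resolved, value), resolved


if __name__ == "__main__":
    # 1. Poster's first watch: size 0, bare key "level" -> never met.
    ctx = build_ctx(run_search(SAMPLE_DOCS, size=0))
    print("bare key:", compare_condition(ctx, "level", "eq", "LOG"))
    # 2. Poster's working watch: filter in the query, compare the hit count.
    ctx = build_ctx(run_search(SAMPLE_DOCS, size=0, level="LOG"))
    print("hit count:", compare_condition(ctx, "ctx.payload.hits.total", "gt", 0))
    # 3. Alternative: keep documents in the payload and compare a field path.
    ctx = build_ctx(run_search(SAMPLE_DOCS, size=1, level="LOG"))
    print("field path:", compare_condition(
        ctx, "ctx.payload.hits.hits.0._source.level", "eq", "LOG"))
```

Variant 3 only works because size is 1 there; with the original "size": 0 the same field path also resolves to None, which is the quickest way to confirm the diagnosis against a real watch: inspect the payload in the execution record and check whether hits.hits is empty.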
