Field "level" only returns Null in Watcher

EricJohnson · March 2, 2020, 2:45pm

Greetings

I'm trying to write a watcher to look at a string field called "level." If level is LOG, I need to alert on it. The watcher is running but the value appears to always be null. I've tried various things but nothing has worked so far.

The record looks like this:

{
"_index": "applog-test-001",
"_type": "_doc",
...
"level": "LOG",
"message": "Database connected...",
"host": {
"hostname": "applog_host",
"os": {
"kernel": "2.6.32-754.24.3.el6.x86_64",
"codename": "Santiago",
"name": "Red",
"family": "redhat",
"version": "6.10 (Santiago)",
"platform": "redhat"
...
},
"fields": {
"@timestamp": [
"2020-02-28T21:31:02.583Z"
(etc)

My watcher API code looks like this:

PUT _watcher/watch/watcher_log_level
{
"trigger": {
    "schedule": {
        "interval": "1m"
    }
},
"input": {
    "search": {
        "request": {
            "indices": [
                "applog-test-*"
           ],
       "body": {
       "size": 0,
       "query": {
           "bool": {
               "filter": [
                   {
                       "range": {
                           "@timestamp": {
                              "gte": "now-48h"
                           }
                       }
                   },
                   {
                      "exists": {
                          "field": "level"
                      }
                   }
               ]
       }
    }
}
}
}},
   "condition": {
       "compare": {
           "level": {
               "eq": "LOG"
           }
       }
   },
   "actions": {
       "logging_1": {
           "logging": {
               "text": "Watcher_Log_Level [{{ctx.metadata.name}}] is LOG"
           }
       },
       "index_1": {
            "index": {
                "index": "log_level_watcher"
            }
        }
    }
}

However, the result looks like this:

      ...
"condition": {
      "type": "compare",
      "status": "success",
      "met": false,
      "compare": {
            "resolved_values": {
                 "ctx.metadata.level": null
            }
      }

It looks like it is always finding "level" to be null. What is wrong with my API call?

Thank you.

EricJohnson · March 5, 2020, 4:08pm

PUT _watcher/watch/watcher_applog_log
{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"indices": [
"applog-*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "LOG OR level:LOG"
}
},
{
"range": {
"@timestamp": {
"gte": "now-1m"
}
}
}
]
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"logging_1": {
"logging": {
"text": "Watcher applog level is LOG."
}
}
}
}

This works.

system · April 2, 2020, 4:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher for string value - Returns 'met : false' Kibana elastic-stack-monitoring	2	378	March 30, 2020
Watcher returns null values Elasticsearch elastic-stack-alerting	3	1076	February 12, 2020
Missing fields in a document Elasticsearch elastic-stack-alerting	2	619	March 26, 2021
Accessing fields from Watcher search condition Elasticsearch elastic-stack-alerting	3	1860	February 21, 2019
Watcher Condition Returning "Null" Elasticsearch elastic-stack-alerting	9	848	September 16, 2019

Field "level" only returns Null in Watcher

Related Topics