I'm using a Painless script transform to build a Slack alert message. I believe I've followed the documented approach for carrying fields whose names contain a dot through the transform, but those fields always come back as null in the transform output. I'm not sure what I'm doing wrong; any help would be appreciated.
Here is the request:
{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"indices": [
"agent"
],
"rest_total_hits_as_int": true,
"body": {
"query": {
"bool": {
"filter": [
{
"bool": {
"should": [
{
"range": {
"@timestamp": {
"gte": "now-5d"
}
}
},
{
"exists": {
"field": "audit_created"
}
}
]
}
}
],
"must_not": [],
"should": [],
"must": []
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"transform": {
"script": {
"params": {
"tz": "+11:00"
},
"source": "return ['items': ctx.payload.hits.hits.collect (data -> ['time_triggered': Instant.ofEpochMilli(ctx.payload.hits.hits.0._source.audit_created).atZone(ZoneId.of('America/Denver')).format(DateTimeFormatter.ofPattern('YYYY-MM-dd HH:mm:ss')), 'agent_version': data._source['agent.version'], 'enterprise_id': data._source['enterprise_id'], 'hostName': data._source['host.hostname']])]",
"lang": "painless"
}
},
"actions": {
"notify-slack": {
"slack": {
"account": "monitoring",
"message": {
"from": "mx-prod - Agent Registration",
"to": [
"#alerts"
],
"attachments": [
{
"color": "danger",
"title": "A New Agent Registered",
"text": ""
}
]
}
}
}
}
}
Here is the response. Notice that `agent.version` and `host.hostname` (emitted as `agent_version` and `hostName`) come back as null in the transform payload.
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"agent"
],
"rest_total_hits_as_int": true,
"body": {
"query": {
"bool": {
"filter": [
{
"bool": {
"should": [
{
"range": {
"@timestamp": {
"gte": "now-8h"
}
}
},
{
"exists": {
"field": "audit_created"
}
}
]
}
}
],
"must_not": [],
"should": [],
"must": []
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"metadata": {
"xpack": {
"type": "json"
}
},
"result": {
"execution_time": "2020-05-29T17:47:00.749Z",
"execution_duration": 29,
"input": {
"type": "search",
"status": "success",
"payload": {
"_shards": {
"total": 3,
"failed": 0,
"successful": 3,
"skipped": 0
},
"hits": {
"hits": [
{
"_index": "agent-2020.05.13",
"_type": "_doc",
"_source": {
"agent": {
"last_state": 1589922898272,
"fingerprint": "3c712f7018420488",
"last_heartbeat": 1589941628000,
"version": "3.2.171"
},
"audit_modified": 1589568992196,
"host": {
"hostname": "sh2.nethosting.com",
"os": {
"kernel": "#1 SMP Tue Mar 17 23:49:17 UTC 2020",
"name": "sh2.nethosting.com",
"family": null,
"version": "3.10.0-1062.18.1.el7.x86_64",
"platform": "Linux",
"full": null
},
"architecture": "x86_64"
},
"classifier": {
"version": {
"current": "1.0.10",
"pending": null
}
},
{
"_index": "agent-2020.05.13",
"_type": "_doc",
"_source": {
"agent": {
"fingerprint": "96E07700C5F960Bc",
"last_heartbeat": 1587691415296,
"version": "3.2.146"
},
"audit_modified": 1587691415353,
"host": {
"hostname": "centos7.cpanel.monarx",
"os": {
"kernel": "#1 SMP Mon Mar 18 15:06:45 UTC 2019",
"name": "centos7.cpanel.monarx",
"family": null,
"version": "3.10.0-957.10.1.el7.x86_64",
"platform": "Linux",
"full": null
},
"architecture": "x86_64"
},
"classifier": {
"version": {
"current": "1.0.7",
"pending": null
}
},
"_class": "com.monarx.api.agent.model.Agent",
"id": "309c44a1b10f216cca94c69818e5ca49ed5798d389c9b9327a510d958fd82af8",
"protect": [],
"enterprise_id": "6661b2b5-7f50-4f50-af5d-dd00d534ddb9",
"audit_created": 1587691152070
},
"_id": "309c44a1b10f216cca94c69818e5ca49ed5798d389c9b9327a510d958fd82af8",
"_score": 0
},
{
"_index": "agent-2020.05.13",
"_type": "_doc",
"_source": {
"agent": {
"last_state": 1589343620445,
"fingerprint": "8b8689603fCbE078",
"last_heartbeat": 1589821721000,
"version": "3.2.171"
},
"_class": "com.monarx.api.agent.model.Agent",
"id": "abd3da30bb89edc508b892d28647527bace1c8e943df8e7cecbf5771631e58ed",
{
"_index": "agent-2020.05.13",
"_type": "_doc",
"_source": {
"agent": {
"fingerprint": "77B4Ee7036Ed9e40",
"version": "3.2.171"
},
"audit_modified": 1589949486554,
"host": {
"hostname": "vh2.nethosting.com"
},
"_class": "com.monarx.api.agent.model.Agent",
"id": "899a9d5057432641b13d749b95197615a28666dfe1e4431cfd91c2d8bc392a8d",
"enterprise_id": "6257fd1e-aa67-4957-b7e0-445638474a11",
"audit_created": 1589949486554
},
"_id": "899a9d5057432641b13d749b95197615a28666dfe1e4431cfd91c2d8bc392a8d",
"_score": 0
},
{
"_index": "agent-2020.05.13",
"_type": "_doc",
"_source": {
"agent": {
"fingerprint": "E26fD7C06c4b001c",
"version": "3.2.171"
},
"audit_modified": 1589949490679,
"host": {
"hostname": "vh15.nethosting.com"
},
"_class": "com.monarx.api.agent.model.Agent",
"id": "48c1fc1a8e5b260155f6ee7540325e54e8d3d91b3cf3149efb69865b5341304c",
"enterprise_id": "6257fd1e-aa67-4957-b7e0-445638474a11",
"audit_created": 1589949490679
},
"_id": "48c1fc1a8e5b260155f6ee7540325e54e8d3d91b3cf3149efb69865b5341304c",
"_score": 0
}
],
"total": 107,
"max_score": 0
},
"took": 7,
"timed_out": false
},
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"agent"
],
"rest_total_hits_as_int": true,
"body": {
"query": {
"bool": {
"filter": [
{
"bool": {
"should": [
{
"range": {
"@timestamp": {
"gte": "now-8h"
}
}
},
{
"exists": {
"field": "audit_created"
}
}
]
}
}
],
"must_not": [],
"should": [],
"must": []
}
}
}
}
}
},
"condition": {
"type": "always",
"status": "success",
"met": true
},
"transform": {
"type": "script",
"status": "success",
"payload": {
"items": [
{
"agent_version": null,
"hostName": null,
"time_triggered": "2020-03-30 13:48:31",
"enterprise_id": "6257fd1e-aa67-4957-b7e0-445638474a11"
},
{
"agent_version": null,
"hostName": null,
"time_triggered": "2020-03-30 13:48:31",
"enterprise_id": "8293a152-160f-4723-bcf3-13f4e6e49900"
},
{
"agent_version": null,
"hostName": null,
"time_triggered": "2020-03-30 13:48:31",
"enterprise_id": "ddb8a1d8-f9cf-49a8-b5c6-396b9d6b39ca"
},
]
}
},
"actions": [
{
"id": "notify-slack",
"type": "slack",
"status": "simulated",
"slack": {
"message": {
"from": "mx-prod - Agent Registration",
"to": [
"#alerts"
],
"attachments": [
{
"color": "danger",
"title": "A New Agent Registered",
"text": ""
}
]
}
}
}
]
},
"messages": []
}