Getting parse exception on a Watch that works in a previous version of elastic

ElasticLiver · June 8, 2020, 4:52pm

Hi, im getting this error when I test my watch

parse_exception :
"reason" : "please wrap watch including field [trigger] inside a "watch" field"

the alerts are sended to microsoft teams
this is my watch:

PUT _watcher/watch/my_watch/_execute
{
    "trigger": {
        "schedule": {
            "interval": "5m"
        }
    },
    "input": {
        "search": {
            "request": {
                "body": {
                    "size": 0,
                    "query": {
                        "bool": {
                            "filter": {
                                "range": {
                                    "@timestamp": {
                                        "gte": "{{ctx.trigger.scheduled_time}}||-5m",
                                        "lte": "{{ctx.trigger.scheduled_time}}",
                                        "format": "strict_date_optional_time||epoch_millis"
                                    }
                                }
                            }
                        }
                    }
                },
                "indices": [
                    "metrics-*"
                ]
            }
        }
    },
    "condition": {
        "script": {
            "source": "if (ctx.payload.hits.total <= params.threshold) { return true; } return false;",
            "params": {
                "threshold": 0
            }
        }
    },
    "transform": {
        "script": {
            "source": "HashMap result = new HashMap(); result.result = ctx.payload.hits.total; return result;",
            "lang": "painless",
            "params": {
                "threshold": 0
            }
        }
    },
    "actions": {
        "webhook_teams": {
            "webhook": {
                "scheme": "https",
                "host": "outlook.office.com",
                "port": 443,
                "method": "post",
                "path": "/webhook/...",
                "params": {},
                "headers": {
                    "Content-Type": "application/json"
                },
                "body": "{{#toJson}}ctx.payload{{/toJson}}"
            }
        }
    }
}

I have it working in another older version of elastic, 7.5.1.....in version 7.6 doesnt work

Any suggestions?

alisongoryachev · June 11, 2020, 3:48pm

Hi @ElasticLiver!

If you are executing an existing watch you only need to include the watch id in the request.

POST _watcher/watch/my_watch/_execute

Alternatively, you can define a watch in the request body.

POST _watcher/watch/_execute
{
  "watch" : {
   {
    "trigger": {
        "schedule": {
            "interval": "5m"
        }
    },
    "input": {
        "search": {
            "request": {
                "body": {
                    "size": 0,
                    "query": {
                        "bool": {
                            "filter": {
                                "range": {
                                    "@timestamp": {
                                        "gte": "{{ctx.trigger.scheduled_time}}||-5m",
                                        "lte": "{{ctx.trigger.scheduled_time}}",
                                        "format": "strict_date_optional_time||epoch_millis"
                                    }
                                }
                            }
                        }
                    }
                },
                "indices": [
                    "metrics-*"
                ]
            }
        }
    },
    "condition": {
        "script": {
            "source": "if (ctx.payload.hits.total <= params.threshold) { return true; } return false;",
            "params": {
                "threshold": 0
            }
        }
    },
    "transform": {
        "script": {
            "source": "HashMap result = new HashMap(); result.result = ctx.payload.hits.total; return result;",
            "lang": "painless",
            "params": {
                "threshold": 0
            }
        }
    },
    "actions": {
        "webhook_teams": {
            "webhook": {
                "scheme": "https",
                "host": "outlook.office.com",
                "port": 443,
                "method": "post",
                "path": "/webhook/...",
                "params": {},
                "headers": {
                    "Content-Type": "application/json"
                },
                "body": "{{#toJson}}ctx.payload{{/toJson}}"
            }
        }
    }
}
  }
}

For more information, please check out the docs: https://www.elastic.co/guide/en/elasticsearch/reference/7.5/watcher-api-execute-watch.html

system · July 9, 2020, 3:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher Error is Parse Exception, unexpected field Kibana	4	690	April 2, 2019
Watcher Parse Exception Unknown Input Type Condition Elasticsearch elastic-stack-alerting	2	1405	October 25, 2018
Watcher parse_exception (actions proxy.host) Elasticsearch elastic-stack-monitoring , elastic-stack-alerting	7	2310	February 25, 2019
After upgrade to Elastic 6.7, watcher execution fails to parse ctx.trigger.triggered_time in watcher query Elasticsearch elastic-stack-alerting	5	722	May 22, 2019
Problem creating Watch - unable to parse [search] input Elasticsearch elastic-stack-alerting	3	2742	July 6, 2017

Getting parse exception on a Watch that works in a previous version of elastic

Related topics