Help with Watcher Script Transform

uklipse · March 8, 2019, 2:47am

I am trying to pass some data from a watcher to another index. I was looking to use the Script Transform with Index Action to insert data from the watch. With this code, I'm getting a "could not parse action [inlined/transform]. unknown action type [script]" error.

Any ideas?

   "actions": {
      "transform" : {
         "script" : {
            "inline" : "return ['@timestamp':ctx.triggered_time]", 
            "lang" : "painless"
         }
      },
      "index" : {
         "index" : "alerts-*",
         "doc_type" : "doc"
          }
        }

rashmi · March 8, 2019, 5:35pm

@Alexander_Reelsen - an you please help here ?

Thanks
Rashmi

uklipse · March 9, 2019, 4:22am

Here is the full code if it helps.

POST _xpack/watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "1m"
      }
    },
    "input": {
      "search": {
        "request": {
          "indices" : [
            "winlogs-*"
            ],
          "body": {
            "size": 3,
            "query": {
              "bool": {
                "must" : [{
                  "match" : {
                     "event_id" : "4624" 
                     }
                  }, {
                  "range" : {
                     "@timestamp" : {
                        "gte" : "now-1h" 
                     }
                   }
                }]
                }
               },
               "aggs" : {
                 "workstation" : {
                   "terms": {
                     "field" : "event_data.WorkstationName"
                 }
                  }
                 }
               }
             }
          }
        },
        "condition" : {
          "compare" : {
            "ctx.payload.aggregations.workstation.buckets.0.doc_count" : {"gt" : 6}
          }
        },
       "actions": {
          "transform" : {
             "script" : {
                "inline" : "return ['@timestamp':ctx.triggered_time]", 
                "lang" : "painless"
             }
          },
          "index" : {
             "index" : "alerts-*",
             "doc_type" : "doc"
              }
            }
          }
      }

system · April 6, 2019, 4:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.