Help with webhook action body format

devans · July 30, 2017, 1:11pm

I'm having problems formatting the json correctly in the body of a webhook action. I'm trying to index a new document into a different index.

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "metricbeat-*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "term": {
                    "host": "{{ctx.metadata.monitor_host}}"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-5m",
                      "lt": "now"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "actions": {
    "index_healthy": {
      "condition": {
        "compare": {
          "ctx.payload.hits.total": {
             "gt": 0
          }
        }
      },
      "webhook": {
        "method": "POST",
        "host": "192.168.100.101",
        "port": 9200,
        "path": "/health-{now/d}/server/",
        "body": "{
          \"@timestamp\": \"{{now}}\",
          \"host\": \"{{ctx.metadata.monitor_host}}\",
          \"healthscore\": 0
        }",
        "auth": {
          "basic": {
            "username": "<username>",
            "password": "<password>"
          }
        }
    },
    "send_email": {
      "condition": {
    	"compare": {
      	   "ctx.payload.hits.total": {
        	"lte": 0
           }
    	}
      },
      "throttle_period_in_millis": 1800000,
      "transform": {
        "search": {
          "request": {
            "search_type": "query_then_fetch",
            "indices": [
              "metricbeat-*"
            ],
            "types": [],
            "body": {
              "size": 0,
              "query": {
                "bool": {
                  "filter": {
                    "term": {
                      "host": "{{ctx.metadata.monitor_host}}"
                    }
                  }
                }
              }
            }
          }
        }
      },
      "email": {
        "profile": "standard",
        "to": [
          "admin@example.com"
        ],
        "subject": "ALERT: {{ctx.metadata.monitor_host}} Server Not Responding",
        "body": {
          "html": "{{ctx.metadata.monitor_host}} Not Responding"
        }
      }
    }
  },
  "metadata": {
    "monitor_host": "serverA.example.com",
    "last_period": "5m",
    "window_period": "24h"
  }
}

spinscale · July 31, 2017, 6:19am

Hey,

as body is a string field, the easiest way to create properly formatted JSON is to use a script transform in your action to basically create the JSON structure. You can then use the #toJson directive to convert this easily into JSON.

One more thing: currently your path is configured wrong. How is Elasticsearch supposed to know that the / sign or the now/d expression is supposed to be escaped but the others are not? It's not, so you have to URL encode special chars like < > { } / yourself before sending that data.

Hope that helps!

Also in order to debug issues further, please paste the output of the execute watch API here, that allows to follow the execution path.

--Alex

devans · August 8, 2017, 12:07pm

Hi Alex,

Thank you. The script transform worked. I did switch from using a webhook action to using a index action. Everything works, except I can't figure out how to create a dynamic index name with a date.

Below is the action that works with a static index name. I've tried URL encoding the index name and using a mustache template, but both throw an illegal character error.

"index_healthy": {
      "condition": {
        "compare": {
          "ctx.payload.hits.total": {
            "gt": 0
          }
        }
      },
      "transform": {
        "script": {
          "inline": "return ['@timestamp':ctx.trigger.triggered_time,'host':ctx.metadata.monitor_host,'healthscore':0, 'type': 'server']",
          "lang": "painless"
        }
      },
      "index": {
        "index": "health",
        "doc_type": "doc"
      }
    },

spinscale · August 8, 2017, 12:23pm

Hey,

you can leverage the date math support in index names. Just specify something like <logstash-{now/d}> in the index name and Elasticsearch will do all the lookup work.

Hope this helps!

--Alex

devans · August 8, 2017, 3:01pm

Thank you Alex. This worked. I had missed the <> around the index name previously.

system · September 5, 2017, 3:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.