Hostname error in Watcher | Heartbeat

alerting

(MAX_JOHNSON) #1

Hello,

I am trying to set up a Heartbeat monitor watcher so that whenever the monitor status for a host goes down, I get an email alert with the hostname, which I am not able to set correctly. Kindly look at the Watcher and please suggest.

Watcher:

```json
{
  "trigger": {
    "schedule": {
      "interval": "10s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "heartbeat-*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-10s"
                    }
                  }
                },
                {
                  "match": {
                    "monitor.status": "down"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions": {
    "notify-slack": {
      "throttle_period_in_millis": 2000,
      "slack": {
        "message": {
          "to": [
            "#watcher"
          ],
          "text": "Warning. Host: {{ctx.payload.hits.hits.0._source.tags.0}} is down"
        }
      }
    }
  }
}
```

The watcher is firing but I am getting the text as "Warning. Host: beats_input_raw_event is down".

How can I get the hostname that was actually down in the email text in place of "beats_input_raw_event"? Please suggest.


(Alexander Reelsen) #2

Hey,

Instead of accessing the tags field from the first search result, you could use the beat.hostname field. Checking the search response by only executing the search instead of the watch (for example in the dev-tools console) will show you which fields are available and their paths.

In the future, please properly format your snippets. This will make it much easier for people to read. You can use regular markdown here.

--Alex
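The following is an added example, not part of either post, showing one way to apply the advice above: instead of reading `tags.0` from the first hit only (which also misses any second host that went down in the same 10s window), the search aggregates the down checks by the `beat.hostname` field Alex names and the Slack text iterates over the buckets with a Mustache section. It assumes `beat.hostname` is a keyword field in the `heartbeat-*` indices (verify the exact field path in the search response first, as suggested above); the aggregation name `down_hosts` is chosen here.

```json
{
  "trigger": { "schedule": { "interval": "10s" } },
  "input": {
    "search": {
      "request": {
        "indices": [ "heartbeat-*" ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "range": { "@timestamp": { "gte": "now-10s" } } },
                { "match": { "monitor.status": "down" } }
              ]
            }
          },
          "aggs": {
            "down_hosts": {
              "terms": { "field": "beat.hostname", "size": 50 }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gte": 1 } }
  },
  "actions": {
    "notify-slack": {
      "throttle_period_in_millis": 2000,
      "slack": {
        "message": {
          "to": [ "#watcher" ],
          "text": "Warning. Hosts down in the last 10s: {{#ctx.payload.aggregations.down_hosts.buckets}}{{key}} ({{doc_count}} failed checks) {{/ctx.payload.aggregations.down_hosts.buckets}}"
        }
      }
    }
  }
}
```

Running only the `input.search.request.body` part in the dev-tools console shows the `aggregations.down_hosts.buckets` array the template walks, so a wrong field path surfaces as empty buckets before the watch is saved.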
