How to append dynamic field without affecting original payload?


(Yu Watanabe) #1

Hello

I would like to get help with Alerting in x-pack.

I want to create a dynamic field which calculates the search start time using ctx.trigger.scheduled_time. I thought this could be achieved by using a transform, but since the transform overwrites the original payload it does not work.

How can I append a new field? I am imagining assigning a new field, search_start_time, with the calculation below.

Instant.ofEpochMilli(ctx.trigger.scheduled_time.getMillis()).plus(Duration.ofDays(-1));

My current watch definition is below.

{
  "metadata" : {
    "id" : "TEST_1",
    "scenario" : "TEST",
    "interval" : "1"
  },
  "trigger" : { "schedule" : { "interval" : "10s" }},
  "input" : {
      "search" : {
        "request" : {
          "indices" : [ "sample" ],
          "body" : {
            "query" : {
              "bool" : {
                "must" : [
                  { "match" : { "message": "session opened for user" } },
                  { "range" : { "@timestamp" : { "gte" : "{{ctx.trigger.scheduled_time}}||-{{ctx.metadata.interval}}M", "lt"  : "{{ctx.trigger.scheduled_time}}", "format" : "strict_date_optional_time" } } }
                ]
              }
            },
            "aggs" : {
              "usercount" : {
                "terms" : {
                  "field" : "user"
                },
                "aggs" : {
                  "host" : {
                    "terms" : {
                      "field" : "host"
                    }
                  }
                }
              }
            }
          }
        }
      }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "transform" : {
    "script" : "ArrayList arrL = new ArrayList(); def dc; def k_user; def k_host; for (int i = 0; i < ctx.payload.aggregations.usercount.buckets.size(); i++) { dc = ctx.payload.aggregations.usercount.buckets[i].doc_count; k_user = ctx.payload.aggregations.usercount.buckets[i].key; for (int j = 0; j < ctx.payload.aggregations.usercount.buckets[i].host.buckets.size(); j++) { k_host = ctx.payload.aggregations.usercount.buckets[i].host.buckets[j].key; arrL.add(k_user + ' ' + dc.toString() + ' ' + k_host); } } return arrL;"
  },
  "actions" : {
    "send_email" : {
      "email" : {
        "account" : "standard_account",
        "to" : "yu.w.tennis@gmail.com",
        "subject" : "TEST",
        "body" : "{{ctx.payload.hits.total}} error logs found\n\nScenarioID : {{ctx.metadata.id}}\nScenario : {{ctx.metadata.scenario}}\nSearch Period : {{ctx.payload}}\n {{#ctx.payload._value}}{{.}}\n\n{{/ctx.payload._value}}"
      }
    }
  }
}

(Alexander Reelsen) #2

hey,

you can just append to the original payload and return it again, like this:

def payload = ctx.payload;
payload.foo = 'bar';
return payload

Hope this helps.

--Alex
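Applying that pattern to the transform from the question, as an added example that is not from either poster: the script keeps hits and aggregations intact, adds the search_start_time field the question asked for (using the same Instant/Duration calculation), and stores the flattened "user doc_count host" lines under a named key instead of the implicit _value. It assumes ctx.trigger.scheduled_time exposes getMillis() as in the question, and it goes in the watch-level transform.script.source as a single-line string.

```painless
// Added example, not the original watch's script.
// Start from the original payload so hits and aggregations survive the transform.
def payload = ctx.payload;

// Assumption: scheduled_time has getMillis(), as used in the question.
def scheduled = Instant.ofEpochMilli(ctx.trigger.scheduled_time.getMillis());
payload.search_end_time = scheduled.toString();
payload.search_start_time = scheduled.plus(Duration.ofDays(-1)).toString();

// Same flattening as the original transform, but under a named field
// (a non-map return value would replace the payload with {_value: [...]}).
List lines = new ArrayList();
for (def userBucket : ctx.payload.aggregations.usercount.buckets) {
  for (def hostBucket : userBucket.host.buckets) {
    lines.add(userBucket.key + ' ' + userBucket.doc_count + ' ' + hostBucket.key);
  }
}
payload.user_host_lines = lines;

return payload;
```

The email body can then reference {{ctx.payload.search_start_time}} and {{ctx.payload.search_end_time}} directly, and iterate the lines with {{#ctx.payload.user_host_lines}}{{.}}{{/ctx.payload.user_host_lines}} while {{ctx.payload.hits.total}} still works.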


(Yu Watanabe) #3

Thank you. It worked!


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.