How to call a filter/report in a watcher?

Hi,
Please be indulgent, this is my first watcher :slight_smile:
I'm trying to create a watcher in which I can:

  • call and fetch a filter/report for a specific index (stream).

The idea is to catch, from the logs received over a specific duration, all the errors and send an alert by email for each one.
I started with this example but I'm sure it's not complete:

```json
{
  "trigger": {
    "schedule": {
      "interval": "15m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "Test_Watcher_URL_Filter"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "error OR loglevel:ERROR"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-7h"
                    }
                  }
                }
              ]
            }
          },
          "_source": [
            "message"
          ],
          "sort": [
            {
              "@timestamp": {
                "order": "desc"
              }
            }
          ]
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "foreach": "ctx.payload.hits.hits",
      "max_iterations": 100,
      "email": {
        "profile": "standard",
        "to": [
          "receiver@servermail.com"
        ],
        "subject": "Watcher Notification - Error received",
        "body": {
          "text": "Errors have occurred in the logs: {{ctx.payload._source.message}}"
        }
      }
    }
  },
  "throttle_period_in_millis": 900000
}
```
Can you please help me to achieve this watcher creation.

Regards
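Added example, not code from the thread or from Elastic: the watch above rebuilt in Python with the three things that keep it from sending one email per error fixed (a `lte` range selects everything older than the cutoff rather than the last window; `foreach` turns each hit into `ctx.payload`, so the body must use a `{{ctx.payload._source.message}}` placeholder; and an index name with capital letters cannot exist in Elasticsearch, so `Test_Watcher_URL_Filter` can never match). The index name, interval and recipient are placeholders, and `first_draft()` only re-introduces the first post's mistakes into a copy so the linter has something to flag. The `throttle_period_in_millis` was left out on purpose: with the search bounded to the last interval, each error is already seen by one run only.

```python
"""Corrected error-alert watch plus a linter for the mistakes in the thread's
first draft. Added example, not code from the thread or from Elastic; it runs
offline and never talks to a cluster."""
import json
import re
from copy import deepcopy

# Elasticsearch date math: now-15m is fifteen minutes, "mn" is not a unit.
DATE_MATH = re.compile(r"^now(?:[+-]\d+[yMwdhHms])*(?:/[yMwdhHms])?$")


def build_error_watch(index: str, interval: str, recipients: list) -> dict:
    """One email per ERROR hit logged since the previous run.

    `index` and `recipients` are placeholders; use your own stream name."""
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {"search": {"request": {
            "search_type": "query_then_fetch",
            "indices": [index],
            "rest_total_hits_as_int": True,
            "body": {
                "query": {"bool": {"must": [
                    {"query_string": {"query": "error OR loglevel:ERROR"}},
                    # gte: hits SINCE now-interval. lte would select everything OLDER.
                    {"range": {"@timestamp": {"gte": f"now-{interval}"}}},
                ]}},
                "_source": ["message", "@timestamp"],
                "sort": [{"@timestamp": {"order": "desc"}}],
            },
        }}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {"send_email": {
            # foreach runs the action once per hit; inside it ctx.payload IS the hit,
            # so the template addresses the message as ctx.payload._source.message.
            "foreach": "ctx.payload.hits.hits",
            "max_iterations": 100,
            "email": {
                "profile": "standard",
                "to": recipients,
                "subject": "Watcher Notification - Error received",
                "body": {"text": "Error in the logs: {{ctx.payload._source.message}}"},
            },
        }},
    }


def lint_watch(watch: dict) -> list:
    """Static checks for the three mistakes in the thread's first draft."""
    findings = []
    req = watch["input"]["search"]["request"]
    for name in req["indices"]:
        if name != name.lower():
            findings.append(f"index {name!r}: index names must be lowercase, this can match nothing")
    for clause in req["body"]["query"]["bool"]["must"]:
        rng = clause.get("range", {}).get("@timestamp")
        if rng is None:
            continue
        for bound, expr in rng.items():
            if not DATE_MATH.match(expr):
                findings.append(f"range {bound}={expr!r}: not valid date math (minutes are 'm')")
        if not ({"gte", "gt"} & set(rng)):
            findings.append("range has no lower bound: 'lte' alone selects everything OLDER than the cutoff")
    for name, action in watch["actions"].items():
        text = action.get("email", {}).get("body", {}).get("text", "")
        if "foreach" in action and "{{" not in text:
            findings.append(f"action {name}: body has no {{{{...}}}} placeholder, every email would be identical")
    return findings


def first_draft(watch: dict) -> dict:
    """Re-introduce the first post's mistakes into a copy, for the linter demo."""
    draft = deepcopy(watch)
    req = draft["input"]["search"]["request"]
    req["indices"] = ["Test_Watcher_URL_Filter"]
    req["body"]["query"]["bool"]["must"][1] = {"range": {"@timestamp": {"lte": "now-7h"}}}
    draft["actions"]["send_email"]["email"]["body"]["text"] = "Errors have occurred in the logs: ['message'].value"
    return draft


if __name__ == "__main__":
    watch = build_error_watch("logs", "15m", ["receiver@servermail.com"])
    print(json.dumps(watch, indent=2))  # body to PUT at _watcher/watch/<id>
    print(lint_watch(watch))            # []
    for finding in lint_watch(first_draft(watch)):
        print("-", finding)
```

Running the script prints the corrected definition ready to store with the watch API, reports no findings for it, and lists the three findings for the first draft. Run `lint_watch` on any watch you are about to store; the date-math check alone would catch the `now-15mn` that appears later in this thread.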

Hey,

Can you share exceptions/error messages and explain what is not working as you expect it to work? This would help debugging tremendously. Also the output of the watcher history or the execute watch API, to see what the watch is receiving, would be helpful (or the error, when the watch cannot be stored).

Thank you!

--Alex

Hi Alexander and thank you for your answer.
Here's an example of an error message:
###########################
13:25:56.504 [main] ERROR com.goz.SftpConnect - Exception while getting files from server: java.lang.NullPointerException
################################################

the output of the watcher:
################################################

{
  "watch_id": "7a0bcec9-7137-4c83-a18f-6096702a1c3a",
  "node": "97StJJqISCye6eep5ihxYA",
  "state": "execution_not_needed",
  "user": "user@test.local",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2021-05-28T16:00:24.464Z"
    },
    "last_checked": "2021-06-01T13:28:24.753Z",
    "actions": {
      "send_email": {
        "ack": {
          "timestamp": "2021-05-28T16:00:24.464Z",
          "state": "awaits_successful_execution"
        }
      }
    },
    "execution_state": "execution_not_needed",
    "version": -1
  },
  "trigger_event": {
    "type": "schedule",
    "triggered_time": "2021-06-01T13:28:24.753Z",
    "schedule": {
      "scheduled_time": "2021-06-01T13:28:24.467Z"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "logs"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "error OR loglevel:ERROR"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-15mn"
                    }
                  }
                }
              ]
            }
          },
          "_source": [
            "message"
          ],
          "sort": [
            {
              "@timestamp": {
                "order": "desc"
              }
            }
          ]
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "metadata": {
    "xpack": {
      "type": "json"
    }
  },
  "result": {
    "execution_time": "2021-06-01T13:28:24.753Z",
    "execution_duration": 2,
    "input": {
      "type": "search",
      "status": "success",
      "payload": {
        "_shards": {
          "total": 0,
          "failed": 0,
          "successful": 0,
          "skipped": 0
        },
        "hits": {
          "hits": [],
          "total": 0,
          "max_score": 0
        },
        "took": 2,
        "timed_out": false
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "logs"
          ],
          "rest_total_hits_as_int": true,
          "body": {
            "query": {
              "bool": {
                "must": [
                  {
                    "query_string": {
                      "query": "error OR loglevel:ERROR"
                    }
                  },
                  {
                    "range": {
                      "@timestamp": {
                        "gte": "now-7h"
                      }
                    }
                  }
                ]
              }
            },
            "_source": [
              "message"
            ],
            "sort": [
              {
                "@timestamp": {
                  "order": "desc"
                }
              }
            ]
          }
        }
      }
    },
    "condition": {
      "type": "compare",
      "status": "success",
      "met": false,
      "compare": {
        "resolved_values": {
          "ctx.payload.hits.total": 0
        }
      }
    },
    "actions": []
  },
  "messages": []
}
#########################################

So what I'm expecting is receiving for each error an email with the content of the "message" field.
For now, all executions are returning the "execution not needed" status.

Hope my answer is helpful.

Regards

You can see in the watch output, that the condition was not met, because your search did not return any result. So the watch works as expected, but maybe something with your query is wrong?
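Added example, not code from the thread or from Elastic: a reader for the watch-history record posted above, plus an emulation of what the `foreach` action would have done had the search returned hits. The record shows more than a condition that was not met: `_shards.total` is 0, meaning the search ran against no shards at all, which is what you get when the index name matches nothing (Watcher's search input ignores missing indices by default, so no error is raised). Note also that `now-15mn` in the stored input is not valid date math (minutes are `m`); the result section shows the run used `now-7h`. `HISTORY_RECORD` is a trimmed copy of the posted record, `SAMPLE_HITS` are constructed hits (the first message is the log line quoted in the thread), and `render_foreach` substitutes one placeholder only rather than running a real Mustache renderer.

```python
"""Reads a watch-history / execute-watch record like the one posted above and
explains why it ended in execution_not_needed, then shows what foreach would
have done with real hits. Added example, not Elastic code; all data inline."""

# Trimmed copy of the posted record: only the fields the check reads.
HISTORY_RECORD = {
    "state": "execution_not_needed",
    "result": {
        "input": {
            "type": "search",
            "status": "success",
            "payload": {
                "_shards": {"total": 0, "failed": 0, "successful": 0, "skipped": 0},
                "hits": {"hits": [], "total": 0, "max_score": 0},
            },
        },
        "condition": {"type": "compare", "status": "success", "met": False,
                      "compare": {"resolved_values": {"ctx.payload.hits.total": 0}}},
        "actions": [],
    },
}

# Constructed hits, shaped like what the search input returns when the index
# does contain errors (first message is the log line quoted in the thread).
SAMPLE_HITS = [
    {"_index": "logs", "_id": "1", "_source": {
        "@timestamp": "2021-06-01T13:25:56.504Z",
        "message": "13:25:56.504 [main] ERROR com.goz.SftpConnect - Exception while "
                   "getting files from server: java.lang.NullPointerException"}},
    {"_index": "logs", "_id": "2", "_source": {
        "@timestamp": "2021-06-01T13:26:10.000Z",
        "message": "13:26:10.000 [main] ERROR com.goz.SftpConnect - Retry failed"}},
]

EMAIL_TEMPLATE = "Error in the logs: {{ctx.payload._source.message}}"


def diagnose_execution(record: dict) -> list:
    """Walk the record from the outside in: input, then condition, then actions."""
    notes = []
    result = record["result"]
    if result["input"]["status"] != "success":
        notes.append("input failed: fix the search before looking at the condition")
        return notes
    payload = result["input"]["payload"]
    if result["input"]["type"] == "search" and payload["_shards"]["total"] == 0:
        notes.append("search touched 0 shards: the index name matched no index "
                     "(missing indices are ignored by default, so there is no error)")
    if payload["hits"]["total"] == 0:
        notes.append("0 hits: ctx.payload.hits.hits is empty, nothing for foreach to send")
    if not result["condition"]["met"]:
        notes.append("condition not met, so the watch stops with execution_not_needed "
                     "and no action is even attempted")
    return notes


def render_foreach(hits: list, template: str) -> list:
    """Emulate the foreach action: each hit becomes ctx.payload for one email.

    Only the single placeholder used in EMAIL_TEMPLATE is substituted; real
    Watcher renders the body with Mustache, this is a deliberate shortcut."""
    emails = []
    for hit in hits:  # inside foreach, ctx.payload == hit
        emails.append(template.replace("{{ctx.payload._source.message}}",
                                       hit["_source"]["message"]))
    return emails


if __name__ == "__main__":
    for note in diagnose_execution(HISTORY_RECORD):
        print("-", note)
    for email in render_foreach(SAMPLE_HITS, EMAIL_TEMPLATE):
        print(email)
```

The first loop prints the three reasons the posted run produced no email, in the order Watcher evaluates them; the second shows the two emails the corrected action would produce for two hits, one per error, which is the behaviour asked for in the first post.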

This is exactly the help I'm needing :slight_smile:
I've tried many requests, followed the official documentation, but got the same answer each time:

              "must": [
                {
                  "query_string": {
                    "query": "error OR loglevel:ERROR"
                  }
                },

If you can tell me where I've made a mistake, or at least give an example of code that works, I'll be grateful.

Kind Regards

Can you run the query without the watch and see if it returns any data?
