How to create a watch that email specific field from input index?

Elastic Stack Elasticsearch
1

Hi,
I wanna include some filed from index to email body of action how I can do that?

curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
"trigger" : { "schedule" : { "interval" : "10s" } },
"input" : {
"search" : {
"request" : {
"indices" : [ "filebeat-*" ],
"body" : {
"query" : {
"match" : { "message": "error" }
}
}
}
}
},
"condition" : {
"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
},
"actions" : {
"send_email" : {
"email" : {
"to" : "my_name@my_domain",
"subject" : "error filebeat Status Warning",
"body" : " want to include matching lines from index here"
}
}
}
}'

2

Hey,

you can access parts of your search by accessing ctx.payload and using the mustache scripting language. The first example in the watcher docs about the email action already includes an example.

--Alex

3

Thanks Alex for promt response.
My index has fields like beat.hostname, syslog_message and some more
how I can include only these two fields?

4

Hey,

by directly specify those fields in the body field of your email action. Please ask more concrete questions with an example to get more help - it is hard to find out what exactly you intend to do. If you need to know how to access search hits, check out the search input docs, which has an example.

Hope this helps!

--Alex

5

Hi Alex,
Thanks Thats what actually Iam looking for
my watch works with "body" : " Error {{ctx.payload.hits.hits.0}} "
however this ddint wok
"body" : " Host name {{ctx.payload.hits.hits.0.fields.received_from}} "
what could be the reason?

6

COmplete watch
curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
"trigger" : { "schedule" : { "interval" : "10s" } },
"input" : {
"search" : {
"request" : {
"indices" : [ "filebeat-2016.08.02" ],
"body" : {
"query" : {
"match" : { "message": "error" }
}
}
}
}
},
"condition" : {
"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
},
"actions" : {
"send_email" : {
"email" : {
"to" : "my_name@my_domain",
"subject" : "filebeat Status Warning",
"body" : " Host name {{ctx.payload.hits.hits.0}} "
}
}
}
}'

7

You will need to access the _source field to access the data you want. Please run the search manually, as it shows your the path to the JSON you want to extract.

--Alex

8

Hi Alex,
Thank you for support.
I am new to elastic packages
could you please send me the relavant documents for that ?

9

HI,
Can you provide a example of complete watcher that send mail from input inex fields ?

10

hi

You can access all the elastic packages from the download pages here: https://www.elastic.co/downloads

Also the watcher documentation is here: https://www.elastic.co/guide/en/watcher/current/index.html

Hope this helps.

--Rashmi

11

Hi,
Thanks Rashmi. But I am looking for more specific

I used this watcher to send alert, but It doesnt have all the records. when I checked through kibana It contain more records.
what could be the reason ?
curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
"trigger" : { "schedule" : { "interval" : "10s" } },
"input" : {
"search" : {
"request" : {
"indices" : [ "filebeat-2016.08.31" ],
"body" : {
"query" : {
"match" : { "message": "uat" }
}
}
}
}
},
"condition" : {
"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
},
"actions" : {
"send_email" : {
"email" : {
"to" : "muname@mydoamin",
"subject" : "filebeat Status Warning",
"body" : "{{ctx.payload}}"
}
}
}
}'

and I used this to get first hit
" "body" : "{{ctx.payload.hits.hits.0}}" "

How can i get only the latest hit? most recent one ?

12

Hey,

you need to sort your search request by timestamp, then the first hit will always be the latest.

--Alex

13

Hi Alex,
Thank you very much.
with this I could get latest hit
curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
"trigger" : { "schedule" : { "interval" : "30s" } },
"input" : {
"search" : {
"request" : {
"indices" : [ "filebeat-2016.09.06" ],
"body" : {
"query" : {
"match" : { "message": "failure" }
},

"sort":
{ "syslog_timestamp": { "order": "desc" }}

    }
  }
}

},
"condition" : {
"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
},
"actions" : {
"send_email" : {
"email" : {
"to" : "R@mydomain",
"subject" : "filebeat Statussys log_message failure ",
"body" : "{{ctx.payload.hits.hits.0}}"
}
}
}
}'

Is there anyway I can format the output (email body) ? As of now alert is not user friendly.

Thanks
Ruchira

14

Hey,

you can use newlines or just use HTML for more custom formatting, see how to configure email attachments.

--Alex

15

Thanks Alex.
Will check on that.

16

HI Alex,
How I can attach only the first hit ?
Thanks

17

HI,
I can get the last hit using specific index name, but when I use wildcast for index name it shows me old result not the latest.
In my system I have seperate index for everyday (filebeat-2016.09.08).

curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
"trigger" : { "schedule" : { "interval" : "20s" } },
"input" : {
"search" : {
"request" : {
"indices" : [ "filebeat-*" ],
"body" : {
"query" : {
"match" : { "message": "Fail event detected" }
},

"sort":
{ "syslog_timestamp": { "order": "desc" }}

    }
  }
}

},
"condition" : {
"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
},
"actions" : {
"send_email" : {
"email" : {
"to" : "myname@mydoain",
"subject" : "syslog critical event detected attched 09 ",
"body" : "{{ctx.payload.hits.hits.0}}",

"attachments" : {
"attached_data" : {
"data" : {
"format" : "json"
}
}
},
"priority" : "high"

  }
}

}
}'

How I can resolve this ?

18

Hey,

how does the syslog timestamp look like? is it possible that it does not contain a year and thus is hard to sort correctly as it is not a unique timestamp but reoccurs every 24 hours?

--Alex