How to create a watch that email specific field from input index?

alerting

(ruchira) #1

Hi,
I wanna include some filed from index to email body of action how I can do that?

curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
"trigger" : { "schedule" : { "interval" : "10s" } },
"input" : {
"search" : {
"request" : {
"indices" : [ "filebeat-*" ],
"body" : {
"query" : {
"match" : { "message": "error" }
}
}
}
}
},
"condition" : {
"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
},
"actions" : {
"send_email" : {
"email" : {
"to" : "my_name@my_domain",
"subject" : "error filebeat Status Warning",
"body" : " want to include matching lines from index here"
}
}
}
}'


(Alexander Reelsen) #2

Hey,

you can access parts of your search by accessing ctx.payload and using the mustache scripting language. The first example in the watcher docs about the email action already includes an example.

--Alex


(ruchira) #3

Thanks Alex for promt response.
My index has fields like beat.hostname, syslog_message and some more
how I can include only these two fields?


(Alexander Reelsen) #4

Hey,

by directly specify those fields in the body field of your email action. Please ask more concrete questions with an example to get more help - it is hard to find out what exactly you intend to do. If you need to know how to access search hits, check out the search input docs, which has an example.

Hope this helps!

--Alex


(ruchira) #5

Hi Alex,
Thanks Thats what actually Iam looking for
my watch works with "body" : " Error {{ctx.payload.hits.hits.0}} "
however this ddint wok
"body" : " Host name {{ctx.payload.hits.hits.0.fields.received_from}} "
what could be the reason?


(ruchira) #6

COmplete watch
curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
"trigger" : { "schedule" : { "interval" : "10s" } },
"input" : {
"search" : {
"request" : {
"indices" : [ "filebeat-2016.08.02" ],
"body" : {
"query" : {
"match" : { "message": "error" }
}
}
}
}
},
"condition" : {
"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
},
"actions" : {
"send_email" : {
"email" : {
"to" : "my_name@my_domain",
"subject" : "filebeat Status Warning",
"body" : " Host name {{ctx.payload.hits.hits.0}} "
}
}
}
}'


(Alexander Reelsen) #7

You will need to access the _source field to access the data you want. Please run the search manually, as it shows your the path to the JSON you want to extract.

--Alex


(ruchira) #8

Hi Alex,
Thank you for support.
I am new to elastic packages
could you please send me the relavant documents for that ?


(ruchira) #9

HI,
Can you provide a example of complete watcher that send mail from input inex fields ?


(kulkarni) #10

hi

You can access all the elastic packages from the download pages here: https://www.elastic.co/downloads

Also the watcher documentation is here: https://www.elastic.co/guide/en/watcher/current/index.html

Hope this helps.

--Rashmi


(ruchira) #11

Hi,
Thanks Rashmi. But I am looking for more specific

I used this watcher to send alert, but It doesnt have all the records. when I checked through kibana It contain more records.
what could be the reason ?
curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
"trigger" : { "schedule" : { "interval" : "10s" } },
"input" : {
"search" : {
"request" : {
"indices" : [ "filebeat-2016.08.31" ],
"body" : {
"query" : {
"match" : { "message": "uat" }
}
}
}
}
},
"condition" : {
"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
},
"actions" : {
"send_email" : {
"email" : {
"to" : "muname@mydoamin",
"subject" : "filebeat Status Warning",
"body" : "{{ctx.payload}}"
}
}
}
}'

and I used this to get first hit
" "body" : "{{ctx.payload.hits.hits.0}}" "

How can i get only the latest hit? most recent one ?


(Alexander Reelsen) #12

Hey,

you need to sort your search request by timestamp, then the first hit will always be the latest.

--Alex


(ruchira) #13

Hi Alex,
Thank you very much.
with this I could get latest hit
curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
"trigger" : { "schedule" : { "interval" : "30s" } },
"input" : {
"search" : {
"request" : {
"indices" : [ "filebeat-2016.09.06" ],
"body" : {
"query" : {
"match" : { "message": "failure" }
},

"sort":
{ "syslog_timestamp": { "order": "desc" }}

    }
  }
}

},
"condition" : {
"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
},
"actions" : {
"send_email" : {
"email" : {
"to" : "R@mydomain",
"subject" : "filebeat Statussys log_message failure ",
"body" : "{{ctx.payload.hits.hits.0}}"
}
}
}
}'

Is there anyway I can format the output (email body) ? As of now alert is not user friendly.

Thanks
Ruchira


(Alexander Reelsen) #14

Hey,

you can use newlines or just use HTML for more custom formatting, see how to configure email attachments.

--Alex


(ruchira) #15

Thanks Alex.
Will check on that.


(ruchira) #16

HI Alex,
How I can attach only the first hit ?
Thanks


(ruchira) #17

HI,
I can get the last hit using specific index name, but when I use wildcast for index name it shows me old result not the latest.
In my system I have seperate index for everyday (filebeat-2016.09.08).

curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
"trigger" : { "schedule" : { "interval" : "20s" } },
"input" : {
"search" : {
"request" : {
"indices" : [ "filebeat-*" ],
"body" : {
"query" : {
"match" : { "message": "Fail event detected" }
},

"sort":
{ "syslog_timestamp": { "order": "desc" }}

    }
  }
}

},
"condition" : {
"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
},
"actions" : {
"send_email" : {
"email" : {
"to" : "myname@mydoain",
"subject" : "syslog critical event detected attched 09 ",
"body" : "{{ctx.payload.hits.hits.0}}",

"attachments" : {
"attached_data" : {
"data" : {
"format" : "json"
}
}
},
"priority" : "high"

  }
}

}
}'

How I can resolve this ?


(Alexander Reelsen) #18

Hey,

how does the syslog timestamp look like? is it possible that it does not contain a year and thus is hard to sort correctly as it is not a unique timestamp but reoccurs every 24 hours?

--Alex


(system) #19