Hello!
I have an issue when trying to set up an Elasticsearch watcher.
Here is part of its config:
```
"input": {
  "chain": {
    "inputs": [
      {
        "first": {
          "search": {
            "request": {
              "search_type": "query_then_fetch",
              "indices": [
                "winlogbeat-*"
              ],
              "rest_total_hits_as_int": true,
              "body": {
                "query": {
                  "range": {
                    "@timestamp": {
                      "gte": "now-{{ctx.metadata.window_period}}"
                    }
                  }
                },
                .....
        "second": {
          "transform": {
            "script": {
              "source": "def last_period=ctx.payload.first.aggregations.periods.buckets.last_period.hosts.buckets.stream().map(e -> e.key).collect(Collectors.toList()); return ctx.payload.first.aggregations.periods.buckets.history.hosts.buckets.stream().map(e -> e.key).filter(p -> !last_period.contains(p)).collect(Collectors.toList());",
              "lang": "painless"
            }
          }
        }
      },
      ....
      {
        "third": {
          "search": {
            "request": {
              "search_type": "query_then_fetch",
              "indices": [
                "checkpointt*"
              ],
              "rest_total_hits_as_int": true,
              "body": {
                "query": {
                  "bool": {
                    "must": [
                      {
                        "range": {
                          "@timestamp": {
                            "gte": "now-{{ctx.metadata.last_period}}"
                          }
                        }
                      },
                      {
                        "terms": {
                          "src_address": [
                            "{{#ctx.payload.second._value}}{{.}}",
                            "{{/ctx.payload.second._value}}"
                          ]
                        }
                      }
                    ],
```
The most interesting part of it is **third**.
When I try to execute this query, a search error happens:

```
failed to create query: '' is not an IP string literal.
```

After step second I have a normal array of items like
`[ "1.1.1.1", "2.2.2.2", "8.8.8.8" ]`, and after third it is converted to something like:

```
"1.1.1.1",
"2.2.2.2",
"8.8.8.8",
""
```

Why did the last empty element of the array, `""`, appear? How do I remove it?
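
The expansion described in the post can be reproduced offline. This is an added example, not part of the original post and not Elasticsearch code. It assumes the `terms` clause is rendered as one template string before being parsed as JSON. `render_sections`, `render_whole_list` and the flat model key are hypothetical simplifications; `render_whole_list` mimics what a whole-list serializer such as Elasticsearch's `{{#toJson}}` Mustache function emits.

```python
import json
import re

# Constructed sample: the array the post reports after step "second".
SECOND = ["1.1.1.1", "2.2.2.2", "8.8.8.8"]
KEY = "ctx.payload.second._value"

# The "terms" clause from the post, flattened into the string that is rendered.
SECTION_TEMPLATE = (
    '{"terms": {"src_address": ['
    '"{{#ctx.payload.second._value}}{{.}}", "{{/ctx.payload.second._value}}"]}}'
)

# A Mustache section: {{#name}}body{{/name}}
SECTION = re.compile(r"\{\{#(?P<name>[^}]+)\}\}(?P<body>.*?)\{\{/(?P=name)\}\}", re.S)


def render_sections(template, model):
    """Minimal section expansion: the body is repeated once per list item.

    Hypothetical stand-in for a Mustache engine; the model uses the dotted
    path as a flat key instead of resolving nested objects.
    """
    def expand(match):
        body = match.group("body")
        return "".join(body.replace("{{.}}", str(item)) for item in model[match.group("name")])
    return SECTION.sub(expand, template)


def render_whole_list(values):
    """Assumed alternative: serialize the list in one step, no per-item section."""
    return '{"terms": {"src_address": ' + json.dumps(values) + "}}"


def terms_values(rendered):
    """Parse the rendered clause and return the list handed to the terms query."""
    return json.loads(rendered)["terms"]["src_address"]


if __name__ == "__main__":
    # The section body is `{{.}}", "`, so every item leaves `", "` behind and
    # the closing quote of the second array string ends an empty element.
    print(terms_values(render_sections(SECTION_TEMPLATE, {KEY: SECOND})))
    # An empty result from "second" still yields one empty string.
    print(terms_values(render_sections(SECTION_TEMPLATE, {KEY: []})))
    print(terms_values(render_whole_list(SECOND)))
```

The empty-list case matters for this watch: when step `second` finds no new hosts, the section form still sends a single `""` to the `terms` query on `src_address`.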