How to include the hostname and location of the log within Watcher alerts?

alerting

(Elk User) #1

Hi,

I have a working watcher alert which I would like to update and include the hostname and path info within the same message - but I can't seem to get the correct syntax!!

Currently, I have the following working:

"body": {
        "html": "There were {{ctx.payload.hits.total}} matches of \"some error string\" within the last N minutes at {{ctx.execution_time}}.<br><br>Here is an example message found:<br><br> {{ctx.payload.hits.hits.0._source.message}}<br><br>."
}

Supposing, if {{host}} and {{path}} would work, I'd like the above message to read as: "There were {{ctx.payload.hits.total}} matches of "some error string" within the last N minutes on {{host}} at {{ctx.execution_time}}.

Here is an example message found:

{{ctx.payload.hits.hits.0._source.message}}

Please check the {{path}}."

Can someone please suggest how it can be done? Thanks in advance!


(Alexander Reelsen) #2

Hey,

I am sorry, but I was not able to extract your exact question from the post. Can you please include a sample document of your search and what you would like to extract from that? If it is just about extracting a field, you already used ctx.payload.hits.hits.0._source.message to access a field in the body. If you want to extract the hostname and the path from this field, you have to do that before indexing and not during watch execution.

--Alex


(Elk User) #3

Hi Alex,

Thank you for the tip - I was able to retrieve the hostname and path info in the same way as the message, using ctx.payload.hits.hits.0._source.host and ctx.payload.hits.hits.0._source.path, which were already defined.

~elkuser
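
The resolution reached in this thread, written out as a fragment of a watch definition. This is an added example, not something either participant posted. The trigger, input and condition are omitted, and the action name, recipient and subject are constructed placeholders. It assumes each hit's `_source` carries `host` and `path` fields, as in post #3, and adds a Mustache section that lists the host and path of every returned hit rather than only the first.

```json
{
  "metadata": {
    "note": "Added example. Action name, recipient and subject are constructed placeholders; host and path are assumed to exist in _source."
  },
  "actions": {
    "email_ops": {
      "email": {
        "to": "ops@example.com",
        "subject": "{{ctx.payload.hits.total}} matches of \"some error string\"",
        "body": {
          "html": "There were {{ctx.payload.hits.total}} matches of \"some error string\" within the last N minutes on {{ctx.payload.hits.hits.0._source.host}} at {{ctx.execution_time}}.<br><br>Here is an example message found:<br><br>{{ctx.payload.hits.hits.0._source.message}}<br><br>Please check {{ctx.payload.hits.hits.0._source.path}}.<br><br>Hosts and paths of the returned hits:<br>{{#ctx.payload.hits.hits}}{{_source.host}}: {{_source.path}}<br>{{/ctx.payload.hits.hits}}"
        }
      }
    }
  }
}
```

The section loop only covers the hits the search input actually returned, so its length is bounded by the search `size`, while `ctx.payload.hits.total` counts all matches.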

