How to index all fields using index action type in Watchers transform?

kelk · August 29, 2020, 11:12am

hi friends,
Currently we were alerting via email as part of watcher which makes false positives to a greater degree. So I was thinking to index all the watcher outcomes into an index and control from there. I saw bit of "painless" script on determining what needs to be put into index etc. But the challenge for me is to "Index" all fields coming out of a requirement

For example my watcher logic is to aggregated count of alerts per OS, per host, per region, I want all those 4 fields to be index. In similar way another watcher will have other set of outcomes which also needs to be put into the same index. How to ensure ALL the outcomes are caputred in the "painless" transform script while indexing ?

So ideally looking for:

"transform": {
     "script": "return [ '_doc' : ctx.payload.all_fields_used_in_above_search ]"
},

warkolm · September 1, 2020, 6:15am

I don't know how to do this with Alerting, but why not run a rollup job that puts it into a new index and then alert from that?

system · September 29, 2020, 6:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher results into new index Elasticsearch elastic-stack-alerting	3	916	September 19, 2019
Accessing fields in watcher with transform actions Elasticsearch	1	480	May 28, 2020
Help with Advanced Watcher Elasticsearch elastic-stack-alerting	3	406	December 30, 2019
Cannot Transform with Watcher's For Each Functionality Kibana painless	2	317	November 4, 2021
7.9 Watcher bug - Cannot save Watchers with an index set via a transform Elasticsearch elastic-stack-alerting	2	593	October 1, 2020

How to index all fields using index action type in Watchers transform?

Related topics