I am writing a watcher that first fetches the destination.ip
field (using an aggregation), and then has to use the first input's result as the terms query value (in the third input).
POST _watcher/watch/_execute
{
"watch": {
"trigger": {
"schedule": {
"interval": "10s"
}
},
"input": {
"chain": {
"inputs": [
{
"first": {
"search": {
"request": {
"indices": [
"test-index"
],
"body": {
"size": 0,
"aggs": {
"destination_ip_aggs": {
"terms": {
"field": "destination.ip",
"size": 2
}
}
}
}
}
}
}
},
{
"second": {
"transform": {
"script": {
"lang": "painless",
"source": """
List ips = new ArrayList();
for(def bucket: ctx.payload.first.aggregations.destination_ip_aggs.buckets) {
ips.add(bucket.key)
}
return ips;
"""
}
}
}
},
{
"third": {
"search": {
"request": {
"indices": [
"test-index"
],
"body": {
"query": {
"terms": {
"source.ip": [
"{{ctx.payload.second._value}}"
]
}
}
}
}
}
}
}
]
}
},
"actions": {
"log_error": {
"logging": {
"text": "{{ctx.payload.second._value}}"
}
}
}
}
}
The watcher output looks like this:
"chain" : {
"first" : {
"type" : "search",
"status" : "success",
"payload" : {
"_shards" : {
"total" : 1,
"failed" : 0,
"successful" : 1,
"skipped" : 0
},
"hits" : {
"hits" : [ ],
"total" : 2,
"max_score" : null
},
"took" : 1,
"timed_out" : false,
"aggregations" : {
"destination_ip_aggs" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [
{
"doc_count" : 1,
"key" : "10.20.70.200"
},
{
"doc_count" : 1,
"key" : "10.20.70.210"
}
]
}
}
},
"search" : {
"request" : {
"search_type" : "query_then_fetch",
"indices" : [
"test-index"
],
"rest_total_hits_as_int" : true,
"body" : {
"size" : 0,
"aggs" : {
"destination_ip_aggs" : {
"terms" : {
"field" : "destination.ip",
"size" : 2
}
}
}
}
}
}
},
"second" : {
"type" : "transform",
"status" : "success",
"payload" : {
"_value" : [
"10.20.70.200",
"10.20.70.210"
]
}
},
"third" : {
"type" : "search",
"status" : "failure",
"error" : {
"root_cause" : [
{
"type" : "query_shard_exception",
"reason" : "failed to create query: '{0=10.20.70.200, 1=10.20.70.210}' is not an IP string literal.",
"index_uuid" : "cH54bWHPTa2V2i9SskRPhw",
"index" : "test-index"
}
],
"type" : "search_phase_execution_exception",
"reason" : "all shards failed",
"phase" : "query",
"grouped" : true,
"failed_shards" : [
{
"shard" : 0,
"index" : "test-index",
"node" : "5sTXsEnqRFabKkXTrUiPBA",
"reason" : {
"type" : "query_shard_exception",
"reason" : "failed to create query: '{0=10.20.70.200, 1=10.20.70.210}' is not an IP string literal.",
"index_uuid" : "cH54bWHPTa2V2i9SskRPhw",
"index" : "test-index",
"caused_by" : {
"type" : "illegal_argument_exception",
"reason" : "'{0=10.20.70.200, 1=10.20.70.210}' is not an IP string literal."
}
}
}
]
},
"search" : {
"request" : {
"search_type" : "query_then_fetch",
"indices" : [
"test-index"
],
"rest_total_hits_as_int" : true,
"body" : {
"query" : {
"terms" : {
"source.ip" : [
"{0=10.20.70.200, 1=10.20.70.210}"
]
}
}
}
}
}
}
}
How can I use the second input's value in the third input (for the terms query)? I tried transforming the data again, but I am still not able to get it into the correct list format.
Can anyone please help me resolve this?