How to print a Field value in a Watch

addanuj · May 14, 2018, 7:12am

==================Index output====================================
{
  "took": 590,
  "timed_out": false,
  "_shards": {
    "total": 10,
    "successful": 9,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 182288644,
    "max_score": 1,
    "hits": [
      {
        "_index": "logstash-ossec-2018.05.02",
        "_type": "doc",
        "_id": "iD9CHmMBSutjJDB7Oh9L",
        "_score": 1,
        "_source": {
          "rule": {
            "description": "Windows Logon Success.",
            "firedtimes": 40368,
            "pci_dss": [
              "10.2.5"
            ],
            "mail": false,
            "id": "18107",
            "level": 3,
            "groups": [
              "windows",
              "authentication_success"
            ]
          },
===============================================================

======================Watch===================================
{
  "trigger": {
"schedule": {
  "interval": "5s"
}
  },
  "input": {
"search": {
  "request": {
    "search_type": "query_then_fetch",
    "indices": [
      "logstash-ossec-*"
    ],
    "types": [],
    "body": {
      "size": 0,
      "query": {
        "bool": {
          "should": [
            {
              "match_phrase": {
                "rule.description": "sshd: Attempt to login using a nodn-existent user"
              }
            },
            {
              "match_phrase": {
                "rule.description": "Windows: Logon Failure - Unknown user or bad password"
              }
            }
          ],
          "minimum_should_match": 1,
          "filter": {
            "range": {
              "@timestamp": {
                "gte": "now-7d"
              }
            }
          }
        }
      }
    }
  }
}
  },
  "condition": {
"compare": {
  "ctx.payload.hits.total": {
    "gte": 1
  }
}
  },
  "actions": {
"my-logging-action": {
  "logging": {
    "level": "info",
    "text": "There are {{ctx.payload.hits.hits._source.description}} Attempts in last 10 Minutes."
  }
}
  }
}

====================actions output==============================
"actions": [
  {
    "id": "my-logging-action",
    "type": "logging",
    "status": "success",
    "logging": {
      "logged_text": "There are  Attempts in last 10 Minutes."
    }
  }
]
  },
  "messages": []
}

I want to print Description field value which i am not able to ... please help.

spinscale · May 14, 2018, 7:30am

please take the time to properly format your messages. You can use markdown in here to properly format code snippets so please do so - this is nearly impossible to read.

Using {{ctx.payload.hits.hits._source.description}} does not take into account that ctx.payload.hits.hits is an array. If you just want to know how many documents matched your query, use ctx.payload.hits.total, if you need to access an element inside of the hits array, use the index to access it: {{ctx.payload.hits.hits.0._source.description}}

hope this helps.

addanuj · May 14, 2018, 8:01am

now i am getting this error:

"caused_by": {
            "type": "mustache_exception",
            "reason": "Failed to get value for ctx.payload.hits.hits.0.rule.description @[query-template:1]",

spinscale · May 14, 2018, 9:02am

you are missing the _source field reference here. Please take your time to compare the JSON of your response with the fields you are trying to access, as it needs to be exact.

system · June 11, 2018, 9:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.