How to return NA in watcher alert email if field is not available

Hello,

I am trying to return a field as NA in watcher alert email if that field is not available in _source.
I am using a transform script to see if the field is available in the _source, if not I am returning NA.
Please let me know if this is the correct way of doing this.
But I am getting watcher execution error below.
Here is my watcher job and the error trace.

"actions": {
    "email_administrator": {
      "transform": {
        "script": {
          "source": "if(ctx.payload.hits.hits._source.containsKey(\"CASE_NO\")) {return ctx.payload.hits.hits._source.CASE_NO;} else {return \"NA\"}",
          "lang": "painless"
        }
      },
      "email": {
        "profile": "standard",
        "from": "' <test1@test.com>'",
        "priority": "high",
        "to": [
          "' <test2@test.com>'"
        ],
        "subject": "Test - Email template",
        "body": {
           "html": "<head><h4>Test - Email template</h4></head>{{#ctx.payload.hits.hits}}<table border=1 align=center><tbody><tr><th>Participant SSN</th><td>{{_source.SOC_SEC_NO}}</td></tr><tr><th>CASE_NO</th><td>{{key}}</td></tr><tr><th>IP Address</th><td>{{_source.REMOTE_IP_I}}</td></tr><tr><th>Geo IP location</th><td>{{_source.geoiplocation}}</td></tr></tbody></table><p></p>{{/ctx.payload.hits.hits}}"
        }
      }
    }
  }

Error execution

"actions": [
{
"id": "email_administrator",
"type": "email",
"status": "failure",
"transform": {
"type": "script",
"status": "failure",
"reason": "ScriptException[runtime error]; nested: IllegalArgumentException[Illegal list shortcut value [_source].]; "
},
"reason": "Failed to transform payload"
}
]
},
"messages": []
}

Update:
The get below returns NA if the field is not available.
But when I use this script in the transform script, I am getting a null pointer exception.

failed to execute action []. failed to transform payload. ScriptException[runtime error]; nested: NullPointerException;

Can someone please tell me how to loop for multiple records in transform?

GET inetvru-util-logs-model-2018-02-05/_search
{
  "query": {
    "match": {"NON_REPUD_CD": "SA"}
  },
  "script_fields": {
    "test": {
      "script": {
        "lang": "painless",
        "source": "if(params._source.containsKey(\"CASE_NO\")) {return params._source.CASE_NO;} else {return \"NA\"}"
      }
    }
  }
}

Hello,

I tried to loop through the transform script like below. I am getting the error below.

Watcher: An internal server error occurred

Is a transform script the right choice to show NA (in the email alert) for the fields that are not available in _source? If so, once I transform this, how can I access the returned value in the email alert?

"transform": {
"script": {
"source": "for(int j=0;j<ctx.payload.hits.hits;j++){if(ctx.payload.hits.hits[j]._source.containsKey("CASE_NO")) {return ctx.payload.hits.hits[j]._source.CASE_NO} else {return "NA"}}",
"lang": "painless"
}
}

Thanks!
Saranya

From the examples I read in your posts I think there is one fundamental issue, and once that is fixed, things should be more clear.

To quote Transforms | X-Pack for the Elastic Stack [6.1] | Elastic

A Transform processes and changes the payload in the watch execution context to prepare it for the watch actions.

The important part here is that the word "changes" means the existing payload gets overwritten. You cannot access the hits if you don't specify them in your transform. Also, in your last example, you basically returned early, as soon as the first document has the key - I do think you want to create a list here?

It might make sense to check out our examples repo at https://github.com/elastic/examples/tree/master/Alerting

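An added example (not part of the original reply and not Elastic's own code) of the list-building transform described above: the script walks every hit, fills in NA for missing fields, and returns a new payload that the email template then iterates over. The payload key `rows` is an assumed name; the field names and addresses come from the watch in the question.

```json
{
  "actions": {
    "email_administrator": {
      "transform": {
        "script": {
          "lang": "painless",
          "source": "/* added example; 'rows' is an assumed payload key */ def fields = ['SOC_SEC_NO', 'CASE_NO', 'REMOTE_IP_I', 'geoiplocation']; def rows = []; for (def hit : ctx.payload.hits.hits) { def src = hit._source; def row = [:]; for (def f : fields) { row[f] = src.containsKey(f) ? src[f] : 'NA'; } rows.add(row); } return ['rows': rows];"
        }
      },
      "email": {
        "profile": "standard",
        "priority": "high",
        "to": [
          "<test2@test.com>"
        ],
        "subject": "Test - Email template",
        "body": {
          "html": "<h4>Test - Email template</h4>{{#ctx.payload.rows}}<table border=1 align=center><tbody><tr><th>Participant SSN</th><td>{{SOC_SEC_NO}}</td></tr><tr><th>CASE_NO</th><td>{{CASE_NO}}</td></tr><tr><th>IP Address</th><td>{{REMOTE_IP_I}}</td></tr><tr><th>Geo IP location</th><td>{{geoiplocation}}</td></tr></tbody></table><p></p>{{/ctx.payload.rows}}"
        }
      }
    }
  }
}
```

Because the transform's return value replaces the payload for this action, the template reads `ctx.payload.rows` and no longer has access to `ctx.payload.hits`.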

Hello Alexander,

I implemented this by creating a scripted field rather than transforming the payload.
Then I accessed the scripted field as ctx.payload.hits.hits.fields.scriptedfield.
Thanks for pointing me in the right direction.

"script_fields": {
  "name": {
    "script": {
      "lang": "painless",
      "inline": "if(params._source.containsKey(\"name\")) {return params._source.name;} else {return \"N/A\"}"
    }
  }
}

Thanks!
SV
