I am attempting to pull information from a Watcher query payload to place in an email and I am getting an "index out of bounds exception".

Here is my query and action:

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "winlogbeat-*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": {
                "term": {
                  "event_id": "1116"
                }
              },
              "filter": {
                "range": {
                  "@timestamp": {
                    "from": "now-1m"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "example@company.com"
        ],
        "subject": "Threat Detected: {{ctx.payload.hits.hits.0._source.computer_name}}",
        "body": {
          "text": "Windows Defender detected the following threat:"
        }
      }
    }
  }
}

Here is the execution output for the error:

  "actions": [
    {
      "id": "send_email",
      "type": "email",
      "status": "failure",
      "error": {
        "root_cause": [
          {
            "type": "general_script_exception",
            "reason": "Error running com.github.mustachejava.codes.DefaultMustache@6904158d"
          }
        ],
        "type": "general_script_exception",
        "reason": "Error running com.github.mustachejava.codes.DefaultMustache@6904158d",
        "caused_by": {
          "type": "mustache_exception",
          "reason": "Failed to get value for ctx.payload.hits.hits.0._id @[query-template:1]",
          "caused_by": {
            "type": "mustache_exception",
            "reason": "0 @[query-template:1]",
            "caused_by": {
              "type": "index_out_of_bounds_exception",
              "reason": "0"
            }
          }
        }
      }
    }
  ]
},

Your query uses size: 0, thus not returning any JSON sources, but you try to access those in the mustache template when sending an email, causing this issue.

--Alex
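
One way to catch this mismatch before a watch is deployed, as an added example that is not part of the original thread: a Python check that compares the hit indexes referenced in action templates with the `size` of the search request. The function names and the trimmed sample watch are constructed for illustration; the fallback of 10 is Elasticsearch's default when `size` is omitted.

```python
import re

# Matches mustache references such as {{ctx.payload.hits.hits.0._source.computer_name}}
HIT_REF = re.compile(r"\{\{\s*ctx\.payload\.hits\.hits\.(\d+)\b")

def iter_strings(node):
    """Yield every string value found anywhere in a JSON-like structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)

def unreachable_hit_refs(watch):
    """Return the hit indexes used in action templates that the search can never return."""
    body = watch["input"]["search"]["request"].get("body", {})
    size = body.get("size", 10)  # Elasticsearch returns up to 10 hits when size is omitted
    used = {int(m.group(1))
            for text in iter_strings(watch.get("actions", {}))
            for m in HIT_REF.finditer(text)}
    # hits.hits holds at most `size` entries, so any index >= size always fails to render
    return sorted(i for i in used if i >= size)

def make_watch(size):
    """Constructed sample: the watch from the question, trimmed to the relevant parts."""
    return {
        "input": {"search": {"request": {
            "indices": ["winlogbeat-*"],
            "body": {"size": size, "query": {"bool": {
                "must": {"term": {"event_id": "1116"}},
                "filter": {"range": {"@timestamp": {"from": "now-1m"}}},
            }}},
        }}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {"send_email": {"email": {
            "to": ["example@company.com"],
            "subject": "Threat Detected: {{ctx.payload.hits.hits.0._source.computer_name}}",
            "body": {"text": "Windows Defender detected the following threat:"},
        }}},
    }

if __name__ == "__main__":
    for size in (0, 1):
        print(f"size={size}: unreachable hit indexes {unreachable_hit_refs(make_watch(size))}")
```

With `size` at 1 or more and the existing `ctx.payload.hits.total > 0` condition, index 0 is always present when the email action runs.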

Thanks, exactly what I needed.
