Include Fields in Watcher Email Alert

From the API output of my watcher below, I can only include {{ctx.metadata.name}} in the email subject and body. If I try to include any other field, such as {{ctx.payload.hits.total}}, {{ctx.metadata.name.xpack.type}}, or {{#ctx.payload.aggregations.bucketAgg.buckets}}{{key}}{{/ctx.payload.aggregations.bucketAgg.buckets}}, nothing gets captured in the email body/subject.

{
  "watch_id": "_inlined_",
  "node": "_h4xl2ByQ6eIwhyhzRdUYA",
  "state": "executed",
  "user": "xxxxxxx@qwerty.com",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2022-07-17T13:44:25.537Z"
    },
    "last_checked": "2022-07-17T13:44:25.537Z",
    "last_met_condition": "2022-07-17T13:44:25.537Z",
    "actions": {
      "email_1": {
        "ack": {
          "timestamp": "2022-07-17T13:44:25.537Z",
          "state": "ackable"
        },
        "last_execution": {
          "timestamp": "2022-07-17T13:44:25.537Z",
          "successful": true
        },
        "last_successful_execution": {
          "timestamp": "2022-07-17T13:44:25.537Z",
          "successful": true
        }
      }
    },
    "execution_state": "executed",
    "version": -1
  },
  "trigger_event": {
    "type": "manual",
    "triggered_time": "2022-07-17T13:44:25.537Z",
    "manual": {
      "schedule": {
        "scheduled_time": "2022-07-17T13:44:25.537Z"
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "zyz-connector-log-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-20d",
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||epoch_millis"
                  }
                }
              }
            }
          },
          "aggs": {
            "bucketAgg": {
              "terms": {
                "field": "alertCode",
                "size": 5,
                "order": {
                  "_count": "desc"
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i].doc_count > params.threshold) { return true; } } return false;",
      "lang": "painless",
      "params": {
        "threshold": 10
      }
    }
  },
  "metadata": {
    "name": "ThreasholdBreachedNew",
    "xpack": {
      "type": "json"
    }
  },
  "result": {
    "execution_time": "2022-07-17T13:44:25.537Z",
    "execution_duration": 1,
    "input": {
      "type": "search",
      "status": "success",
      "payload": {
        "_shards": {
          "total": 1,
          "failed": 0,
          "successful": 1,
          "skipped": 0
        },
        "hits": {
          "hits": [],
          "total": 75,
          "max_score": null
        },
        "took": 1,
        "timed_out": false,
        "aggregations": {
          "bucketAgg": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "doc_count": 53,
                "key": "ALERT_Email"
              },
              {
                "doc_count": 21,
                "key": "ALERT_EWS_Overall"
              },
              {
                "doc_count": 1,
                "key": "ALERT_EWS_FindFolders"
              }
            ]
          }
        }
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "zyz-connector-log-*"
          ],
          "rest_total_hits_as_int": true,
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": {
                  "range": {
                    "@timestamp": {
                      "gte": "2022-07-17T13:44:25.53776959Z||-20d",
                      "lte": "2022-07-17T13:44:25.53776959Z",
                      "format": "strict_date_optional_time||epoch_millis"
                    }
                  }
                }
              }
            },
            "aggs": {
              "bucketAgg": {
                "terms": {
                  "field": "alertCode",
                  "size": 5,
                  "order": {
                    "_count": "desc"
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "type": "script",
      "status": "success",
      "met": true
    },
    "transform": {
      "type": "script",
      "status": "success",
      "payload": {
        "results": [
          {
            "value": 53,
            "key": "ALERT_Email"
          },
          {
            "value": 21,
            "key": "ALERT_EWS_Overall"
          }
        ]
      }
    },
    "actions": [
      {
        "id": "email_1",
        "type": "email",
        "status": "simulated",
        "email": {
          "message": {
            "id": "email_1__inlined__477c0d59-3a95-4e8c-8e41-f509464a2a78-2022-07-17T13:44:25.53778149Z_34",
            "sent_date": "2022-07-17T13:44:25.539894706Z",
            "to": [
              "xxxxxxx@qwerty.com"
            ],
            "subject": "Watch [ThreasholdBreachedNew] has exceeded the threshold ",
            "body": {
              "text": "Hi Team,\n\nKindly note the  has been exceeded in last 5 mintutes.\n\n"
            }
          }
        }
      }
    ]
  },
  "messages": []
}

You need a transform block in the actions section to build a data structure that you can easily iterate through using the mustache syntax (the {{#ctx.payload.... }} form). See an example here, starting on line 98:

I tried, but I got the error: cannot parse "transform" in action.

oh sorry - you're the same person asking in the other thread. I didn't notice at first.

If you got a "cannot parse" error, perhaps your copy/paste picked up extraneous characters. Try using the "raw" version:

https://gist.githubusercontent.com/richcollier/31e4de8773d6f9183a6cf4799836b8e0/raw/2225ebcaec506d10c1eb546dd7fadab9cd09179e/alert_on_three_consecutive_anomalies.txt
