Index action - create document

rickdegreef · April 26, 2018, 1:57pm

Hi,

We're trying to create a new document in the "action" part. We would like to index this document in the alert-index. We're trying this:

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "pymon*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must": {
                "match": {
                  "type": "microsoft.insights/components"
                }
              },
              "filter": {
                "bool": {
                  "must": [
                    {
                      "range": {
                        "date_time": {
                          "gte": "now-5m/m"
                        }
                      }
                    },
                    {
                      "range": {
                        "requests/duration": {
                          "gte": 1
                        }
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
"throttle_period_in_millis": 900000,
  "actions": {
      "enterpriseAlert": {
          "webhook": {
              "scheme": "https",
              "host": "enterprisealert.arxus.eu",
              "port": 443,
              "method": "post",
              "path": "eawebservice/rest/events?apiKey=w5shm3kx0wlafe28lv6g43dh50idip3u",
              "params": {},
              "headers": {},
              "body": "title:there are {{ctx.payload.hits.total}} problems with AppInsights in Azure., type:backup/protectedItems, body:{ {{#ctx.payload.hits.hits}} client_name:{{_source.client_name}}, billing_id:{{_source.billing_id}}, object_name:{{_source.name}}, requests/duration:{{_source.requests/duration}},{{/ctx.payload.hits.hits}} }"
      }
    },
    "index_payload":{
        "index":{
            "index":"alert",
            "doc_type":"doc",
            "resource":"AppInsights",
            "total_errors":"{{ctx.payload.hits.total}}",
            "classification":"P2",
            "client_names_and_appnames":"{{#ctx.payload.hits.hits}}{{_source.client_name}} - {{_source.name}}; {{/ctx.payload.hits.hits}}",
            "date_time":"now"
        }
    }
  }
}

And when we're trying to simulate the action "index_payload" we're getting the following error:

What are we doing wrong?

spinscale · April 26, 2018, 2:38pm

See https://www.elastic.co/guide/en/x-pack/6.2/actions-index.html

the index action does not allow you to configure how the document should look like. This needs to be with a transform inside of the index action like this

"index_payload" : {
  "transform" :  {
    "script" : ...
  },
  "index": { ... }
}

the script should return a map that resembles the structure of the wanted document.

The sample watches in the examples repository is using a fair share of actions transforms, if you need more examples.

rickdegreef · April 27, 2018, 11:40am

Hi Alexander,

Thank for helping out again! This actually did the trick!

Topic		Replies	Views
Index action - document construction Elasticsearch elastic-stack-alerting	8	3986	July 6, 2017
Kibana Alert and Action "Error: error validating action params" Kibana elastic-stack-alerting	12	2763	September 14, 2020
Transform single hit into multiple documents with Index action Elasticsearch elastic-stack-alerting	8	3261	September 20, 2018
How to insert evaluated some specific documents results into another elasticsearch index using watcher actions? Elasticsearch elastic-stack-alerting	2	1090	March 7, 2018
How to exploit rules Elastic Security	11	1164	May 9, 2023

Index action - create document

Related topics