Hello,
I am new to the ELK stack. I am trying to learn version 6.4.0 and am currently at Watcher/Alerting. It works fine with the Logging action.
Now I want to use the Index action: I want to write certain index entries to a new index.
This is my watch:
{
"trigger": {
"schedule": {
"interval": "45s"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"logstash-auth-log-*"
],
"types": [
"doc"
],
"body": {
"size": 0,
"query": {
"bool": {
"must": {
"match": {
"ssh_failreason": "unknown_user"
}
},
"filter": {
"range": {
"@timestamp": {
"from": "now-1m",
"to": "now"
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 2
}
}
},
"actions": {
"my-indexing-action": {
"index": {
"index": "test",
"doc_type": "doc"
}
}
}
}
When I look at Management -> Watcher -> mywatcher, the state is OK. When the watch is triggered it fires, but I can't find any of the matching entries in Kibana, even though the execution output below reports `"created": true` for the index action. (Note that the search input uses `"size": 0`, so the payload in the output contains `"hits": []` and only the total count of 3.)
When I look at the details, I notice that Type = "unknown/invalid", and I don't understand why it is reported as unknown.
I think it should normally say Type = "index", because in my logging example it says Type = "logging".
My execution output:
{
"watch_id": "neuertest",
"node": "xKcHAHhGTFaa-eQBwQjpNw",
"state": "executed",
"status": {
"state": {
"active": true,
"timestamp": "2018-10-04T14:50:21.610Z"
},
"last_checked": "2018-10-04T14:51:07.029Z",
"last_met_condition": "2018-10-04T14:51:07.029Z",
"actions": {
"my-indexing-action": {
"ack": {
"timestamp": "2018-10-04T14:51:07.029Z",
"state": "ackable"
},
"last_execution": {
"timestamp": "2018-10-04T14:51:07.029Z",
"successful": true
},
"last_successful_execution": {
"timestamp": "2018-10-04T14:51:07.029Z",
"successful": true
}
}
},
"execution_state": "executed",
"version": -1
},
"trigger_event": {
"type": "schedule",
"triggered_time": "2018-10-04T14:51:07.029Z",
"schedule": {
"scheduled_time": "2018-10-04T14:51:06.611Z"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"logstash-auth-log-*"
],
"types": [
"doc"
],
"body": {
"size": 0,
"query": {
"bool": {
"must": {
"match": {
"ssh_failreason": "unknown_user"
}
},
"filter": {
"range": {
"@timestamp": {
"from": "now-1m",
"to": "now"
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 2
}
}
},
"metadata": {
"xpack": {
"type": "json"
}
},
"result": {
"execution_time": "2018-10-04T14:51:07.029Z",
"execution_duration": 5,
"input": {
"type": "search",
"status": "success",
"payload": {
"_shards": {
"total": 10,
"failed": 0,
"successful": 10,
"skipped": 0
},
"hits": {
"hits": [],
"total": 3,
"max_score": 0
},
"took": 3,
"timed_out": false
},
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"logstash-auth-log-*"
],
"types": [
"doc"
],
"body": {
"size": 0,
"query": {
"bool": {
"must": {
"match": {
"ssh_failreason": "unknown_user"
}
},
"filter": {
"range": {
"@timestamp": {
"from": "now-1m",
"to": "now"
}
}
}
}
}
}
}
}
},
"condition": {
"type": "compare",
"status": "success",
"met": true,
"compare": {
"resolved_values": {
"ctx.payload.hits.total": 3
}
}
},
"actions": [
{
"id": "my-indexing-action",
"type": "index",
"status": "success",
"index": {
"response": {
"created": true,
"result": "created",
"id": "OaOPP2YBdX53YvB6lxOa",
"version": 1,
"type": "doc",
"index": "test"
}
}
}
]
},
"messages": []
}
Best regards