Index doesn't work, but why?


#1

Hello,
I am new to EKB. I am trying to learn EKB 6.4.0 and I am currently at Watcher/Alerting. It works fine with the Logging action.
Now I want to run the Index action: I want to write certain index entries to a new index.

This is my watch:

{
  "trigger": {
    "schedule": {
      "interval": "45s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "logstash-auth-log-*"
        ],
        "types": [
              "doc"
        ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": {
                "match": {
                  "ssh_failreason": "unknown_user"
                }
              },
              "filter": {
                "range": {
                  "@timestamp": {
                    "from": "now-1m",
                    "to": "now"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 2
      }
    }
  },
  "actions": {
    "my-indexing-action": {
      "index": {
        "index": "test",
        "doc_type": "doc"
      }
    }
  }
}

When I take a look at Management -> Watcher -> mywatcher, the state is OK. When I trigger the watcher it fires, but I can't find any entries in Kibana.
When I look at the details, I notice that Type = "unknown/invalid", and I don't understand why it is unknown.
I think it should normally say Type = "index", because in my logging example it says Type = "logging".

My execution Output:

{
  "watch_id": "neuertest",
  "node": "xKcHAHhGTFaa-eQBwQjpNw",
  "state": "executed",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2018-10-04T14:50:21.610Z"
    },
    "last_checked": "2018-10-04T14:51:07.029Z",
    "last_met_condition": "2018-10-04T14:51:07.029Z",
    "actions": {
      "my-indexing-action": {
        "ack": {
          "timestamp": "2018-10-04T14:51:07.029Z",
          "state": "ackable"
        },
        "last_execution": {
          "timestamp": "2018-10-04T14:51:07.029Z",
          "successful": true
        },
        "last_successful_execution": {
          "timestamp": "2018-10-04T14:51:07.029Z",
          "successful": true
        }
      }
    },
    "execution_state": "executed",
    "version": -1
  },
  "trigger_event": {
    "type": "schedule",
    "triggered_time": "2018-10-04T14:51:07.029Z",
    "schedule": {
      "scheduled_time": "2018-10-04T14:51:06.611Z"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "logstash-auth-log-*"
        ],
        "types": [
          "doc"
        ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": {
                "match": {
                  "ssh_failreason": "unknown_user"
                }
              },
              "filter": {
                "range": {
                  "@timestamp": {
                    "from": "now-1m",
                    "to": "now"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 2
      }
    }
  },
  "metadata": {
    "xpack": {
      "type": "json"
    }
  },
  "result": {
    "execution_time": "2018-10-04T14:51:07.029Z",
    "execution_duration": 5,
    "input": {
      "type": "search",
      "status": "success",
      "payload": {
        "_shards": {
          "total": 10,
          "failed": 0,
          "successful": 10,
          "skipped": 0
        },
        "hits": {
          "hits": [],
          "total": 3,
          "max_score": 0
        },
        "took": 3,
        "timed_out": false
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "logstash-auth-log-*"
          ],
          "types": [
            "doc"
          ],
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "must": {
                  "match": {
                    "ssh_failreason": "unknown_user"
                  }
                },
                "filter": {
                  "range": {
                    "@timestamp": {
                      "from": "now-1m",
                      "to": "now"
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "type": "compare",
      "status": "success",
      "met": true,
      "compare": {
        "resolved_values": {
          "ctx.payload.hits.total": 3
        }
      }
    },
    "actions": [
      {
        "id": "my-indexing-action",
        "type": "index",
        "status": "success",
        "index": {
          "response": {
            "created": true,
            "result": "created",
            "id": "OaOPP2YBdX53YvB6lxOa",
            "version": 1,
            "type": "doc",
            "index": "test"
          }
        }
      }
    ]
  },
  "messages": []
}

Best regards


(Alexander Reelsen) #2

This looks like a perfectly fine watch run:

    "actions": [
      {
        "id": "my-indexing-action",
        "type": "index",
        "status": "success",
        "index": {
          "response": {
            "created": true,
            "result": "created",
            "id": "OaOPP2YBdX53YvB6lxOa",
            "version": 1,
            "type": "doc",
            "index": "test"
          }
        }
      }
    ]

This output shows that a document with the referenced id has been created, as intended. You can verify that the document exists with a GET request against the index, type and id from the response (here `GET test/doc/OaOPP2YBdX53YvB6lxOa`).

I am not too sure I understand your problem correctly.


#3

You are right. Yesterday I didn't see the entry, but today it works fine and I get everything I expected. Maybe I just overlooked the entry I was looking for yesterday.

