Log entry payload is not present in the trigger's ctx

Hello there,

I would like to include a log's field value in the alert body message. The alert is pushed to a Slack channel. From the log entry below, I wanted to include the payload.message and payload.customData.orders.

The log entry

    {
        "metaData": {
            "timestamp": "2020-09-03T12:03:01.193Z",
            "appVersion": "0.0.1-SNAPSHOT",
            "appName": "order-events-monitor",
            "logger": "ForkJoinPool.commonPool-worker-3",
            "priority": "ERROR",
            "envName": "dev",
            "envHost": "localhost",
            "tracePoint": "END"
        },
        "payload": {
            "class": "com.handlers.PriceMismatchHandler:42",
            "message": "Price mismatch",
            "customData": {},
            "exception": ""
        },
        "context": {
            "correlationRootId": "29b8c9c6-5780-4cbb-a7ff-b6e02f34e171",
            "customData": {
                "orders": []
            },
            "correlationId": "fd889faf-1d70-421d-be51-5ec312b03dfa"
        }
    }

The configuration for the trigger action is below:

Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
- Message: {{ctx.payload.message}}
- Trigger: {{ctx.trigger.name}}
- Severity: {{ctx.trigger.severity}}
- Period start: {{ctx.periodStart}}
- Period end: {{ctx.periodEnd}}

The above is not printing the value of the payload.message. I tried {{ctx.payload.hits}}. If I print out the whole {{ctx}} in the body I get the following:

    {monitor={_id=FofyAHQBm5zOLdVNL306, _version=105, name=Inventory File Monitor S307, enabled=true}, trigger={id=GYfzAHQBm5zOLdVNZX1e, name=Inventory File Missing S307, severity=4, actions=[{name=Missing Inventory File from S307}]}, results=[{_shards={total=35, failed=0, successful=35, skipped=0}, hits={hits=[], total={value=2, relation=eq}, max_score=null}, took=8, timed_out=false}], periodStart=2020-08-21T07:44:10.087Z, periodEnd=2020-08-21T07:45:10.087Z, alert={acknowledged_time=null, id=7YT5D3QBnr12y3m8mqFF, version=-1, end_time=null, error_message=null, last_notification_time=1597995850206, severity=4, start_time=1597995850206, state=ACTIVE}, error=null}

Thanks in advance

Hello Ayache,

Your result doesn't have any payload field:

 {monitor={_id=FofyAHQBm5zOLdVNL306, _version=105, name=Inventory File Monitor S307, enabled=true}, trigger={id=GYfzAHQBm5zOLdVNZX1e, name=Inventory File Missing S307, severity=4, actions=[{name=Missing Inventory File from S307}]}, results=[{_shards={total=35, failed=0, successful=35, skipped=0}, hits={hits=[], total={value=2, relation=eq}, max_score=null}, took=8, timed_out=false}], periodStart=2020-08-21T07:44:10.087Z, periodEnd=2020-08-21T07:45:10.087Z, alert={acknowledged_time=null, id=7YT5D3QBnr12y3m8mqFF, version=-1, end_time=null, error_message=null, last_notification_time=1597995850206, severity=4, start_time=1597995850206, state=ACTIVE}, error=null}

Could you share your query?

Here is the query. Thanks

{
    "size": 0,
    "query": {
        "bool": {
            "must": [
                {
                    "match_phrase": {
                        "payload.message": {
                            "query": "price mismatch",
                            "slop": 0,
                            "zero_terms_query": "NONE",
                            "boost": 1
                        }
                    }
                },
                {
                    "match_phrase": {
                        "metaData.tracePoint": {
                            "query": "END",
                            "slop": 0,
                            "zero_terms_query": "NONE",
                            "boost": 1
                        }
                    }
                },
                {
                    "range": {
                        "@timestamp": {
                            "from": "now-1m",
                            "to": "now",
                            "include_lower": true,
                            "include_upper": true,
                            "format": "strict_date_optional_time",
                            "boost": 1
                        }
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    }
}

Ayache,

Your parameter "size": 0 prevents the result from containing hits as explained here:
https://www.elastic.co/guide/en/elasticsearch/reference/current/returning-only-agg-results.html

Try to remove it.

Thank you very much, it worked. Now I am getting the payload - see below. How do I reference the payload elements in the trigger body? Like accessing customData={orders= for example?

{monitor={ id=0gbtD3QB1gCBqbz -LEr, _version=11, name=Price Mismatch, enabled=true}, trigger={id=24lAVHQB-7xxRqIXyUOl, name=price mismatch, severity=4, actions=[{name=Price Mismatch Alert}]}, results=[{_shards={total=35, failed=0, successful=35, skipped=0}, hits={hits=[{_index=cwl-cr-emea-dev-2020.09.03, _type=cwl-cr-emea-dev-2020.09.03, _source={metaData={appVersion=0.0.1-SNAPSHOT, appName=cr-order-events-monitor, envName=dev, logger=main, tracePoint=END, priority=ERROR, envHost=localhost, timestamp=2020-09-03T15:49:00.091Z}, @message={"metaData":{"timestamp":"2020-09-03T15:49:00.091Z","appVersion":"0.0.1-SNAPSHOT","appName":"cr-order-events-monitor","logger":"main","priority":"ERROR","envName":"dev","envHost":"localhost","tracePoint":"END"},"payload":{"class":"com.vfc.mkpl.zacr.handlers.PriceMismatchHandler:41","message":"Price mismatch","customData":{},"exception":""},"context":{"correlationRootId":"80765970-8417-4efb-8410-b3a4d456191b","customData":{"orders":["500000000000015","500000000000016","500000000000030","500000000000035"]},"correlationId":"68f63662-3d6d-49ce-a385-2c463b3905be"}}, @timestamp=2020-09-03T15:49:00.093Z, payload={exception=, customData={}, message=Price mismatch, class=com.vfc.mkpl.zacr.handlers.PriceMismatchHandler:41}, context={correlationRootId=80765970-8417-4efb-8410-b3a4d456191b, customData={orders=[500000000000015, 500000000000016, 500000000000030, 500000000000035]}, correlationId=68f63662-3d6d-49ce-a385-2c463b3905be}, @log_group=orderoevent-monitor, @owner=018795316058, @log_stream=orderoevent-monitor/e2d9569d-a6a0-41ab-81f9-c0423fdde2fc, @id=35662195206918146035224400048682985606312382432338247693}, _id=35662195206918146035224400048682985606312382432338247693, _score=36.14797}], total={value=1, relation=eq}, max_score=36.14797}, took=9, timed_out=false}], periodStart=2020-09-03T15:48:56.344Z, periodEnd=2020-09-03T15:49:56.344Z, alert=null, error=null}
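Added example, not part of the original thread: in the `{{ctx}}` dump above the matched document sits under `results`, in `hits.hits`, in `_source`, and the order IDs are in `context.customData.orders` (`payload.customData` is empty). The Python below renders a template against a constructed, trimmed `ctx` to show which paths resolve; `lookup`, `render`, `make_ctx`, `BROKEN` and `FIXED` are names made up here, and `render` is a simplified stand-in for Mustache. It assumes the alerting template engine treats numeric path segments as list indexes and iterates list sections.

```python
import re

# Constructed hit, trimmed from the {{ctx}} dump above (two order IDs kept).
HIT = {"_source": {
    "payload": {"message": "Price mismatch", "customData": {}},
    "context": {"customData": {"orders": ["500000000000015", "500000000000016"]}},
}}

def make_ctx(hits):
    """Trimmed ctx; with "size": 0 in the monitor query, hits is an empty list."""
    return {"ctx": {"results": [{"hits": {"hits": hits}}]}}

def lookup(scope, path):
    """Walk a dotted path; numeric segments index lists; missing gives None."""
    if path == ".":
        return scope
    node = scope
    for key in path.split("."):
        if isinstance(node, list) and key.isdigit() and int(key) < len(node):
            node = node[int(key)]
        elif isinstance(node, dict) and key in node:
            node = node[key]
        else:
            return None
    return node

SECTION = re.compile(r"\{\{#([\w.@]+)\}\}(.*?)\{\{/\1\}\}", re.S)
VAR = re.compile(r"\{\{([\w.@]+)\}\}")

def render(template, scope):
    """Simplified stand-in for Mustache: list sections and variables only."""
    def section(m):
        return "".join(render(m.group(2), item) for item in lookup(scope, m.group(1)) or [])
    def var(m):
        value = lookup(scope, m.group(1))
        return "" if value is None else str(value)
    return VAR.sub(var, SECTION.sub(section, template))

BROKEN = "- Message: {{ctx.payload.message}}"  # ctx has no top-level payload
FIXED = (
    "- First message: {{ctx.results.0.hits.hits.0._source.payload.message}}\n"
    "{{#ctx.results.0.hits.hits}}"
    "- {{_source.payload.message}}, orders:"
    "{{#_source.context.customData.orders}} {{.}}{{/_source.context.customData.orders}}\n"
    "{{/ctx.results.0.hits.hits}}"
)

if __name__ == "__main__":
    for hits in ([HIT], []):
        print(render(BROKEN + "\n" + FIXED, make_ctx(hits)))
```

With an empty `hits` list, as when the query carries `"size": 0`, both forms render blank values, which is the symptom from the first post.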