Log entry payload is not present in the trigger's ctx

akhettar · September 3, 2020, 12:17pm

Hello there,

I would like to include a log's field value in the alert body message. The alert is pushed to slack channel. From the log entry below, I wanted to include the payload.message and payload.customData.orders

The log entry

   {
    "metaData": {
        "timestamp": "2020-09-03T12:03:01.193Z",
        "appVersion": "0.0.1-SNAPSHOT",
        "appName": "order-events-monitor",
        "logger": "ForkJoinPool.commonPool-worker-3",
        "priority": "ERROR",
        "envName": "dev",
        "envHost": "localhost",
        "tracePoint": "END"
    },
    "payload": {
        "class": "com.handlers.PriceMismatchHandler:42",
        "message": "Price mismatch",
        "customData": {},
        "exception": ""
    },
    "context": {
        "correlationRootId": "29b8c9c6-5780-4cbb-a7ff-b6e02f34e171",
        "customData": {
            "orders": []
        },
        "correlationId": "fd889faf-1d70-421d-be51-5ec312b03dfa"
    }
}

the configuration for the trigger action is below

Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
- Message: {{ctx.payload.message}}
- Trigger: {{ctx.trigger.name}}
- Severity: {{ctx.trigger.severity}}
- Period start: {{ctx.periodStart}}
- Period end: {{ctx.periodEnd}}

The above is not printing the value of the payload.mesage. I tried {{ctx.payload.hits}}. If I print out the whole {{ctx}} in the body I get the following:

    {monitor={_id=FofyAHQBm5zOLdVNL306, _version=105, name=Inventory File Monitor S307, enabled=true}, trigger={id=GYfzAHQBm5zOLdVNZX1e, name=Inventory File Missing S307, severity=4, actions=[{name=Missing Inventory File from S307}]}, results=[{_shards={total=35, failed=0, successful=35, skipped=0}, hits={hits=[], total={value=2, relation=eq}, max_score=null}, took=8, timed_out=false}], periodStart=2020-08-21T07:44:10.087Z, periodEnd=2020-08-21T07:45:10.087Z, alert={acknowledged_time=null, id=7YT5D3QBnr12y3m8mqFF, version=-1, end_time=null, error_message=null, last_notification_time=1597995850206, severity=4, start_time=1597995850206, state=ACTIVE}, error=null}

Thanks in advance

Rom1 · September 3, 2020, 12:41pm

Hello Ayache,

Your result doesn't have any payload field:

 {monitor={_id=FofyAHQBm5zOLdVNL306, _version=105, name=Inventory File Monitor S307, enabled=true}, trigger={id=GYfzAHQBm5zOLdVNZX1e, name=Inventory File Missing S307, severity=4, actions=[{name=Missing Inventory File from S307}]}, results=[{_shards={total=35, failed=0, successful=35, skipped=0}, hits={hits=[], total={value=2, relation=eq}, max_score=null}, took=8, timed_out=false}], periodStart=2020-08-21T07:44:10.087Z, periodEnd=2020-08-21T07:45:10.087Z, alert={acknowledged_time=null, id=7YT5D3QBnr12y3m8mqFF, version=-1, end_time=null, error_message=null, last_notification_time=1597995850206, severity=4, start_time=1597995850206, state=ACTIVE}, error=null}

Could you share your query ?

akhettar · September 3, 2020, 12:59pm

Here is the query. Thanks

{
    "size": 0,
    "query": {
        "bool": {
            "must": [
                {
                    "match_phrase": {
                        "payload.message": {
                            "query": "price mismatch",
                            "slop": 0,
                            "zero_terms_query": "NONE",
                            "boost": 1
                        }
                    }
                },
                {
                    "match_phrase": {
                        "metaData.tracePoint": {
                            "query": "END",
                            "slop": 0,
                            "zero_terms_query": "NONE",
                            "boost": 1
                        }
                    }
                },
                {
                    "range": {
                        "@timestamp": {
                            "from": "now-1m",
                            "to": "now",
                            "include_lower": true,
                            "include_upper": true,
                            "format": "strict_date_optional_time",
                            "boost": 1
                        }
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    }
}

Rom1 · September 3, 2020, 1:12pm

Ayache,

Your parameter "size": 0 prevents the result from containing hits as explained here:
https://www.elastic.co/guide/en/elasticsearch/reference/current/returning-only-agg-results.html

Try to remove it

akhettar · September 3, 2020, 3:54pm

Thank you very much, it worked. Now I am getting the payload - see below. How do I reference the payload elements in the trigger body? Like accessing customData={orders= for example?

{monitor={ id=0gbtD3QB1gCBqbz -LEr, _version=11, name=Price Mismatch, enabled=true}, trigger={id=24lAVHQB-7xxRqIXyUOl, name=price mismatch, severity=4, actions=[{name=Price Mismatch Alert}]}, results=[{_shards={total=35, failed=0, successful=35, skipped=0}, hits={hits=[{_index=cwl-cr-emea-dev-2020.09.03, _type=cwl-cr-emea-dev-2020.09.03, _source={metaData={appVersion=0.0.1-SNAPSHOT, appName=cr-order-events-monitor, envName=dev, logger=main, tracePoint=END, priority=ERROR, envHost=localhost, timestamp=2020-09-03T15:49:00.091Z}, @message={"metaData":{"timestamp":"2020-09-03T15:49:00.091Z","appVersion":"0.0.1-SNAPSHOT","appName":"cr-order-events-monitor","logger":"main","priority":"ERROR","envName":"dev","envHost":"localhost","tracePoint":"END"},"payload":{"class":"com.vfc.mkpl.zacr.handlers.PriceMismatchHandler:41","message":"Price mismatch","customData":{},"exception":""},"context":{"correlationRootId":"80765970-8417-4efb-8410-b3a4d456191b","customData":{"orders":["500000000000015","500000000000016","500000000000030","500000000000035"]},"correlationId":"68f63662-3d6d-49ce-a385-2c463b3905be"}}, @timestamp=2020-09-03T15:49:00.093Z, payload={exception=, customData={}, message=Price mismatch, class=com.vfc.mkpl.zacr.handlers.PriceMismatchHandler:41}, context={correlationRootId=80765970-8417-4efb-8410-b3a4d456191b, customData={orders=[500000000000015, 500000000000016, 500000000000030, 500000000000035]}, correlationId=68f63662-3d6d-49ce-a385-2c463b3905be}, @log_group=orderoevent-monitor, @owner=018795316058, @log_stream=orderoevent-monitor/e2d9569d-a6a0-41ab-81f9-c0423fdde2fc, @id=35662195206918146035224400048682985606312382432338247693}, _id=35662195206918146035224400048682985606312382432338247693, _score=36.14797}], total={value=1, relation=eq}, max_score=36.14797}, took=9, timed_out=false}], periodStart=2020-09-03T15:48:56.344Z, periodEnd=2020-09-03T15:49:56.344Z, alert=null, error=null}

system · October 1, 2020, 3:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to include log field value in the alert body message Kibana elastic-stack-alerting , kql-kibana-query-language	2	2220	September 21, 2020
How to include the ctx.payload.value in the email text for watcher alert? Kibana elastic-stack-alerting	24	4902	May 24, 2021
Including Field Value in Webhook Message Elasticsearch	1	991	October 17, 2019
How to return results with ctx.payload Kibana elastic-stack-alerting , painless	6	2972	December 2, 2020
Generate Alert for entries not present in the log for a given time window Kibana elastic-stack-alerting , kql-kibana-query-language	6	423	September 28, 2020

Log entry payload is not present in the trigger's ctx

Related topics