Loop through ctx.payload.hits.hits in transform

Steve_Stevens · January 15, 2018, 11:14am

Excuse the basic questions but I am new to the product and forum.
I am attempting to build a watcher that parses a some of the hits messages and updates an index, but I feel my syntax is wrong. Unfortunately I only get told "Watcher: An internal server error occurred".

Lets say my query returns ctx.payload.hits.hits

{
  "type":"search",
  "status":"success",
  "payload":{
    "_shards":{
      "total":10,
      "failed":0,
      "successful":10,
      "skipped":0
    },
    "hits":{
      "hits":[
        {
          "_index":"fluentd-2018.01.15",
          "_type":"fluentd",
          "_source":{
            "log":"authlog",
            "@timestamp":"2018-01-15T11:00:01+00:00",
            "message":"blahblah"
          },
          "_id":"XHd6-WABt5EbJmIskQQn"
        }
      ]
    }
  }
}

Using a script transform I can create my own key with data from hits
"transform": {
"script": {
"source": "ctx.payload.transform = []; def document = ['bob': ctx.payload.hits.hits[0]._source.message]; ctx.payload.transform.add(document) ; return ctx.payload.transform;",
"lang": "painless"
}
}

But If I try to introduce a loop I get the server error.
"transform": {
"script": {
"source": "ctx.payload.transform = []; def document = []; for (int j=0;j<ctx.payload.hits.hits;j++){ document = ['bob': ctx.payload.hits.hits[j]._source.message]; ctx.payload.transform.add(document) } ; return ctx.payload.transform;",
"lang": "painless"
}
}

What is the correct syntax for iterating around my hits payload and retrieving data?

Steve_Stevens · January 15, 2018, 12:36pm

I have discovered my issue. The syntax does not allow for ";" to appear after closing the loop.
ie
" ctx.payload.transform.add(document) } ; "
becomes:
" ctx.payload.transform.add(document) } "

saranyav · February 7, 2018, 3:37am

Hello Steve,

I have a problem looping through transform script.I am trying to return a field as NA in watcher alert email if that field is not available in _source document. I have a pre-formatted email template for which the fields that are not available with _source, I have to show that as NA. I am getting below error.

Watcher: An internal server error occurred

Is transform script is the right choice to do this? Once I transform this how can I access the returned value in the email alert?

"transform": {
"script": {
"source": "for(int j=0;j<ctx.payload.hits.hits;j++){if(ctx.payload.hits.hits[j]._source.containsKey("CASE_NO")) {return ctx.payload.hits.hits[j]._source.CASE_NO} else {return "NA"}}",
"lang": "painless"
}
}

Thanks!
Saranya

Steve_Stevens · February 7, 2018, 9:14am

You'll want to change your double-quotes to single surrounding your scripts string values

spinscale · February 7, 2018, 9:14am

please dont crosspost your issue at other discussions, that are only very partially similar, as you already opened your own discuss issue. Thank you.

system · March 7, 2018, 9:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to use ctx.payload.hits.hits.0._source in transform script Elasticsearch elastic-stack-alerting	3	2575	July 6, 2017
Watcher, Convert timestap field in loop Elasticsearch elastic-stack-alerting , painless	3	723	November 10, 2022
Loop through "source": "['message': ctx.payload.hits.hits.0._source ]", Elasticsearch painless	1	1105	October 26, 2021
Script transform gives an internal server error in watcher Elasticsearch elastic-stack-alerting	2	1135	December 17, 2017
Watcher Iteration questions Elasticsearch	2	956	April 18, 2018

Loop through ctx.payload.hits.hits in transform

Related topics