Hi,
I am working on a watcher that's looking for a specific event type and extracting certain fields from the source document. The source document does not have all fields that I am trying to query. When I try to execute a watcher, it throws a null pointer exception and doesn't populate the target index.
I have tried to check if the field is empty or the size is 0 and all of them are failing. Here is the sample watcher.
POST _watcher/watch/_execute
{
"watch": {
"trigger": {
"schedule": {
"hourly": {
"minute": "59"
}
}
},
"input": {
"search": {
"request": {
"indices": "new-sizing*",
"body": {
"size": 10000,
"_source": [
"@timestamp",
"event_type",
"event.module",
"event.vendor",
"source.address",
"source.ip",
"source.host.name",
"source.as.as_org",
"source.as.asn",
"source.geo.city_name",
"source.geo.continent_name",
"source.geo.country_name",
"source.geo.country_code2",
"source.geo.region_name",
"source.geo.latitude",
"source.geo.longitude",
"destination.address",
"destination.ip",
"destination.host.name",
"destination.as.as_org",
"destination.as.asn",
"destination.geo.city_name",
"destination.geo.continent_name",
"destination.geo.country_name",
"destination.geo.country_code2",
"destination.geo.region_name",
"destination.geo.latitude",
"destination.geo.longitude",
"destination.geo.timezone",
"domain_description",
"ipdstport_description"
],
"query": {
"bool": {
"filter": [
{
"exists": {
"field": "ipdstport_description"
}
},
{
"range": {
"@timestamp": {
"gte": "now-30d"
}
}
}
]
}
}
}
}
}
},
"condition": {
"script": {
"source": """
if (ctx.payload.hits.total > 0) {
return true;
}
"""
}
},
"transform": {
"script": {
"source": """
def docs=[];
for(int j=0;j<ctx.payload.hits.total;j++) {
def destaddress;
if (ctx.payload.hits.hits[j]._source['destination.address'].size() > 0) {
destaddress = ctx.payload.hits.hits[j]._source.destination.address;
}
def document = [
'alerttime': ctx.payload.hits.hits[j]._source["@timestamp"],
'alerttype': ctx.payload.hits.hits[j]._source.event_type,
'name': ctx.payload.hits.hits[j]._source.event_type + ' detected',
'event.module': ctx.payload.hits.hits[j]._source.event.module,
'event.vendor': ctx.payload.hits.hits[j]._source.event.vendor,
'source.address': ctx.payload.hits.hits[j]._source.source.address,
'source.ip': ctx.payload.hits.hits[j]._source.source.ip,
'source.host.name': ctx.payload.hits.hits[j]._source.source.host.name,
'destination.address': destaddress
];
docs.add(document);
}
if (docs.length > 0) {
return ['_doc': docs];
}
"""
}
},
"actions": {
"EventActivity": {
"logging": {
"text": "{{ctx.payload}}"
}
},
"index_payload": {
"transform": {
"script": "return ctx.payload"
},
"index": {
"index": "eventalerts"
}
}
}
}
}
Any ideas on how to assign default or null values for missing fields from the watcher ?
Thanks
Murali