Pagerduty action not working using watcher

Sumit_Kumar1 · October 9, 2019, 10:12am

Sumit_Kumar1 · October 9, 2019, 10:13am

My watch -

{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"xg_elastalert_status_write_error"
],
"types": ,
"body": {
"query": {
"bool": {
"must": [
{
"bool": {
"should": [
{
"match": {
"_type": "elastalert_error"
}
}
]
}
},
{
"range": {
"@timestamp": {
"gte": "now-100h"
}
}
}
]
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"send_email": {
"email": {
"profile": "standard",
"to": [
"sumitkumar.singh@in.imshealth.com"
],
"subject": "Elastalert Failure {{ctx.payload.hits.hits.0._source.@timestamp}}",
"body": {
"text": "Failure Message : {{ctx.payload.hits.hits.0._source.message}}\n Message: {{ctx.payload.hits.hits.0._source.message}}\n"
}
}
},
"notify-pagerduty" : {
"throttle_period" : "5m",
"pagerduty" : {
"incident_key": "a6bfd96dbf0b4e8393697c11b0954a",
"description" : "Main system down, please check!"
}
}
}
}

spinscale · October 9, 2019, 1:11pm

please take your time and properly format your message. This forum supports markdown, so JSON should be put into code snippets, as this will make everything much more readable.

Can you share the output of the execute watch API or of the watch history from a run of that watch? So we can see, what happened with the pagerduty action.

Sumit_Kumar1 · October 10, 2019, 9:44am

   {
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"xg_elastalert_status_write_error"
],
"types": ,
"body": {
"query": {
"bool": {
"must": [
{
"bool": {
"should": [
{
"match": {
"_type": "elastalert_error"
}
}
]
}
},
{
"range": {
"@timestamp": {
"gte": "now-100h"
}
}
}
]
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"send_email": {
"email": {
"profile": "standard",
"to": [
"sumitkumar.singh@in.imshealth.com"
],
"subject": "Elastalert Failure {{ctx.payload.hits.hits.0._source.@timestamp}}",
"body": {
"text": "Failure Message : {{ctx.payload.hits.hits.0._source.message}}\n Message: {{ctx.payload.hits.hits.0._source.message}}\n"
}
}
},
"notify-pagerduty" : {
"throttle_period" : "5m",
"pagerduty" : {
"incident_key": "a6bfd96dbf0b4e8393697c11b0954a",
"description" : "Main system down, please check!"
}
}
}
}

Sumit_Kumar1 · October 10, 2019, 10:25am

Hi Alexander Reelsen

I wanted to know about the configurations for pagerduty action using xpack watcher . I checked and found that it requires account that stores service_api_key in elasticsearch.yml . So, can't we directly use service_api_key in watcher config ? If you have any sample for pager duty action xpack watcher please do share .

spinscale · October 11, 2019, 12:39pm

the service_api_key setting should be stored in a keystore. See https://www.elastic.co/guide/en/elasticsearch/reference/7.4/actions-pagerduty.html

system · November 8, 2019, 12:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.