ParsingException[Unknown key for a START_OBJECT in [filter].]

varun_kumar2 · October 16, 2017, 10:57am

PUT _xpack/watcher/watch/Integrations.RepComp.Monitor.Errors/
{
"trigger": {
"schedule": {
"interval": "15m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"logstash-"
],
"types": [
"logevent"
],
"body": {
"query": {
"bool": {
"must": [
{
"match": {
"fields.ApplicationSuite": "Integrations"
}
},
{
"match": {
"fields.ApplicationName": "RepComp"
}
},
{
"match": {
"fields.ApplicationType": "Monitor"
}
},
{
"match": {
"level": "Error"
}
}
]
}
},
"size": 100,
"sort": [
{
"@timestamp": "desc"
}
],
"filter": {
"range": {
"@timestamp": {
"from": "now-16m",
"to": "now"
}
}
}
}
}
}
},
"condition": {
"script": "ctx.vars.from = new Date(System.currentTimeMillis()-1660*1000);return ctx.payload.hits.total>0;"
},
"actions": {
"send_email": {
"email": {
"profile": "standard",
"attach_data": {
"format": "json"
},
"from": "noreply-watcher@abc.edu",
"to": [
"vkumar@abc.edu",
"ppabolu@abc.edu"
],
"subject": "RepComp Monitor Errors",
"body": {
"html": {
"inline": "Monitor-RepComp-Monitor-Errorsbody{background-color:#FFF;font-family:tahoma,arial,helvetica,sans-serif}h1{background-position:transparent;color:#3760a7;background:0 0;margin:0;padding:0;font-family:Tahoma;font-size:large;font-weight:700}h2{color:#03C;background:0 0;margin:10px 0 5px 0;padding:0;font-weight:700;font-size:12px}h3{color:#5e2208;background:0 0;margin:30px 0 0 0;padding:0}p{margin:2px 0 20px 0;padding:0;line-height:1.65em}td{font-weight:400;font-size:11px;padding:5px 5px 5px 5px}th{background-color:#ebf3fd;font-weight:700;font-size:11px;text-align:left;padding:5px 5px 5px 5px}table,td,th{border:1px solid #000;border-collapse:collapse}

Monitor-RepComp-Monitor-Errors

Time	Exception
{{_source.@timestamp}}	{{_source.fields.PsException}}

View the dashboard <a href="http://elc.dashboard.abc.com/app/kibana#/dashboard/Integrations-RepComp?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:'{{ctx.vars.from}}',mode:absolute,to:'{{ctx.trigger.triggered_time}}'))">here

"
}
}
}
}
},
"_status": {
"state": {
"active": true,
"timestamp": "2017-09-10T09:11:11.201Z"
},
"actions": {
"send_email": {
"ack": {
"timestamp": "2017-06-14T15:23:08.960Z",
"state": "awaits_successful_execution"
}
}
},
"last_checked": "2017-09-10T01:21:09.832Z"
}
}

Output

"result": {
  "execution_time": "2017-10-16T10:55:07.826Z",
  "execution_duration": 0,
  "input": {
    "type": "search",
    "status": "failure",
    "reason": "ParsingException[Unknown key for a START_OBJECT in [filter].]",
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "logstash-*"
        ],
        "types": [
          "logevent"
        ],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "fields.ApplicationSuite": "Integrations"
                  }
                },
                {
                  "match": {
                    "fields.ApplicationName": "RepComp"
                  }
                },
                {
                  "match": {
                    "fields.ApplicationType": "Monitor"
                  }
                },
                {
                  "match": {
                    "level": "Error"
                  }
                }
              ]
            }
          },
          "size": 100,
          "sort": [
            {
              "@timestamp": "desc"
            }
          ],
          "filter": {
            "range": {
              "@timestamp": {
                "from": "now-16m",
                "to": "now"
              }
            }
          }
        }
      }
    }
  },
  "actions": []
},
"messages": [
  "failed to execute watch input"
]

}
}

spinscale · October 18, 2017, 10:34am

please dont create more than one thread per watch issue you got.

The filter part on the top level section of the query needs to be moved into the filter part of a boolquery, see https://www.elastic.co/guide/en/elasticsearch/reference/5.6/query-dsl-bool-query.html

--Alex

varun_kumar2 · October 18, 2017, 2:09pm

Thanks for the help

Is there an easy way to debug the watcher and see where the error is

spinscale · October 18, 2017, 2:15pm

that's tricky, as there is no indication what part of the query failed exactly: copy and paste the search query from the watch into a regular search operation, and then remove parts of the query one by one and see where it stops failing to pinpoint it down

--Alex

system · November 15, 2017, 2:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ParsingException[[match] unknown token [START_OBJECT] after [query]] Elasticsearch	4	11901	November 15, 2017
Search command Elasticsearch elastic-stack-alerting	2	452	March 27, 2018
Unknown key for a START_OBJECT in [filter] Elasticsearch	5	24037	November 27, 2017
Watcher error unexpected token [START_OBJECT]" Elasticsearch	1	1960	July 5, 2017
Error creating a watch unexpected token [START_OBJECT]" Elasticsearch elastic-stack-alerting	4	3753	July 6, 2017

ParsingException[Unknown key for a START_OBJECT in [filter].]

Monitor-RepComp-Monitor-Errors

Related topics