Problem creating Watch - unable to parse [search] input

kodkod · August 11, 2016, 11:07am

Ahoy hoy everyone,
I am unable to create a Watch both using Sense and the REST API as well as using elasticsearch-watcher-py - somehow I can't seem to get the search request right.
I've also posted a question on stackoverflow regarding the issue.
I'm using the following code in elasticsearch-watcher-py.

est.watcher.put_watch(
    id='a1b_error',
    body={
        # run the watch every night at midnight
        'trigger': { 'schedule': { 'daily': { 'at': 'midnight' }}},
        'condition': { 'script': { 'inline': 'ctx.payload.hits.total > 0' } },
        'input': {
            'search': {
                'requests': {
                    'indices': ['logstash-*'],
                    'body': {
                        'query': {
                            'bool': {
                                'must': [
                                    { 'match': { 'Projekt': 'ourproject' }},
                                    { 'match': { 'Modus': 'production' }},
                                    { 'match': { 'facility': 'somebackend.log' }},
                                    { 'wildcard': { 'message': 'SOMEERROR*' }},
                                    { 'range': { '@timestamp' : { 'gte': 'now-30d', 'lt': 'now' }}}
                                ]
                            }
                        }
                    }
                }
            }
        },
        'actions': {
            'log' : {
                'logging' : {
                    'test': 'Watch triggered!'
                }
            }
        }
    }
)

If I use the same search-query in a search using elasticsearch-py it returns results just fine, but when trying to create a watch, I get a status 400 and a parse_exception telling me "could not parse [search] input for watch [testwatch]. unexpected token [START_OBJECT]"

Can somebody point out what I'm doing wrong here?
Thanks in advance, Simon

skearns · August 11, 2016, 12:09pm

Hi Simon,

It looks like there may just be a typo - The input search type is looking for request rather than requests.

You can see an example here:

https://www.elastic.co/guide/en/watcher/current/watching-marvel-data.html

Let me know if that does the trick!

Thanks,
Steve

kodkod · August 11, 2016, 12:36pm

Hallelujah. You won't believe how often I've compared the example with my code, apparently always missing that stupid typo. Well, I don't know whether to feel stupid for missing it or glad you found it. In any case: Thank you!

Topic		Replies	Views
Watcher Parse Exception Unknown Input Type Condition Elasticsearch elastic-stack-alerting	2	1406	October 25, 2018
Error creating a watch unexpected token [START_OBJECT]" Elasticsearch elastic-stack-alerting	4	3753	July 6, 2017
Unknown input type [condition] Elasticsearch elastic-stack-alerting	4	1776	July 6, 2017
Watcher does not support search type scan anymore? Elasticsearch elastic-stack-alerting	5	1129	July 6, 2017
Search command Elasticsearch elastic-stack-alerting	2	452	March 27, 2018

Problem creating Watch - unable to parse [search] input

Related topics