Problem with mustache on watcher action

        "body": "{{#toJson}}payload{{/toJson}}"

this must be (in hook tornado2)

        "body": "{{#toJson}}ctx.payload{{/toJson}}"

the logging message you shared above still references {{payload.hits.totals}} instead of {{ctx.payload.hits.totals}}

Hi @spinscale

I change the watcher following your note but the result of the message is the same

    "msg": "Watcher Notification Encountered {{ctx.payload.hits.totals}} failed logon from user {{ctx.payload.hits.hits.0._source.winlog.event_data.TargetUserName}}.",

The watcher is here

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "winlogbeat-*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "from": "now-5m",
                      "to": "now"
                    }
                  }
                },
                {
                  "match": {
                    "winlog.event_id": "4625"
                  }
                }
              ]
            }
          },
          "aggs": {
            "users": {
              "terms": {
                "field": "winlog.event_data.TargetUserName.keyword",
                "size": 10
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 10
      }
    }
  },
  "actions": {
    "my-logging-action": {
      "logging": {
        "level": "info",
        "text": "Watcher Notification Encountered {{ctx.payload.hits.total}} failed logon from user {{#ctx.payload.hits.hits.0}}{{_source.winlog.event_data.TargetUserName}}{{/ctx.payload.hits.hits.0}}."
      }
    },
    "hook-tornado": {
      "webhook": {
        "scheme": "http",
        "host": "localhost",
        "port": 8080,
        "method": "post",
        "path": "/event/webhook-elastic",
        "params": {
          "token": "123"
        },
        "headers": {},
        "body": "{{#toJson}}ctx.payload{{/toJson}}"
      }
    },
    "hook-tornado2": {
      "transform" : { 
      	"script" : "def payload = ctx.payload; payload.msg = 'Watcher Notification Encountered {{ctx.payload.hits.totals}} failed logon from user {{ctx.payload.hits.hits.0._source.winlog.event_data.TargetUserName}}.'; return payload;"
      },           
      "webhook": {
        "scheme": "http",
        "host": "localhost",
        "port": 8080,
        "method": "post",
        "path": "/event/failed-passwords",
        "params": {
          "token": "abc"
        },
        "headers": {},
        "body": "{{#toJson}}ctx.payload{{/toJson}}"
      }
    }
  }
}

And the output is here

https://jsonblob.com/16e29212-9102-11e9-959d-1337d0458def

Thank you
Franco

sorry, I misread your scripting. The issue here is that you cannot use mustache within painless.

You need to do something like this in a painless script to concatenate strings (or you are using mustache again to create strings and only painless to provide the proper data structures).

"script": "def payload = ctx.payload; payload.msg = 'Watcher Notification Encountered ' + ctx.payload.hits.total + ' failed logon from user ' + ctx.payload.hits.hits[0]._source.winlog.event_data.TargetUserName+ '.'; return payload;"

Do you give me an example that could do a concatenate of string in this watcher?

Thank you
Franco

if you keep using {{toJson}} in the body I think the above approach is the most suitable one.