Pull fields in the kibana watcher

Hi all, I have created a watcher. I am new to this concept, so I am finding it difficult to get working. The watcher was created successfully, but I am trying to pull in the fields that I have in my log. With the help of a Google search I am able to get the message field, but even that is only partial. I also need other fields to be sent as part of the email and MS Teams notifications. Can someone please help me out?
Here is the watcher I created.

    {
      "trigger": {
        "schedule": {
          "interval": "5m"
        }
      },
      "input": {
        "search": {
          "request": {
            "search_type": "query_then_fetch",
            "indices": [
              "analyticsetl*"
            ],
            "rest_total_hits_as_int": true,
            "body": {
              "size": 10,
              "query": {
                "bool": {
                  "must": [
                    {
                      "match": {
                        "message": "exception"
                      }
                    }
                  ],
                  "filter": {
                    "range": {
                      "@timestamp": {
                        "from": "{{ctx.trigger.scheduled_time}}||-5m",
                        "to": "{{ctx.trigger.triggered_time}}"
                      }
                    }
                  }
                }
              }
            }
          }
        }
      },
      "condition": {
        "compare": {
          "ctx.payload.hits.total": {
            "gte": 1
          }
        }
      },
      "actions": {
        "send_email": {
          "throttle_period_in_millis": 300000,
          "email": {
            "profile": "standard",
            "attachments": {
              "attached_data": {
                "data": {
                  "format": "json"
                }
              }
            },
            "priority": "high",
            "to": [
              "abc@abc.com"
            ],
            "subject": "DEV Hyperion Alert: {{ctx.metadata.name}}",
            "body": {
              "html": "Message: {{ctx.payload.hits.hits.0._source.message}}"
            }
          }
        },
        "analytics_teams_channel": {
          "throttle_period_in_millis": 300000,
          "transform": {
            "script": {
              "source": "return ['title' : 'DEV Hyperion Alert: ' + ctx.metadata.name, 'themeColor' : 'F00', 'text' : 'Partner: ' + ctx.payload.hits.hits.0._source.partner + ' Dataset: ' + ctx.payload.hits.hits.0._source.dataset + '. ' + ctx.payload.hits.total + ' errors logged in last 5 minutes', 'potentialAction': [['@type': 'OpenUri', 'name': 'Dashboard', 'targets': [['os': 'default', 'uri': 'https://dev-hyperion.com']]]]]",
              "lang": "painless"
            }
          },
          "webhook": {
            "scheme": "https",
            "host": "outlook.office.com",
            "port": 443,
            "method": "post",
            "path": "webhookb2/895b60ce-fc68-4298-9a6112@8b0f8862-f841-496f-8a84-eff218b6ee27/IncomingWebhook/1e1c408afd18f6db8/-ce87-4e1d-bf19-19e7af3b3fd6",
            "params": {},
            "headers": {
              "Content-Type": "application/json"
            },
            "body": "{{#toJson}}ctx.payload{{/toJson}}"
          }
        }
      }
    }

What other fields would you like to send?
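You can use the same format as the one already in the html body:
{{ctx.payload.hits.hits.0._source.message}}
For another field, replace `message` with that field's name, for example {{ctx.payload.hits.hits.0._source.partner}}; the `0` selects only the first hit returned by the search.
One note on the posted watcher: a Teams incoming-webhook path works like a credential (anyone who has it can post to the channel), so mask it before sharing a watcher publicly.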
