Pulling relevant info out of logs in watcher alerts


Is there a way to pull information out of logs similar to {{ctx.payload.hits.total}}?

Say I am building a report on account lockouts with the goal to send an email if an account gets locked out.

```
"message": "A user account was locked out.

Subject:     Security ID:     S-1-5-18
     Account Name:     AD1$
     Account Domain:    Some domain name
     Logon ID:     0x3E7

Account That Was Locked Out:
     Security ID:     S-1-5-21-2411883017-1342772572-112776168-1167
     Account Name:    ***THIS USER IS THE FIELD I WANT***

Additional Information:
     Caller Computer Name:    "No-Malware-Here",

"log_name": "Security",
"event_id": 4740,
"@version": "1",
"source_name": "Microsoft-Windows-Security-Auditing",
"record_number": "3973995",
"thread_id": 4732,
"computer_name": "No-Malware-Here"
```

I want to be able to automate putting a locked user's username in the body of an email action.
Is it possible to be able to use a condition or variable (like {{ctx.payload.hits.total}}) to grab a field such as "event_id" or Account Name:? I can't seem to find docs on it, but I'm not quite sure what to look for :stuck_out_tongue:


{{ctx.payload.hits.hits.0._source}} is the map that should contain the source of the first returned document.

Cool! That worked for me and returns the whole document.

Is there a way I can pull out specific parts of that document to make it more readable in an email?

Therefore {{ctx.payload.hits.hits.0._source.specific.part}} should give you access to foo in
{"specific": {"part": "foo"}}

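As an added illustration (not code from this thread), here is a complete watch that ties the answers above together: it searches for event_id 4740 documents, fires only when `ctx.payload.hits.total` is above zero, and uses `ctx.payload.hits.hits.0._source.<field>` plus a Mustache section over all hits to put the lockout details in the email body. The index pattern, interval, recipient address and the `notify_soc` action name are assumptions; an email account must already be configured for Watcher.

```json
{
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["winlogbeat-*"],
        "body": {
          "size": 10,
          "query": {
            "bool": {
              "filter": [
                { "term": { "event_id": 4740 } },
                { "range": { "@timestamp": { "gte": "now-5m" } } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "actions": {
    "notify_soc": {
      "email": {
        "to": ["soc@example.com"],
        "subject": "{{ctx.payload.hits.total}} account lockout(s), first on {{ctx.payload.hits.hits.0._source.computer_name}}",
        "body": {
          "text": "Source: {{ctx.payload.hits.hits.0._source.source_name}} (event {{ctx.payload.hits.hits.0._source.event_id}})\n\n{{#ctx.payload.hits.hits}}Record {{_source.record_number}} on {{_source.computer_name}}:\n{{_source.message}}\n\n{{/ctx.payload.hits.hits}}"
        }
      }
    }
  }
}
```

Mustache can only substitute whole fields, so the locked-out account name appears here as part of the full `message` text; to get it as its own field, parse it into a structured field at ingest time or in a watch transform script.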

OH! I missed that. Thanks for the help! :grin:

So to pull out what I wanted, I used:


Thanks again @Igor_Motov!
