Query Result Value not in Script available with ctx.payload

Hi together,

i'm not sure whether i am correct in this forum or not :slight_smile:

I am really new to elastic & kibana stuff and cant find a solution to what i'm trying.

in the query section: i'am filtering the eventlog data for the event id and substatus.
The total count value filtered by the query is not accessible in the script below

   Post eventlog/_search
      "query": {
      "query": "event_id:4625 AND @timestamp:>now-24h AND (sub_status:/0..000005[e|E]/ OR  sub_status:/0..0000064/ OR sub_status:/0..000006[A|a]/ OR sub_status:/0..000006[D|d]/)"
      "script_fields": {
    "hourlyLogonAttemptSnapShot": {
      "script": {
        "lang": "painless",
        "source": """
          long lLogonAttempts = ctx.payload.hits.total;
          long lTotalAccounts = 40000; /* zweite indexabfrage einbauen*/
          long lOrangeThreshold = lTotalAccounts *5;
          long lYellowThreshold = lTotalAccounts *4;
          long lGreenThreshold = lTotalAccounts * 3;
          String sThreshold;
          if (lLogonAttempts <= lGreenThreshold) {
            sThreshold = "green";
          else if (lLogonAttempts > lGreenThreshold && lLogonAttempts <= lYellowThreshold) {
            sThreshold ="yellow";
          else if (lLogonAttempts > lYellowThreshold && lLogonAttempts <= lOrangeThreshold){
            sThreshold = "orange";
          else {
            sThreshold ="red";
          return sThreshold;

the error i am receiving is as follows:

"shard": 0,
"index": "eventlog-2018.08.05",
"node": "HMx4WRB_Sfqxt4A2R1O45g",
"reason": {
  "type": "script_exception",
  "reason": "runtime error",
  "script_stack": [
    "lLogonAttempts = ctx.payload.hits.total;\n          long ",
    "                    ^---- HERE"

the final target to achiev is to hourly execute the query by a watcher and gather the total count and the color according to the threholds and write them in a new index. but first i need to understand how to have the query result available in the script part. to put the ctx.payload.. in {} or " is not helping ;(

many thanks


ctx.payload is a construct that is only accessible during a watch execution. a script field has only access to the doc variable to access doc value fields. See https://www.elastic.co/guide/en/elasticsearch/reference/6.3/search-request-script-fields.html

Hey Alex,

thanks for the answer helped me alot :slight_smile:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.