Question about the index action in a watch

stack-alerting

#1

Hi,

I want to monitor when the number of filebeat agents changes. I would prefer that, instead of a log action or a mail action, it is indexed into the nagios index. I have a script that reads out the nagios index and then magic operation stuff happens.

Now I want to add some fields when the index action is executed:

fields:

"nagios_color" : "yellow"
"nagios_msg" : "The number of filebeat agents is {{ctx.payload.aggregations.type_count.value}}"

I think this is done by the transform block, but I haven't gotten it working yet. Does anyone have an idea, since the examples in the documentation are not very clear on how you do this?

Do I just add

"transform" : {
      "script": "return [ 'nagios_color': 'yellow' ]"
    }

my watch:

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          ".monitoring-beats-6-*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "aggs": {
            "type_count": {
              "cardinality": {
                "field": "beats_stats.beat.name"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.aggregations.type_count.value": {
        "not_eq": 28
      }
    }
  },
  "actions": {
    "log": {
      "logging": {
        "level": "warn",
        "text": "The number of filebeat agents is {{ctx.payload.aggregations.type_count.value}}"
      }
    },
    "index_payload": {
      "index": {
        "index": "<nagios-{now/M}>",
        "doc_type": "_doc",
        "execution_time_field": "trigger_event.triggered_time"
      }
    }
  }
}

(Alexander Reelsen) #2

A transform always replaces the full payload, which means you need to include the original ctx.payload in the map that the transform returns if you want to access it. With the above example, you are basically only indexing a document consisting of the nagios color field.
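
As an added example (not code from this thread), here is the watch from the question with its index action rewritten the way the reply above describes: the transform starts from a copy of ctx.payload, so the aggregation and the execution time field survive, and only then adds the nagios fields. The field names nagios_color and nagios_msg come from the question; the expected count of 28 is taken from the condition and passed as a script param, which is an assumption, and the transform is placed on the index action only so the log action still sees the untouched payload.

```json
{
  "trigger": {
    "schedule": { "interval": "1m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ ".monitoring-beats-6-*" ],
        "body": {
          "size": 0,
          "aggs": {
            "type_count": {
              "cardinality": { "field": "beats_stats.beat.name" }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.aggregations.type_count.value": { "not_eq": 28 }
    }
  },
  "actions": {
    "log": {
      "logging": {
        "level": "warn",
        "text": "The number of filebeat agents is {{ctx.payload.aggregations.type_count.value}}"
      }
    },
    "index_payload": {
      "transform": {
        "script": {
          "lang": "painless",
          "params": { "expected": 28 },
          "source": "/* Added example, not from the thread. Copy the original payload first so the aggregation is still in the indexed document, then add the nagios fields; 'expected' is an assumed param that mirrors the condition above. */ def out = new HashMap(ctx.payload); long count = ctx.payload.aggregations.type_count.value.longValue(); out['nagios_color'] = count < params.expected ? 'red' : 'yellow'; out['nagios_msg'] = 'The number of filebeat agents is ' + count + ' (expected ' + params.expected + ')'; return out;"
        }
      },
      "index": {
        "index": "<nagios-{now/M}>",
        "doc_type": "_doc",
        "execution_time_field": "trigger_event.triggered_time"
      }
    }
  }
}
```

Store it with the put watch API and run it once with the execute watch API (both live under _xpack/watcher in 6.x and _watcher in 7.x): the execution output for index_payload should show the transform payload containing aggregations, nagios_color and nagios_msg together. Then fetch the indexed document by id, as asked for below, and look at its _source rather than at a fields projection; if the nagios fields are in the transform payload but not in _source or the mapping, compare the index mapping with the index templates that match the nagios- pattern, since a template that disables dynamic mapping drops unmapped fields without an error in the watch.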


#3

Hi,

If only this was the case. For some reason I only get trigger_event.triggered_time, whatever I put in the transform section.
Here is the relevant output of the execute action of the watch.

"actions": [
  {
    "id": "index_payload",
    "type": "index",
    "status": "success",
    "transform": {
      "type": "script",
      "status": "success",
      "payload": {
        "nagios.color": "yellow",
        "nagios.msg": "msg",
        "trigger_event.triggered_time": "2019-03-26T14:42:24.766Z"
      }
    },
    "index": {
      "response": {
        "created": true,
        "result": "created",
        "id": "rQhzumkBZfOsZFAlyz-H",
        "version": 1,
        "type": "_doc",
        "index": "nagios-2019.03.01"
      }
    }
  }
]

result in nagios index

{
  "_index": "nagios-2019.03.01",
  "_type": "_doc",
  "_id": "rQhzumkBZfOsZFAlyz-H",
  "_version": 1,
  "_score": null,
  "fields": {
    "trigger_event.triggered_time": [
      "2019-03-26T14:42:24.766Z"
    ]
  },
  "sort": [
    1553611344766
  ]
}

#5

Hi,

I am aware that this would result in a document only consisting of nagios.color. The next step is to add more relevant fields.

But the problem is that nagios.color is not in the nagios index. Clearly I am doing something wrong, and this problem has been troubling me for days. Can you confirm that when this watch executes it should result in a document that (only) contains nagios.color in the nagios index?


(Alexander Reelsen) #6

Can you show the output of

GET nagios-2019.03.01/_doc/rQhzumkBZfOsZFAlyz-H

thanks


#7

Hi,

It seemed that a faulty template was causing the issue. After removing the template it works!