I'm trying to get the raw JSON content of context.alerts pushed to my webhook for further analysis.
Something like {{#toJson}}[{{context.alerts}}]{{/toJson}}
Received content is either empty or escaped \".
Please help.
Never mind. I'm just going to use a watcher.
PUT _watcher/watch/siem_notifications
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [".siem-signals-default-*"],
        "body": {
          "query": {
            "range": {
              "@timestamp": {
                "gte": "now-6m"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "my_bot": {
      "webhook": {
        "url": "https://my-webhook",
        "body": "{{#toJson}}ctx.payload{{/toJson}}"
      }
    }
  }
}
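An added example, not code from the thread or from Elastic: a minimal receiver for the watcher action above. The watcher posts the whole ctx.payload as JSON, so the signal documents sit under hits.hits[]._source; the parser also accepts both shapes of hits.total (a bare number, or an object with a "value" key), and rejects malformed bodies instead of treating them as "no alerts". The listening port and the field names in the constructed sample payload are assumptions.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer


def parse_watcher_payload(body):
    """Return the list of signal documents from a watcher ctx.payload body.

    Raises ValueError for malformed or unexpected input so a bad request is
    rejected rather than silently treated as 'no alerts'.
    """
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not JSON: {exc}") from exc
    hits = payload.get("hits") if isinstance(payload, dict) else None
    if not isinstance(hits, dict) or not isinstance(hits.get("hits"), list):
        raise ValueError("missing hits.hits in payload")
    # hits.total may be a bare number or {"value": n, "relation": ...}
    total = hits.get("total", 0)
    if isinstance(total, dict):
        total = total.get("value", 0)
    signals = [h["_source"] for h in hits["hits"] if isinstance(h.get("_source"), dict)]
    if total and not signals:
        raise ValueError("hits.total is non-zero but no _source documents present")
    return signals


class WatcherHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            signals = parse_watcher_payload(self.rfile.read(length).decode("utf-8"))
        except ValueError as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode())
            return
        for s in signals:  # hand each signal to whatever analysis you run next
            rule = s.get("signal", {}).get("rule", {}).get("name", "?")
            print(f"signal rule={rule} host={s.get('host', {}).get('name')}")
        self.send_response(204)
        self.end_headers()


# Constructed sample of what the watcher posts; field layout is assumed.
SAMPLE_BODY = json.dumps({"hits": {"total": {"value": 1, "relation": "eq"}, "hits": [
    {"_index": ".siem-signals-default-000001", "_source": {
        "@timestamp": "2020-05-01T10:00:00Z", "host": {"name": "web-01"},
        "signal": {"rule": {"name": "Suspicious PowerShell", "severity": "high"}}}}]}})

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), WatcherHandler).serve_forever()  # port assumed
```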