I've got most of my watcher set up and running. I'm now trying to include the message from every hit in the Slack notification, but I get a "Warning Internal Server Error" when saving the watcher, and I'm not sure where I've gone wrong.
{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [],
"types": [],
"body": {
"query": {
"bool": {
"must": {
"range": {
"Users": {
"gte": 2
}
}
},
"filter": {
"range": {
"TimeStamp": {
"from": "{{ctx.trigger.scheduled_time}}||-10m",
"to": "{{ctx.trigger.triggered_time}}"
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"notify-slack": {
"throttle_period_in_millis": 9,
"slack": {
"message": {
"from": "Non-Prod Alerts",
"to": [
"#alerts"
],
"text": "Non-prod Monitoring",
"attachments": [
{
"color": "#006000",
"title": "Users Found",
"text": "{{ctx.payload.hits.total}} Servers have more than 2 users. They are {{ctx.payload.message}} "
}
]
}
}
}
},
"transform": {
"script": {
"inline": "return [ 'message' : ctx.payload.hits.hits.collect { it._source.Message } ]",
"lang": "painless"
}
}
}
I've also tried taking `it._source.Message` out of the transform script, but saving still fails with the same internal server error.