Storing Message in an Array for Slack Notification

I've got most of my watcher setup and running, but right now I'm trying to get the message from all hits to return in the slack notification, but I get a Warning Internal Server Error when saving it and I'm not sure where I've gone wrong.

{
      "trigger": {
        "schedule": {
          "interval": "5m"
        }
      },
      "input": {
        "search": {
          "request": {
            "search_type": "query_then_fetch",
            "indices": [],
            "types": [],
            "body": {
              "query": {
                "bool": {
                  "must": {
                    "range": {
                      "Users": {
                        "gte": 2
                      }
                    }
                  },
                  "filter": {
                    "range": {
                      "TimeStamp": {
                        "from": "{{ctx.trigger.scheduled_time}}||-10m",
                        "to": "{{ctx.trigger.triggered_time}}"
                      }
                    }
                  }
                }
              }
            }
          }
        }
      },
      "condition": {
        "compare": {
          "ctx.payload.hits.total": {
            "gt": 0
          }
        }
      },
      "actions": {
        "notify-slack": {
          "throttle_period_in_millis": 9,
          "slack": {
            "message": {
              "from": "Non-Prod Alerts",
              "to": [
                "#alerts"
              ],
              "text": "Non-prod Monitoring",
              "attachments": [
                {
                  "color": "#006000",
                  "title": "Users Found",
                  "text": "{{ctx.payload.hits.total}} Servers have more than 2 users. They are {{ctx.payload.message}} "
                }
              ]
            }
          }
        }
      },
      "transform": {
        "script": {
          "inline": "return [ 'message' : ctx.payload.hits.hits.collect { it._source.Message } ]",
          "lang": "painless"
        }
      }
    }

I've also tried taking out it._source.Message and saving it still has the same internal server error.

Do you mind pasting the warning (including full possible stack trace) plus anything like that in the log files as well, so everyone can take a look?

Also the Elasticsearch version would be helpful.

Thanks!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.