Transmitting Kibana data through watchers

Hi All,

We are trying to run the API call for "GET /_cat/indices" through a watcher, but we are not able to receive the data.

Could anyone please help us with the correct script for running the above GET command through the watcher?

Thanks and Regards,
Nalin Anand

Example: compare_shard_primary_and_replica · GitHub

Hi Rich,

The script that is mentioned in the GitHub link is regarding violators count in shards.
Is there anyway in which we could get the output of "GET /_cat/indices" in our mails directly through the watcher?

Regards,
Nalin

Of course, this was just a representative example of using watcher to hit an HTTP endpoint and format the results. If you want to change the endpoint, then just do that. If you don't want to format the results, you can remove the transform sections. The bare-bones example of this would look something like:

POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "1d"
      }
    },
    "input": {
      "http": {
        "request": {
          "host": "mycluster-name.es.us-central1.gcp.cloud.es.io",
          "port": 9243,
          "scheme": "https",
          "path": "/_cat/indices",
          "params": {
            "format": "json",
            "bytes": "b",
            "human": "true"
          },
          "headers": {},
          "auth": {
            "basic": {
              "username": "elastic",
              "password": "xxx"
            }
          }
        }
      }
    },
    "condition": {
      "script": "return true;"
    },
    "actions": {
      "displayResults": {
        "logging": {
          "text": "the output is: {{ctx.payload}}"
        }
      }
    }
  }
}

And the unformatted output would look something like:

"the output is: {_headers={content-type=[application/json], x-found-handling-cluster=[71bbfab0891a4b02acf6c5a5ff286fd9], x-cloud-request-id=[tPrexYvzRdigrVx5hg3gOw], x-elastic-product=[Elasticsearch], date=[Wed, 21 Sep 2022 13:59:42 GMT], x-found-handling-instance=[instance-0000000000]}, data=[{health=green, status=open, index=kibana_sample_data_logs, uuid=iJw6Xf-JQ5mu_vXPge3y2A, pri=1, rep=0, docs.count=14074, docs.deleted=0, store.size=8778892, pri.store.size=8778892}, {health=yellow, status=open, index=kibana_sample_data_logs_rollup, uuid=b3LG3Gy7Sdm07MyGn1uEbA, pri=1, rep=1, docs.count=1912, docs.deleted=0, store.size=659460, pri.store.size=659460}], _status_code=200}"

Hi Rich,

Thanks for the reply.
We were trying a similar code for the past few days, but getting some other error.
Now after using your code, we are getting another error:
could not parse [http] input for watch [ag4c694d-e6e5-4687-a2c7-a4002673329c]. failed to parse http request template

When we tried using scheme: "http", we are getting the below output:

_value=Client sent an HTTP request to an HTTPS server.\n, _status_code=400

Could you please suggest whether the host should be the Elasticsearch endpoint or the Kibana endpoint?
And should the username be a Kibana user or an Elasticsearch user?

The watcher that we are using currently is below:

{
  "trigger": {
    "schedule": {
      "interval": "1d"
    }
  },
  "input": {
    "http": {
      "request": {
        "scheme": "https",
        "host": "??????",
        "port": 9244,
        "method": "get",
        "path": "/_cat/indices",
        "params": {
          "format": "json",
          "human": "true",
          "bytes": "b"
        },
        "headers": {},
        "auth": {
          "basic": {
            "username": "Elastic",
            "password": "::es_redacted::"
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return true;",
      "lang": "painless"
    }
  },
  "actions": {
    "displayResults": {
      "logging": {
        "level": "info",
        "text": "the output is: {{ctx.payload}}"
      }
    }
  }
}

  1. You need to specify the elasticsearch endpoint
  2. The user to use should be an elasticsearch user with cluster management privileges (there really is no such thing as a pure "Kibana" user - all users are really elasticsearch users)

Thank you so much for the response, Rich.

Currently, we are getting an authentication issue with the Elasticsearch endpoint and are trying to sort out the user privilege issue.

Hi Rich,

We are able to get the output as an attachment in the below format:

ctx:
  metadata:
    name: "Watcher_Test"
    xpack:
      type: "json"
    watch_id: "bf2c4567d-e6e5-4687-b2d7-##########"
  payload:
    index:
    - health: "green"
      status: "open"
      index: ""
      uuid: "********"
      pri: "1"
      rep: "1"
      docs.count: "487"
      docs.deleted: "0"
      store.size: "0"
      pri.store.size: "0"

Is there any way that we could print only the index, store.size and pri.store.size in the body of the mail itself?

Watcher:
{
  "trigger": {
    "schedule": {
      "interval": "2m"
    }
  },
  "input": {
    "http": {
      "request": {
        "scheme": "https",
        "host": "<>",
        "port": 9243,
        "method": "get",
        "path": "/_cat/indices",
        "params": {
          "format": "yaml",
          "human": "true",
          "bytes": "mb"
        },
        "headers": {},
        "auth": {
          "basic": {
            "username": "elastic",
            "password": "**"
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return true;",
      "lang": "painless"
    }
  },
  "actions": {
    "displayResults": {
      "logging": {
        "level": "info",
        "text": "the output is: {{ctx.payload.data}}"
      }
    },
    "email_administrator": {
      "email": {
        "profile": "standard",
        "attachments": {
          "index.yml": {
            "data": {
              "format": "yaml"
            }
          }
        },
        "to": [
          "Nalin.27*@gmail.com"
        ],
        "subject": "Watcher Notification",
        "body": {
          "text": "{{ctx.payload.data}}"
        }
      }
    }
  }
}

Hi @richcollier,

Could you please help on the above query?

Regards,
Nalin

Just change the actions section to include a transform to select only the things you want to print. Something like:

      "displayResults": {
        "transform": {
          "script": """
          def index_data = new ArrayList();
          for (def index : ctx.payload.data) {
            index_data.add("index=" + index['index'] + " :: pri.store.size=" + index['pri.store.size'] + " :: store.size=" + index['store.size']);
          }
          return index_data;
          """
        },
        "logging": {
          "text": "{{ctx.payload}}"
        }
      }
    }

Which would yield something similar to:

"{_value=[index=kibana_sample_data_logs :: pri.store.size=9054433 :: store.size=18046404, index=mydata-2022.01.01 :: pri.store.size=4253 :: store.size=8506]}"
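Putting the pieces of this thread together, here is a complete watch (an added example, not code from the original posts) that runs the transform inside the email action and renders the selected fields in the mail body itself via a Mustache loop over ctx.payload._value, rather than only logging them. The host, the dedicated watcher_report user (assumed to hold the monitor cluster privilege instead of reusing the elastic superuser), the password placeholder and the recipient address are all assumptions.

```json
PUT _watcher/watch/cat_indices_report
{
  "trigger": { "schedule": { "interval": "1d" } },
  "input": {
    "http": {
      "request": {
        "scheme": "https",
        "host": "ELASTICSEARCH_HOST_PLACEHOLDER",
        "port": 9243,
        "method": "get",
        "path": "/_cat/indices",
        "params": { "format": "json", "bytes": "b" },
        "auth": {
          "basic": { "username": "watcher_report", "password": "PASSWORD_PLACEHOLDER" }
        }
      }
    }
  },
  "condition": { "always": {} },
  "actions": {
    "email_administrator": {
      "transform": {
        "script": {
          "lang": "painless",
          "source": """
            def rows = new ArrayList();
            for (def idx : ctx.payload.data) {
              rows.add(['index': idx['index'], 'primary': idx['pri.store.size'], 'total': idx['store.size']]);
            }
            return rows;
          """
        }
      },
      "email": {
        "profile": "standard",
        "to": [ "admin@example.com" ],
        "subject": "Index size report",
        "body": {
          "text": "index / pri.store.size / store.size\n{{#ctx.payload._value}}{{index}} / {{primary}} / {{total}}\n{{/ctx.payload._value}}"
        }
      }
    }
  }
}
```

The transform renames the dotted _cat columns (pri.store.size, store.size) to plain keys because Mustache would otherwise interpret the dots as nested paths; the email action also needs an email account configured on the Elasticsearch nodes before it can send.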

Thank you so much for the response, Rich.
We were able to produce the data in a tabular form.

Regards,
Nalin
