Unable to access payload _source fields using Watcher foreach with rollup data

iorfix · February 26, 2020, 1:53pm

Hi,
I'm using Elastic 7.6.0.
I created a very simple trigger that queries on aggregated rolled up metricbeat data, and logs any documents retrieved using the foreach action.
However, I'm able to get the whole ctx.payload._source, as well as ctx.payload._id, but I cannot retrieve fields inside _source object, like ctx.payload._source.service.name.terms._count.
What am I missing?
Thank you

Watcher definition

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "mb_rollup"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp.date_histogram.timestamp": {
                      "gte": "now-2m"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "debug_action": {
      "foreach": "ctx.payload.hits.hits",
      "max_iterations": 500,
      "logging": {
        "level": "info",
        "text": "Found ##{{ctx.payload._id}}##, ##{{ctx.payload._source}}## at ##{{ctx.payload._source.service.name.terms._count}}##."
      }
    }
  }
}

Simulate watch output:

{
  "watch_id": "_inlined_",
  "node": "nvyiuZZYRT6kPDAVYBrRKg",
  "state": "executed",
  "user": "elastic",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2020-02-26T13:43:06.747Z"
    },
    "last_checked": "2020-02-26T13:43:06.748Z",
    "last_met_condition": "2020-02-26T13:43:06.748Z",
    "actions": {
      "debug_action": {
        "ack": {
          "timestamp": "2020-02-26T13:43:06.748Z",
          "state": "ackable"
        },
        "last_execution": {
          "timestamp": "2020-02-26T13:43:06.748Z",
          "successful": true
        },
        "last_successful_execution": {
          "timestamp": "2020-02-26T13:43:06.748Z",
          "successful": true
        }
      }
    },
    "execution_state": "executed",
    "version": -1
  },
  "trigger_event": {
    "type": "manual",
    "triggered_time": "2020-02-26T13:43:06.748Z",
    "manual": {
      "schedule": {
        "scheduled_time": "2020-02-26T13:43:06.748Z"
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "mb_rollup"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp.date_histogram.timestamp": {
                      "gte": "now-2m"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "metadata": {
    "name": "FirstWatch",
    "xpack": {
      "type": "json"
    }
  },
  "result": {
    "execution_time": "2020-02-26T13:43:06.748Z",
    "execution_duration": 504,
    "input": {
      "type": "search",
      "status": "success",
      "payload": {
        "_shards": {
          "total": 1,
          "failed": 0,
          "successful": 1,
          "skipped": 0
        },
        "hits": {
          "hits": [
            {
              "_index": "mb_rollup",
              "_type": "_doc",
              "_source": {
                "service.name.terms._count": 37,
                "system.process.fd.open.avg._count": 18,
                "@timestamp.date_histogram.time_zone": "UTC",
                "@timestamp.date_histogram.timestamp": 1582724520000,
                "system.process.fd.open.avg.value": 220,
                "service.name.terms.value": null,
                "_rollup.version": 2,
                "system.process.cpu.total.pct.min.value": 0,
                "system.process.cpu.total.pct.max.value": 0.008,
                "@timestamp.date_histogram.interval": "1m",
                "@timestamp.date_histogram._count": 37,
                "_rollup.id": "mb_rollup"
              },
              "_id": "mb_rollup$b4LExjJiaowbdcbGsY6vgw",
              "_score": 0
            },
            {
              "_index": "mb_rollup",
              "_type": "_doc",
              "_source": {
                "service.name.terms._count": 130,
                "system.process.fd.open.avg._count": 54,
                "@timestamp.date_histogram.time_zone": "UTC",
                "@timestamp.date_histogram.timestamp": 1582724520000,
                "system.process.fd.open.avg.value": 3308,
                "service.name.terms.value": "test1",
                "_rollup.version": 2,
                "system.process.cpu.total.pct.min.value": 0,
                "system.process.cpu.total.pct.max.value": 0.045,
                "@timestamp.date_histogram.interval": "1m",
                "@timestamp.date_histogram._count": 130,
                "_rollup.id": "mb_rollup"
              },
              "_id": "mb_rollup$RFijNaIVSniSMvioCfMEfg",
              "_score": 0
            }
          ],
          "total": 2,
          "max_score": 0
        },
        "took": 501,
        "timed_out": false
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "mb_rollup"
          ],
          "rest_total_hits_as_int": true,
          "body": {
            "query": {
              "bool": {
                "filter": [
                  {
                    "range": {
                      "@timestamp.date_histogram.timestamp": {
                        "gte": "now-2m"
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    },
    "condition": {
      "type": "compare",
      "status": "success",
      "met": true,
      "compare": {
        "resolved_values": {
          "ctx.payload.hits.total": 2
        }
      }
    },
    "actions": [
      {
        "id": "debug_action",
        "type": "logging",
        "status": "simulated",
        "number_of_actions_executed": 2,
        "foreach": [
          {
            "logging": {
              "logged_text": "Found ##mb_rollup$b4LExjJiaowbdcbGsY6vgw##, ##{service.name.terms._count=37, system.process.fd.open.avg._count=18.0, @timestamp.date_histogram.time_zone=UTC, @timestamp.date_histogram.timestamp=1582724520000, system.process.fd.open.avg.value=220.0, service.name.terms.value=null, _rollup.version=2, system.process.cpu.total.pct.min.value=0.0, system.process.cpu.total.pct.max.value=0.008, @timestamp.date_histogram.interval=1m, @timestamp.date_histogram._count=37, _rollup.id=mb_rollup}## at ####."
            }
          },
          {
            "logging": {
              "logged_text": "Found ##mb_rollup$RFijNaIVSniSMvioCfMEfg##, ##{service.name.terms._count=130, system.process.fd.open.avg._count=54.0, @timestamp.date_histogram.time_zone=UTC, @timestamp.date_histogram.timestamp=1582724520000, system.process.fd.open.avg.value=3308.0, service.name.terms.value=test1, _rollup.version=2, system.process.cpu.total.pct.min.value=0.0, system.process.cpu.total.pct.max.value=0.045, @timestamp.date_histogram.interval=1m, @timestamp.date_histogram._count=130, _rollup.id=mb_rollup}## at ####."
            }
          }
        ],
        "max_iterations": 500
      }
    ]
  },
  "messages": []
}

iorfix · February 27, 2020, 9:30am

I resolved the issue. Mustache is not able to access fields with a dot inside them. I added a transform action, where I changed the field name, and then logged it out.

  "transform": {
    "script": {
      "lang" : "painless",
      "inline": "ctx.payload.hits.hits.forEach(hit -> hit._source.service_name_terms_count = hit._source['service.name.terms._count']); return ctx.payload"
      }
  }

"text": "Found ##{{ctx.payload._id}}## at ##{{ctx.payload._source.service_name_terms_count}}##"

system · March 26, 2020, 9:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to use aggregation fields in Watcher action body (with foreach loop)? Elasticsearch	2	912	September 7, 2022
Ctx.payload.hits.hits.0._source.field to watcher-history index Elasticsearch elastic-stack-alerting	15	6899	May 10, 2018
Watcher Use Source Fields Elasticsearch elastic-stack-alerting	2	1157	May 28, 2019
Watcher : Extract _source field in transform Elasticsearch elastic-stack-alerting	2	473	March 23, 2020
Using the payload data (fields) after aggregated to bucket, in Elastic Watcher Action email Elasticsearch elastic-stack-alerting	4	1174	April 26, 2022

Unable to access payload _source fields using Watcher foreach with rollup data

Related topics