Unable to give condition to watcher for elasticsearch (groovy disabled)?

alerting

(Akhilesh Anb) #1

I installed Watcher and am giving the condition. While giving the condition, it's giving me an error that...

{"error":"WatcherException[failed to put watch [log_error_watch]]; nested: ScriptConditionValidationException[failed to compile script [return ctx.payload.hits.total > 5] with lang [groovy] of type [INLINE]]; nested: ScriptException[dynamic scripting for [groovy] disabled]; ","status":500}

It's giving me an error that it is disabled. I added a line in elasticsearch.yml to enable dynamic scripting. Now I'm getting another error.

{"error":"WatcherException[failed to put watch [log_error_watch]]; nested: StrictDynamicMappingException[mapping set to strict, dynamic introduction of [_status] within [watch] is not allowed]; ","status":500}

My condition to the watcher is as follows.

    curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
      "metadata" : { 
        "color" : "red"
      },
      "trigger" : { 
        "schedule" : {
          "interval" : "10s"
        }
      },
      "input" : { 
        "search" : {
          "request" : {
            "search_type" : "count",
            "indices" : "logs",
            "body" : {
              "query" : { "match" : { "status" : "error" } }
            }
          }
        }
      },
      "condition" : { 
        "script" : "return ctx.payload.hits.total > 5"
      },
      "transform" : { 
        "search" : {
            "request" : {
              "indices" : "logs",
              "body" : {
                "query" : { "match" : { "status" : "error" } }
              }
            }
        }
      },
      "actions" : { 
        "my_webhook" : {
          "webhook" : {
            "method" : "GET",
            "host" : "mylisteninghost",
            "port" : 9200,
            "path" : "/{{watch_id}}",
            "body" : "Encountered {{ctx.payload.hits.total}} errors"
          }
        },
        "email_administrator" : {
          "email" : {
            "to" : "akhilesh.anb@gmail.com",
            "subject" : "Encountered {{ctx.payload.hits.total}} errors",
            "body" : "Too many error in the system, see attached data",
            "attach_data" : true,
            "priority" : "high"
          }
        }
      }
    }'

(Uri Boness) #2

Hi,

Did you install any of the previously released beta/rc versions? If so, you will need to follow the upgrade instructions as described here.

The reason for this is that we introduced a small change in the mappings for the stored watches in 1.0 GA.


(Akhilesh Anb) #3

I deleted all the history of Watcher. I installed Watcher again and I have given the condition, but I'm getting an error like this:

{"error":"WatcherException[failed to put watch [error_status]]; nested: StrictDynamicMappingException[mapping set to strict, dynamic introduction of [_status] within [watch] is not allowed]; ","status":500}

It's saying mapping set to strict. I enabled dynamic scripting in elasticsearch.yml.
Please help me. And another thing: I'm unable to delete the .watches index.


(Uri Boness) #4

Hi,

It doesn't sound like you followed the instructions I referred to in my previous comment... here's the link again:

https://www.elastic.co/guide/en/watcher/current/release-notes.html#upgrade-instructions


(Akhilesh Anb) #5

I'm following those steps. In the 4th step I'm unable to delete the .watches index. It is reflecting an error.

{"error":"This endpoint is not supported for DELETE on .watches index.","status":400}

(Steve Kearns) #6

Hi,

After you uninstalled Watcher, did you restart Elasticsearch? Please verify that you uninstalled Watcher on all nodes and restarted each of them.

If you are running this in development, on your local workstation/laptop, be aware that you may have multiple ES instances running, so ensure they have all stopped before trying to delete the .watches index.

Note that we will be updating the upgrade instructions to make this more clear in the future.


(Deb Adair) #7

The instructions in the Release Notes have been updated so others don't get tripped up by this. Thanks for your feedback! https://www.elastic.co/guide/en/watcher/current/release-notes.html


(Akhilesh Anb) #8

After restarting Elasticsearch, the .watches index is deleted. Thank you for the help. But I'm not getting the mail even though I have given the condition.
My condition is:

curl -XPUT 'http://localhost:9200/_watcher/watch/error_status' -d '{
    "trigger": {
        "schedule" : { "interval" : "5s" }
    },
    "input" : {
        "search" : {
            "request" : {
                "indices" : [ "logs-*" ],
                "body" : {
                    "query" : {
                        "filtered" : {
                            "query" : { "match" : { "status" : "Error" }},
                            "filter" : { "range" : { "_timestamp" : { "from" : "now-5s" }}}
                        }
                    }
                }
            }
        }
    },
    "condition" : {
        "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
    },
    "actions" : {
        "email_admin" : {
            "email" : {
                "to" : "xxx@gmail.com",
                "subject" : "Error Events",
                "priority" : "high",
                "body" : "Found {{ctx.payload.hits.total}} erroneous events"
            }
        }
    }
}'
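
The script condition in the first post needs dynamic Groovy scripting enabled, while the `compare` condition in post #8 does not. As an added example (not part of any post in this thread and not Elastic's code), the Python below rewrites a simple numeric script condition into the equivalent `compare` condition and leaves anything more complex untouched for manual review; the function names and the sample watch are assumptions made for illustration.

```python
import json
import re

# Script comparison operators mapped to Watcher compare-condition operators.
SCRIPT_TO_COMPARE_OP = {
    "==": "eq", "!=": "not_eq",
    ">=": "gte", "<=": "lte",
    ">": "gt", "<": "lt",
}

# Accepts only "[return] ctx.some.path <op> <number>[;]"; anything richer is rejected.
SIMPLE_SCRIPT = re.compile(
    r"^\s*(?:return\s+)?(ctx(?:\.\w+)+)\s*(==|!=|>=|<=|>|<)\s*(-?\d+(?:\.\d+)?)\s*;?\s*$"
)


def script_to_compare(script):
    """Return the equivalent compare condition, or None if the script is not a simple comparison."""
    match = SIMPLE_SCRIPT.match(script)
    if match is None:
        return None
    path, op, raw = match.groups()
    value = float(raw) if "." in raw else int(raw)
    return {"compare": {path: {SCRIPT_TO_COMPARE_OP[op]: value}}}


def rewrite_watch(watch):
    """Return (watch, changed); only a string script condition that converts cleanly is replaced."""
    script = watch.get("condition", {}).get("script")
    compare = script_to_compare(script) if isinstance(script, str) else None
    if compare is None:
        return watch, False  # leave for manual review rather than guess
    return {**watch, "condition": compare}, True


# Constructed sample: trigger and condition taken from the first post's watch.
SAMPLE_WATCH = {
    "trigger": {"schedule": {"interval": "10s"}},
    "condition": {"script": "return ctx.payload.hits.total > 5"},
}

if __name__ == "__main__":
    rewritten, changed = rewrite_watch(SAMPLE_WATCH)
    print(changed, json.dumps(rewritten["condition"]))
```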

(Steve Kearns) #9

I'm glad that restarting ES solved the issue - the docs are now updated to make this more clear.

Every time the watch triggers - every 5s in your case - Watcher will record a watch history entry for the watch. The watch history entry contains all the metadata from the watch execution. Can you retrieve the most recent watch history entry for this watch, and share it (sanitized) here?


(Akhilesh Anb) #10

Yes, I have given the condition and everything. I'm giving errors also. But I'm not getting any mail regarding errors.


(kulkarni) #11

You configure the accounts Watcher can use to send email in your elasticsearch.yml configuration file. Please check if the email settings are correct (refer to the link below) and, as advised in the previous post, can you also retrieve the most recent watch history entry for this watch, and share it (sanitized) here?

For gmail settings:
Ref: https://www.elastic.co/guide/en/watcher/current/email-services.html#gmail

