Unable to receive source fields over email from Watcher alerting

Hi All,

I have been trying for nearly 4 hours already to get an email alert with a data table using Watcher; despite receiving the email, it fails to include the data from the `_source` fields specified. My Watcher alert is as below:

    {
      "trigger": {
        "schedule": {
          "interval": "2m"
        }
      },
      "input": {
        "search": {
          "request": {
            "search_type": "query_then_fetch",
            "indices": [
              "logstash-*"
            ],
            "rest_total_hits_as_int": true,
            "body": {
              "size": 0,
              "query": {
                "bool": {
                  "filter": [
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "now-5m"
                        }
                      }
                    }
                  ],
                  "must_not": [
                    {
                      "match": {
                        "response": 200
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      },
      "condition": {
        "compare": {
          "ctx.payload.hits.total": {
            "gte": 1
          }
        }
      },
      "actions": {
        "send_email": {
          "email": {
            "profile": "standard",
            "to": [
              "xxxxxx@xxxxx.com"
            ],
            "subject": "TEST Watcher Notification",
            "body": {
              "html": "There is a total of {{ctx.payload.hits.total}} errors so far in the last 5 minutes.<br><br><strong>Snapshot of errors:</strong><br><br><table><tr><th>Timestamp</th> <th>Client_IP</th> <th>Response_Code</th></tr>{{#ctx.payload.hits.hits}}<tr><td>{{_source.timestamp}}</td> <td>{{_source.clientip}}</td><td>{{_source.response}}</td></tr>{{/ctx.payload.hits.hits}}</table><br><br>"
            }
          }
        }
      }
    }

When the email is triggered, I get the below email but with no data.

A sample document is as below:

    {
      "host" : "elastic",
      "message" : "92.115.179.247 - - [20/May/2015:21:05:35 +0000] \"GET /favicon.ico HTTP/1.1\" 304 3638 \"-\" \"Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:20.0) Gecko/20100101 Firefox/20.0\"",
      "auth" : "-",
      "ident" : "-",
      "httpversion" : "1.1",
      "verb" : "GET",
      "path" : "/var/log/test.log",
      "clientip" : "92.115.179.247",
      "@version" : "1",
      "request" : "/favicon.ico",
      "response" : "304",
      "@timestamp" : "2021-04-12T15:51:32.357Z",
      "bytes" : "3638",
      "timestamp" : "20/May/2015:21:05:35 +0000"
    }

I am not sure what I am missing here and even after such a long stretch I am unable to make it work :worried:

Kindly help!

Thanks,
Arun
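Added example (not part of the original post or of Elastic's code): a small Mustache-style renderer that expands the watch's HTML body against two constructed `ctx.payload` shapes. Elasticsearch returns `hits.total` but an empty `hits.hits` array when the search body sets `"size": 0`, so the `{{#ctx.payload.hits.hits}}` section has nothing to iterate over; the second payload shows the same template producing table rows once the response carries documents. The renderer, the `render_email` helper and the sample payloads are this example's own constructions and only approximate Watcher's real template engine (sections, dotted lookups and HTML escaping).

```python
import html
import re
from typing import Any, List

# {{#name}}...{{/name}} sections (non-greedy, matched by name) and {{name}} variables.
# Names may contain dots and '@' so that ctx.payload.hits.hits and @timestamp resolve.
SECTION_RE = re.compile(r"\{\{#([\w.@]+)\}\}(.*?)\{\{/\1\}\}", re.DOTALL)
VAR_RE = re.compile(r"\{\{([\w.@]+)\}\}")

# The watch body from the thread, with the trailing </tr> closed.
TEMPLATE = (
    "There is a total of {{ctx.payload.hits.total}} errors so far in the last 5 minutes."
    "<br><br><strong>Snapshot of errors:</strong><br><br>"
    "<table><tr><th>Timestamp</th> <th>Client_IP</th> <th>Response_Code</th></tr>"
    "{{#ctx.payload.hits.hits}}"
    "<tr><td>{{_source.timestamp}}</td> <td>{{_source.clientip}}</td>"
    "<td>{{_source.response}}</td></tr>"
    "{{/ctx.payload.hits.hits}}"
    "</table><br><br>"
)

# Constructed payloads shaped like ctx.payload for a search response.
# With "size": 0 the total is known but no documents are returned.
PAYLOAD_SIZE_0 = {"hits": {"total": 2, "hits": []}}

# With a non-zero size, each hit carries its _source document.
PAYLOAD_WITH_HITS = {
    "hits": {
        "total": 2,
        "hits": [
            {"_source": {"timestamp": "20/May/2015:21:05:35 +0000",
                         "clientip": "92.115.179.247", "response": "304"}},
            {"_source": {"timestamp": "20/May/2015:21:06:01 +0000",
                         "clientip": "203.0.113.9", "response": "404"}},
        ],
    }
}


def lookup(name: str, stack: List[Any]) -> Any:
    """Resolve a dotted name against the context stack, innermost scope first."""
    head, *rest = name.split(".")
    for scope in reversed(stack):
        if isinstance(scope, dict) and head in scope:
            value = scope[head]
            for part in rest:
                if isinstance(value, dict) and part in value:
                    value = value[part]
                else:
                    return None
            return value
    return None


def render(template: str, stack: List[Any]) -> str:
    """Expand sections (iterating lists, pushing each item as a new scope), then variables."""
    def expand_section(m: re.Match) -> str:
        value = lookup(m.group(1), stack)
        body = m.group(2)
        if isinstance(value, list):
            return "".join(render(body, stack + [item]) for item in value)
        if value:
            inner = stack + [value] if isinstance(value, dict) else stack
            return render(body, inner)
        return ""  # missing, empty or false: section is skipped

    def expand_var(m: re.Match) -> str:
        value = lookup(m.group(1), stack)
        return "" if value is None else html.escape(str(value))

    return VAR_RE.sub(expand_var, SECTION_RE.sub(expand_section, template))


def render_email(payload: dict) -> str:
    """Render the watch body the way Watcher would see it: payload mounted under ctx.payload."""
    return render(TEMPLATE, [{"ctx": {"payload": payload}}])


def count_rows(rendered: str) -> int:
    """Number of data rows the table ended up with."""
    return rendered.count("<tr><td>")


if __name__ == "__main__":
    for label, payload in (("size 0", PAYLOAD_SIZE_0), ("with hits", PAYLOAD_WITH_HITS)):
        out = render_email(payload)
        print(f"--- {label}: {count_rows(out)} row(s) ---")
        print(out)
```

Running it shows the header sentence with the correct total in both cases, zero table rows for the `size: 0` payload and one row per document for the populated one; the template itself is the same in both runs.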

@arunhk3 I'm gonna try to mock this up on my local. I'll let you know what I learn soon.

@arunhk3 hey there, in what version of kibana is this problem occurring for you?

@arunhk3 Actually, I was looking at the data requested vs the email received, and it looks like you did at least receive "There is a total of {{ctx.payload.hits.total}} errors so far in the last 5 minutes" and then it is "broken" after the start of an html tag. I wonder if html is allowed in that stanza? (puts on thinking hat)

@arunhk3 can you try sending an email with that same json, but dropping all the html? Actually, since you and I can see some of the data came through, perhaps we only add that and the parts that have not. Such as: {{_source.timestamp}} && {{_source.clientip}} && {{_source.response}}

It does not work, nothing is printed by adding those variables.

This actually is working in another instance in my workplace but not in my VM box when I tried it. Also, as you can see from my screenshot, it says:

"There is a total of 2 errors"

I will try your suggestion and get back to you. Thanks a ton for your input!

