Use Painless to only return a subset of the Watch payload

bobes · October 28, 2019, 9:18pm

Apologies if this has been asked before, but i'm really stumped on this. What i'm trying to do is populate an email action in Watcher with a list of all results where an aggregation returns a doc_count > 5. I know the problem is within the action transform but I can't figure out the syntax I am looking for. Removed some info from the query and the actions for privacy reasons.

{
  "trigger": {
    "schedule": {
      "interval": "15m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "heartbeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "range": {
                    "@timestamp": {
                      "from": "now-15m",
                      "to": "now"
                    }
                  }
                }
              ],
              "filter": [
                {
                  "bool": {
                    "filter": [
                      {
                        "bool": {
                          "should": [
                            {
                              "match_phrase": {
                                "monitor.status": "down"
                              }
                            }
                          ]
                        }
                      }
                    ]
                  }
                }
              ]
            }
          },
          "aggs": {
            "endpoints_down": {
              "terms": {
                "field": "agent.hostname",
                "size": 50
              },
              "aggs": {
                "endpoint": {
                  "terms": {
                    "field": "url.full",
                    "size": 50
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.aggregations.endpoints_down.buckets.size() > 0",
      "lang": "painless"
    }
  },
  "actions": {
    "send_email": {
      "transform": {
        "script": {
          "source": "return ctx.payload.aggregations.endpoints_down.buckets.stream().map(e -> e.key).collect(Collectors.toList());", 
          "lang": "painless"
        }
      }
    }
  }
}

spinscale · October 31, 2019, 12:29pm

The terms aggregation supports a min_doc_count field, so there would not be any need for you to transform your data.

hope this helps!

bobes · October 31, 2019, 3:24pm

thank you! I'll give that a shot. I did manage to get it working with a transform for the time being.

"transform": {
   "script": {
   "source": "return ctx.payload.aggregations.endpoint.buckets.stream().filter(endpt -> endpt.doc_count >= 5).map(e -> e.key).collect(Collectors.toList());",
   "lang": "painless"
}

system · November 28, 2019, 3:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher Email output Elasticsearch painless	2	322	December 13, 2022
Watcher : Action Body's Text Elasticsearch elastic-stack-alerting , painless	3	740	February 2, 2022
Painless Script for Index Action Elasticsearch elastic-stack-alerting	2	14523	June 28, 2017
Accessing fields in watcher with transform actions Elasticsearch	1	480	May 28, 2020
Send all the aggregations as text with Watcher Elasticsearch elastic-stack-alerting	4	6260	February 6, 2017

Use Painless to only return a subset of the Watch payload

Related topics