Variable to store list of recipient addresses for Elastic Watcher

Souvik_Das · June 1, 2022, 10:21am

Hi Team,

In our production setup, we have multiple watcher alerts (around 100), having different sets of recipient email addresses. Now if there is any requirement from the client to update the list, we need to edit 100 watcher scripts which is not a good solution.

Is there a way like an environment variable in watcher scripting? So that if we need to change/update anything in the list, we just need to update that variable and all the watcher scripts will then fetch the updated list from there. No need to edit 100 scripts.

Please guide!

Regards,
Souvik

richcollier · June 1, 2022, 11:38pm

Perhaps...you could make an Elasticsearch index of the email addresses, driven by a key of some kind and then in your Watch you could load that index as a subsearch within a chained input. An example of a chain input and a lookup (albeit for a different use-case) can be seen here: example watch with a lookup table of thresholds per term · GitHub

Then, you can merely modify the email addresses in the lookup index as necessary.

richcollier · June 1, 2022, 11:41pm

Or I guess more simply you can define/edit Watches via the API and use some variables in some scripting language that is making the API calls

Souvik_Das · June 3, 2022, 7:02am

Hi @richcollier , thanks for the suggestions, let me work on this. will share the outcome.

Souvik_Das · June 14, 2022, 11:34am

Thank you so much @richcollier, Your suggestion worked!!
Created an index consisting of recipient lists and then used that in the chained input of the watches.
Below are the steps of my success.

		  "first": {
			"search": {
			  "request": {
				"search_type": "query_then_fetch",
				"indices": [
				  "recipients"
				],
				"rest_total_hits_as_int": true,
				"body": {
				  "size": 0,
				  "query": {
					"bool": {
					  "minimum_should_match": 1,
					  "should": [
						{
						  "match_phrase": {
							"org": "abc"
						  }
						}
					  ]
					}
				  },
				  "aggs": {
					"emails": {
					  "terms": {
						"field": "email.keyword",
						"size": 1000
					  }
					}
				  }
				}
			  }
			}
		  }

And used {{ctx.payload.first.aggregations.emails.buckets.0.key}} instead of hard coded email ids and it worked!

system · July 12, 2022, 11:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.