Watcher : Action Body's Text

appleyin1 · December 31, 2021, 9:23am

Hi there:
I'm stuck at the Watch Action body text section, I have a payload below. Is that possible to only retrieve which service and host's doc_count < 5 ? in order to determine what are the services are unavailable with their hosts.

I might need a loop but don't think "body" allows painless script? Pls advise, thank you so much.

Expected email body output eg:

The following services with their respective host are unavailable,
serviceA-health-check-status, host2
serviceB-health-check-status, host2
serviceC-health-check-status, host2

"payload": {
        "ServiceUnavailable": [
          {
            "serviceId": "serviceA-health-check-status",
            "serviceId-details": [
              {
                "doc_count": 5,
                "key": "host1"
              },
              {
                "doc_count": 3,
                "key": "host2"
              }
            ]
          },
          {
            "serviceId": "serviceB-health-check-status",
            "serviceId-details": [
              {
                "doc_count": 5,
                "key": "host1"
              },
              {
                "doc_count": 3,
                "key": "host2"
              }
            ]
          },
          {
            "serviceId": "serviceC-health-check-status",
            "serviceId-details": [
              {
                "doc_count": 5,
                "key": "host1"
              },
              {
                "doc_count": 3,
                "key": "host2"
              }
            ]
          }
        ]
      }
    }

spinscale · January 5, 2022, 3:42pm

Two possibilities:

First, you can use list iterations in the mustache language, but I find it a little clunky. See Watching event data | Elasticsearch Guide [7.16] | Elastic
You can use a transform to change your payload to use it more easily in your actions. See Payload transforms | Elasticsearch Guide [7.16] | Elastic

appleyin1 · January 5, 2022, 9:47pm

Happy New Year, Alex. Thanks so much for your replied. The payload that I have put up was already being transformed. I know something need to be fixed in "Transform" but I don't know how after working on it for quite some time.

I'm sending you the Watcher JSON file, pls help me if you can point out what needs to be fixed in order to have the desired output. Thanks again and appreciate your advise, Alex

PUT _watcher/watch/ServiceUnavailable_watcher
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "heartbeat"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "term": {
                    "tags": "cn3a"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-5m",
                      "lte": "now"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "applService": {
              "terms": {
                "field": "applService.id",
                "size": 50
              },
              "aggs": {
                "servicesHost": {
                  "terms": {
                    "field": "servicesHost.hostname",
                    "size": 50
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": """
    ctx.payload.aggregations.applService.buckets.stream()
    .filter(service -> service.servicesHost.buckets.stream()
      .anyMatch(service -> service.doc_count < 5))
    .count() > 0
  """
  },
  "transform": {
    "script": """
    return [
      "ServiceUnavailable": ctx.payload.aggregations.applService.buckets.stream()
        .filter(service -> service.servicesHost.buckets.stream()
          .anyMatch(service -> { 
            return service.doc_count < 5
          }))
        .map(t -> {
          return ['serviceId': t.key, 'service-details': t.servicesHost.buckets]
        })
      .collect(Collectors.toList())
    ]
  """
  },
  "actions": {
    "Email_Support": {
      "email": {
        "profile": "standard",
        "to": [
          "abc@lgmail.com"
        ],
        "subject": "Servicess are currently unavailable",
        "body": {
          "text": "{{ctx.payload}}"
        }
      }
    }
  }
}

system · February 2, 2022, 9:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Use Painless to only return a subset of the Watch payload Elasticsearch elastic-stack-alerting	3	712	November 28, 2019
Help: Format The Watcher Email Body Section Elasticsearch elastic-stack-alerting	2	330	March 8, 2022
Watcher Email output Elasticsearch painless	2	322	December 13, 2022
Watcher email html body passed as a stored script Elasticsearch elastic-stack-alerting	3	1545	July 3, 2019
Elastic Watcher Elasticsearch painless	1	125	April 17, 2024

Watcher : Action Body's Text

Related topics