Hi ,
I have the following watcher action :
"send_email": {
"transform": {
"script": {
"source":
"""
def documents = ctx.payload.hits.hits.stream()
.map(hit -> [
"time": hit._source['@timestamp'],
"source.user": hit._source.EventData.SubjectUserName,
"destination.user": hit._source.EventData.TargetUserName,
"message": hit._source.System.Keywords
])
.collect(Collectors.toList());
return documents[0];
"""
}
},
"email" : {
"to" : "<<redacted>>",
"subject" : "Watcher Notification",
"body" : "On {{ctx.payload.time}}, {{ctx.payload.source.user}} is making changes to {{ctx.payload.destination.user}} with message {{ctx.payload.message}}"
}
}
Upon watch execution, I can see that the transform returns expected payload. however, on the action section, some payload are returned while others are not.
transform result :
"transform" : {
"type" : "script",
"status" : "success",
"payload" : {
"time" : "2020-05-29T06:51:54.969Z",
"source.user" : "<redacted>",
"destination.user" : "<redacted>",
"message" : "Audit Success"
}
},
action result. :
"email" : {
"account" : "office365",
"message" : {
"id" : "send_email_modify-ad_eedaa620-e8e6-4984-b33e-9b6fc21b0113-2020-06-09T14:37:47.69609Z",
"from" : "<redacted>",
"sent_date" : "2020-06-09T14:37:47.714366Z",
"to" : [
"<redacted>"
],
"subject" : "Watcher Notification",
"body" : {
"text" : "On 2020-05-29T06:51:54.969Z, is making changes to with message Audit Success"
}
}
}
The time and message field are returned correctly, while source.user and destination.user are just blanks. Strangely enough, putting just {{ctx.payload}} returned all entries.
Did i miss something obvious?
TIA