Watcher alert syntax error

Alexandros888 · April 12, 2021, 5:13pm

Hello,

I have the following watcher alert code.

I simply want to check if 2 specific messages (at least 1 out of 2) exist in the message field of a certain facility named: galaxus-service.

BUT i get the syntax error of image 1 while trying.

{
  "trigger": {
    "schedule": {
      "interval": "2m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "sag-gelf-logs-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query":
           {
            "bool": {
                "must": 
				[
                         {
                          "match": {
                          "facility": "galaxus-service"
                                   }
                         }
				],
               "filter": 
			   [
                        {
                          "range": {
                            "@timestamp": {
                              "gte": "now-100d"
                            }
                          }
                        }
				],
			   "should": [
			               "bool": 
						  {
                                 "should": [
                                {
                                  "match_phrase": {
                                  "message": "*an HttpOperationFailedException exception was raised:*"
                                                  }
                                },
								{
                                  "match_phrase": {
                                  "message": "*rejectOrderException was raised: 
	                                           com.sagag.fuse.edi4customers.exception.RejectOrderException"
                                                  }
                                }
								
                          ],
                          "minimum_should_match": 1
                        }
					  ]

                   }
                }
             }
          }
        }
       },
       "condition": {
       "compare": {
       "ctx.payload.hits.total": {
        "gt": 0
       }
      }
   }
 }

Why i get that syntax error ?

Thank you!

AClerk · April 13, 2021, 5:12am

-->

			   "should": [
			               "bool",

I dont know if your script is correct, but you have a JSON syntax issue.

Alexandros888 · April 13, 2021, 6:14am

Alexandros888:

{
  "trigger": {
    "schedule": {
      "interval": "2m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "sag-gelf-logs-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query":
           {
            "bool": {
                "must": 
				[
                         {
                          "match": {
                          "facility": "galaxus-service"
                                   }
                         }
				],
               "filter": 
			   [
                        {
                          "range": {
                            "@timestamp": {
                              "gte": "now-100d"
                            }
                          }
                        }
				],
			   "should": [
			               "bool": 
						  {
                                 "should": [
                                {
                                  "match_phrase": {
                                  "message": "*an HttpOperationFailedException exception was raised:*"
                                                  }
                                },
								{
                                  "match_phrase": {
                                  "message": "*rejectOrderException was raised: 
	                                           com.sagag.fuse.edi4customers.exception.RejectOrderException"
                                                  }
                                }
								
                          ],
                          "minimum_should_match": 1
                        }
					  ]

                   }
                }
             }
          }
        }
       },
       "condition": {
       "compare": {
       "ctx.payload.hits.total": {
        "gt": 0
       }
      }
   }
 }

Hello AClerk. Thank you. But i still dont unerstand why it is wrong. I just have a a should statement within another should statement and in order to implement (a should within should) i have a bool statement between them.

 "should": [
			               "bool": 
						  {
                                 "should": [
                                {
                                  "match_phrase": {
                                  "message": "*an HttpOperationFailedException exception was raised:*"
                                                  }
                                },
								{
                                  "match_phrase": {
                                  "message": "*rejectOrderException was raised: 
	                                           com.sagag.fuse.edi4customers.exception.RejectOrderException"
                                                  }
                                }
								
                          ],
                          "minimum_should_match": 1
                        }
					  ]

Thank you

system · May 11, 2021, 6:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.