Watcher Alerts to multiple users

Hi,

Is it possible to configure watcher alerts to email users based on a role?

If not, I don't have a distribution list, so I would like to be able to add and remove users from all watcher alerts without having to go through and edit them all individually. Is this possible?

Hello @spike83

Would it be acceptable for you to have a document in one index for each "role" which contains a list of emails?
If yes, we can get them in a chain input and reuse them in the email action.

On which version are you?

Hi Luca,

This could be possible; it's a new cluster, so anything can be possible.

We are running 7.6.2

This is one possible solution.

Store the role / emails as follows in the emails index:

POST emails/_doc/1
{
  "role": "role1",
  "emails": [ "one@company.com", "two@company.com"]
}
POST emails/_doc/2
{
  "role": "role2",
  "emails": [ "three@company.com", "one@company.com"]
}

The Watch can be written with a chain input.
On the first one, we search for the data to be used for the conditions, while the second one is used to grab all the roles/emails pairs.

POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "10m"
      }
    },
    "input": {
      "chain": {
        "inputs": [
          {
            "data": {
              "search": {
                "request": {
                  "indices": [
                    "logstash-*"
                  ],
                  "body": {
                    "query": {
                      "match_all": {}
                    }
                  }
                }
              }
            }
          },
          {
            "emails": {
              "search": {
                "request": {
                  "indices": [
                    "emails"
                  ],
                  "body": {
                    "query": {
                      "match_all": {}
                    }
                  }
                }
              }
            }
          }
        ]
      }
    },
    "condition": {
      "always": {}
    },
    "transform": {
      "script": """
// This line can be replaced so we can get the role depending on the data we have in ctx.payload.data
def role = 'role1';
if (ctx.payload.emails.hits.total > 0) {
  ctx.payload.emails = ctx.payload.emails.hits.hits.stream().filter(e -> e._source.role == role).map(s -> s._source.emails).findFirst().orElse([]);
}
return ctx.payload;
"""
    },
    "actions": {
      "send_email": {
        "email": {
          "subject": "TEST Alert from Watcher",
          "to": "{{#join}}ctx.payload.emails{{/join}}",
          "body": "Test message"
        }
      },
      "logging": {
        "logging": {
          "text": "{{ctx.payload.emails}}"
        }
      }
    }
  }
}

In this example, the destination role is hardcoded to role1, but it can be derived from the data found in ctx.payload.data.

If instead you know that the Watch must trigger an alert to a specific role in advance (it is not dynamic depending on the data), you can use:

POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "10m"
      }
    },
    "input": {
      "chain": {
        "inputs": [
          {
            "data": {
              "search": {
                "request": {
                  "indices": [
                    "logstash-*"
                  ],
                  "body": {
                    "query": {
                      "match_all": {}
                    }
                  }
                }
              }
            }
          },
          {
            "emails": {
              "search": {
                "extract": ["hits.hits"],
                "request": {
                  "indices": [
                    "emails"
                  ],
                  "body": {
                    "query": {
                      "term": {
                        "role.keyword": { "value": "role1" }
                      }
                    }
                  }
                }
              }
            }
          }
        ]
      }
    },
    "condition": {
      "always": {}
    },
    "actions": {
      "send_email": {
        "email": {
          "subject": "TEST Alert from Watcher",
          "to": "{{#join}}ctx.payload.emails.hits.hits.0._source.emails{{/join}}",
          "body": "Test message"
        }
      },
      "logging": {
        "logging": {
          "text": "{{ctx.payload}}"
        }
      }
    }
  }
}
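With recipients stored in the emails index as above, adding or removing a user becomes an update to the role documents rather than to each watch. The requests below are an added example, not part of the original posts; four@company.com is a constructed address, and emails.keyword assumes the default dynamic mapping, as role.keyword does in the watch above.

```console
# Add a user to one role; the script does nothing if the address is already listed.
POST emails/_update/1?refresh=true
{
  "script": {
    "lang": "painless",
    "source": "if (!ctx._source.emails.contains(params.email)) { ctx._source.emails.add(params.email) }",
    "params": { "email": "four@company.com" }
  }
}

# Remove a user from every role document that lists them, in one request.
# The query limits the update to documents that actually contain the address.
POST emails/_update_by_query?refresh=true
{
  "query": {
    "term": { "emails.keyword": "one@company.com" }
  },
  "script": {
    "lang": "painless",
    "source": "ctx._source.emails.removeIf(e -> e == params.email)",
    "params": { "email": "one@company.com" }
  }
}

# Review what each role now resolves to before the next watch execution.
GET emails/_search
{
  "_source": ["role", "emails"],
  "query": { "match_all": {} }
}
```

Because every watch built this way reads its recipients from this index, write access to emails decides who receives alerts, so it is worth restricting that index to the people who manage the roles.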
