Watcher Configuration to print results in Email

Guys,

I have looked all over the internet, and I can't seem to get a simple answer at all.
So, we have a watcher configuration which triggers an email when a particular condition is satisfied.
But, it prints only the hits.
Now, can anyone please tell me in simple code, how to print the payload in the email action.

Here is my watcher configuration

```json
{
  "trigger": {
    "schedule": {
      "interval": "30s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "my-index-*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "system.cpu.total.pct : [0.3 TO *]"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-7d"
                    }
                  }
                }
              ]
            }
          },
          "_source": [
            "message"
          ],
          "sort": [
            {
              "@timestamp": {
                "order": "desc"
              }
            }
          ]
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "myemail@mydomain.com"
        ],
        "subject": "Warning: High CPU Utilization",
        "body": {
          "text": "{{ctx.payload.hits.total}} Times the CPU Utilization has crossed the threshold value {{#ctx.payload._value}}{{.}}:{{/ctx.payload._value}}"
        }
      }
    }
  },
  "throttle_period_in_millis": 60000
}
```

Hey,

Here is a useful link

Email action

Hi Sergey, Thanks for the reply.

I can see some data, but nothing in the link which helps me print a particular field in the Elastic index.

If I had a field in the response, how do I get that into the email body?

ctx.payload.fieldname ?

You have to understand that your payload may contain many hits, and you can access them just via the JSON array.
So if you have X hits, you should do it like this:

{{#ctx.payload.hits.hits}}{{thefieldname}}{{/ctx.payload.hits.hits}}

If you have only 1 hit in the payload .
Value : {{ctx.payload.hits.hits.0.thefieldname}}

So in your case :slight_smile:

{{ctx.payload.hits.total}} Times the CPU Utilization has crossed the threshold value {{#ctx.payload.hits.hits}}{{value}}:{{/ctx.payload.hits.hits}}

Hi friend, thank you .. I tried and got this .... 1033 times the CPU Utilization has crossed the threshold value ::::::::::

Just dots :frowning:

@elastock @spinscale Any thoughts on my above reply ?

you have to replace {{value}} by the fieldname
in your case i think it is .

but it may have a problem because of the dots in the fieldname .
Let's try.

I assume that you will eventually change this watch to:

a) be more "real-time" (i.e. be over the last X minutes, not over the last 7 days)
b) set a more realistic threshold for CPU utilization
c) print useful contextual information, as in, the name of the host that had the high CPU for example

If you have time, may I suggest reviewing some of our example watches in our public Github repo:

They may give you additional ideas.


I most certainly am going to go for more complex patterns, but I seem to be stonewalled by the basics.

See the watcher output below. I see no fields in the output, which would explain why I can't access any of them in my email body.
How can I get the fields to flow in? @elastock

{
"watch_id": "serviceABC",
"node": "xGdwQzxQTryzn1x9u-KFhw",
"state": "executed",
"status": {
"state": {
"active": true,
"timestamp": "2018-06-20T04:28:XX.XX"
},
"last_checked": "2018-06-20T04:29:49.120Z",
"last_met_condition": "2018-06-20T04:29:49.120Z",
"actions": {
"send_email": {
"ack": {
"timestamp": "2018-06-20T04:29:16.567Z",
"state": "ackable"
},
"last_execution": {
"timestamp": "2018-06-20T04:29:49.120Z",
"successful": true
},
"last_successful_execution": {
"timestamp": "2018-06-20T04:29:49.120Z",
"successful": true
}
}
},
"execution_state": "executed",
"version": -1
},
"trigger_event": {
"type": "schedule",
"triggered_time": "2018-06-20T04:29:49.120Z",
"schedule": {
"scheduled_time": "2018-06-20T04:29:48.758Z"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"index_name-*"
],
"types": [],
"body": {
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "my_fieldname: [0.2 TO *]"
}
},
{
"range": {
"@timestamp": {
"gte": "now-7d"
}
}
}
]
}
},
"_source": [
"message"
],
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 1
}
}
},
"metadata": {
"name": "CPU util. check",
"xpack": {
"type": "json"
}
},
"result": {
"execution_time": "2018-06-20T04:29:XX.XX",
"execution_duration": 598,
"input": {
"type": "search",
"status": "success",
"payload": {
"_shards": {
"total": 22,
"failed": 0,
"successful": 22,
"skipped": 0
},
"hits": {
"hits": [
{
"_index": "my_index-2018.06.20",
"_type": "doc",
"_source": {},
"_id": "gM5xG2QBlZxOw2VhYARB",
"sort": [
1529468771416
],
"_score": null
},
{
"_index": "my_index-2018.06.20",
"_type": "doc",
"_source": {},
"_id": "Js5xG2QBlZxOw2VhVQSi",
"sort": [
1529468768641
],
"_score": null
},
{
"_index": "my_index-2018.06.20",
"_type": "doc",
"_source": {},
"_id": "xxxx",
"sort": [
1529468406117
],
"_score": null
},
{
"_index": "my_index-2018.06.20",
"_type": "doc",
"_source": {},
"_id": "xxxx",
"sort": [
1529468165110
],
"_score": null
},
{
"_index": "my_index-2018.06.20",
"_type": "doc",
"_source": {},
"_id": "xxxx",
"sort": [
1529468046117
],
"_score": null
},
{
"_index": "my_index-2018.06.20",
"_type": "doc",
"_source": {},
"_id": "xxxx",
"sort": [
1529468036117
],
"_score": null
},
{
"_index": "my_index-2018.06.20",
"_type": "doc",
"_source": {},
"_id": "xxxx",
"sort": [
1529467871416
],
"_score": null
},
{
"_index": "my_index-2018.06.20",
"_type": "doc",
"_source": {},
"_id": "xxxx",
"sort": [
1529467868641
],
"_score": null
},
{
"_index": "my_index-2018.06.20",
"_type": "doc",
"_source": {},
"_id": "xxxx",
"sort": [
1529467718641
],
"_score": null
},
{
"_index": "my_index-2018.06.20",
"_type": "doc",
"_source": {},
"_id": "xxxx",
"sort": [
1529467708641
],
"_score": null
}
],
"total": 6715,
"max_score": null
},
"took": 86,
"timed_out": false
},
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"my_index-*"
],
"types": [],
"body": {
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "my_field : [0.2 TO *]"
}
},
{
"range": {
"@timestamp": {
"gte": "now-7d"
}
}
}
]
}
},
"_source": [
"message"
],
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}
}
}
},
"condition": {
"type": "compare",
"status": "success",
"met": true,
"compare": {
"resolved_values": {
"ctx.payload.hits.total": 6715
}
}
},
"actions": [
{
"id": "send_email",
"type": "email",
"status": "success",
"email": {
"account": "smtp_account",
"message": {
"id": "watcher_ID_xxxxx-2018-06-20T04:29:49.120Z",
"from": "xyzemail@abc.com",
"sent_date": "2018-06-20T04:29:49.xx.xx",
"to": [
"myemail@abc.com"
],
"subject": "High CPU Utilization in past 7 days",
"body": {
"text": " "
}
}
}
}
]
},
"messages": []
}

I'm not really sure, but you can try this:

```json
{
  "query_string": {
    "query": "my_field : [0.2 TO *]",
    "analyze_wildcard": true
  }
},
```

and delete

```json
"_source": [
  "message"
],
```

Hey,

I just saw this snippet in your execute watch API output. I do not think that _value has been populated, as ctx.payload.hits.total is set. Maybe you want to use {{#ctx.payload.hits.hits}} and loop through the result set?

Also, please format your code snippets properly, this is nearly impossible to read. You can use markdown in this forum. Thank you!

--Alex

You might find this page helpful:

https://www.vodori.com/helpful-mustache-template-tips/
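
What the replies point towards, written out as an added example (not code from any poster or from Elastic): document fields sit under `_source` of each entry in `ctx.payload.hits.hits`, and the `_source` filter has to name fields the documents actually contain, otherwise every hit comes back as `"_source": {}` as in the execution output above. It assumes `_source` holds nested objects the way Metricbeat emits them, and `beat.hostname` is an assumed field name; everything else is the original watch.

```json
{
  "metadata": {
    "note": "Added example. Assumes nested Metricbeat-style _source; beat.hostname is an assumed field name."
  },
  "trigger": { "schedule": { "interval": "30s" } },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": ["my-index-*"],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must": [
                { "query_string": { "query": "system.cpu.total.pct : [0.3 TO *]" } },
                { "range": { "@timestamp": { "gte": "now-7d" } } }
              ]
            }
          },
          "_source": ["beat.hostname", "system.cpu.total.pct"],
          "sort": [{ "@timestamp": { "order": "desc" } }]
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gte": 1 } }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": ["myemail@mydomain.com"],
        "subject": "Warning: High CPU Utilization",
        "body": {
          "text": "{{ctx.payload.hits.total}} times the CPU utilization has crossed the threshold. Returned hits:\n{{#ctx.payload.hits.hits}}{{_index}}/{{_id}} host={{_source.beat.hostname}} cpu={{_source.system.cpu.total.pct}}\n{{/ctx.payload.hits.hits}}"
        }
      }
    }
  },
  "throttle_period_in_millis": 60000
}
```

The loop only covers the hits the search returns (ten by default), while `hits.total` counts every match, which is why the output above lists ten hits against a total of 6715.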
