Watcher email specific field of all hits from the results

Arnav_Sengupta · June 19, 2019, 2:20pm

I have the following input for my watcher

"input": {
"search": {
  "request": {
    "search_type": "query_then_fetch",
    "indices": [
      "ccwhaproxy-*"
    ],
    "types": [],
    "body": {
      "query": {
        "bool": {
          "must": [
            {
              "term": {
                "status_code": "200"
              }
            },
            {
              "range": {
                "@timestamp": {
                  "gt": "now-10m/m",
                  "lte": "now"
                }
              }
            }
          ]
        }
      },
      "_source": "backend_name"
    }
  }
}

}

How do I print just the backend name of each hit in my actions in an email?

A single hit might be done by something like this

ctx.payload.hits.hits.<index>.fields.<fieldname>

But how to print each hit's field in a new line?

spinscale · June 19, 2019, 3:01pm

hey,

the way to go here would be a script transform allowing you to change or add something to the existing payload. In this case you would probably have a list of maps, where each map contains the index/fieldname data of each document. Then you can walk through it easily in a mustache template.

--Alex

Arnav_Sengupta · June 19, 2019, 3:20pm

If I wish to do this on an aggregation, is it the same, script tranform?

I am trying to create an html table with each backend name and it's doc_count for my corresponding query

Here is the input

    
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "ccwhaproxy-*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "term": {
                    "status_code": "200"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gt": "now-10m/m",
                      "lte": "now"
                    }
                  }
                }
              ]
            }
          },
          "_source": "backend_name",
          "aggs": {
            "unique": {
              "terms": {
                "field": "backend_name.keyword"
              }
            }
          }
        }
      }
    }
 
In my actions, I have an email, body as html

{
  "profile": "standard",
  "attachments": {
    "attached_data": {
      "data": {
        "format": "json"
      }
    }
  },
  "from": "noreply@xxx.com",
  "priority": "high",
  "to": [
    "xxx@xxx.com"
  ],
  "subject": "503 Service Unavailable Alert - CCWHaproxy",
  "body": {

` "html": "<head> <h1>503 Backend Counts</h1> </head><body> <table> <tr><th>Backend Name</th><th>Count</th></tr><tr><td>{{#ctx.payload.aggregations.unique.buckets}}{{key}}{{/ctx.payload.aggregations.unique.buckets}}</td><td>{{#ctx.payload.aggregations.unique.buckets}}{{doc_count}}{{/ctx.payload.aggregations.unique.buckets}}</td></tr></table></body>"`

}
}
 

But this is printing all the keys concatenated in one cell and all the values concatenated in another cell

Arnav_Sengupta · June 19, 2019, 3:58pm

Hi,

I was able to transform using the script. Here is what I get in the results now.

"transform": {
        "type": "script",
        "status": "success",
        "payload": {
          "_value": [
            {
              "/configesearch": 6618
            },
            {
              "/v1/listprice/listpriceservice": 1954
            },
            {
              "/v2/search/itemsearch": 1762
            },
            {
              "/gdrservice": 415
            },
            {
              "/proxystats": 342
            },
            {
              "/v1/ccw/price": 322
            },
            {
              "/v1/ac/accuprice": 149
            },
            {
              "/v1/LPCESUtility/lpcesutility": 56
            },
            {
              "/v1/catalog/lpcatalogservices": 19
            },
            {
              "/v1/ac/accnxtgen": 7
            }
          ]
        }
      }

Now how do I iterate over each element in this list of _value and make a table row with two cells for each key and value?

I am new to Moustache and Scripting. Any help is much appreciated.

Thanks!

spinscale · June 20, 2019, 10:52am

hey

you should probably have a map as each element of the array like

"key":"/configesearch",
"value":6618

This way you could access all elements in mustache like this (on top of my head, not tested)

{{#ctx.payload._value}}{{key}} has value {{value}}{{/ctx.payload._value}}

system · July 18, 2019, 10:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to create a watch that email specific field from input index? Elasticsearch elastic-stack-alerting	18	6851	July 6, 2017
Watcher email to show every hit's message separately Elasticsearch elastic-stack-alerting	4	3610	July 6, 2017
Loop through "source": "['message': ctx.payload.hits.hits.0._source ]", Elasticsearch painless	1	1103	October 26, 2021
Watcher - Sending x number of emails per hit Elasticsearch	7	1482	May 21, 2018
Watcher - trying to print all document hits from search results Kibana	2	326	May 25, 2023

Watcher email specific field of all hits from the results

Related Topics