Watcher error after upgrade to 6.1

Anabella_Cristaldi · December 18, 2017, 2:07pm

Hi All,
I've been using watcher with ES 5.6.3 and after updating to 6.1 the condition code is not working anymore.
Any help will be appreciated
Here is the error I have

 "exception": {
    "type": "script_exception",
    "reason": "runtime error",
    "script_stack": [
      "calls=ctx.payload.aggregations.origin;",
      "                              ^---- HERE"
    ],
    "script": "def docs=[];def status= false;def calls=ctx.payload.aggregations.origin;for (int i = 0; i < calls.buckets.size(); ++i) {if (calls.buckets[i].grand_total.value > 370){ docs.add(['from' : calls.buckets[i].key , 'gt' : calls.buckets[i].grand_total.value]);status=true} } ctx.vars.alerts=docs; return status",
    "lang": "painless",
    "caused_by": {
      "type": "null_pointer_exception",
      "reason": null,
      "stack_trace": "java.lang.NullPointerException\n\tat org.elasticsearch.painless.DefBootstrap$PIC.fallback(DefBootstrap.java:202)\n\tat org.elasticsearch.painless.PainlessScript$Script.execute(def docs=[];def status= false;def calls=ctx.payload.aggregations.origin;for (int i = 0; i < calls.buckets.size(); ++i) {if (calls.buckets[i].grand_total.value > 370){ docs.add(['from' : calls.buckets[i].key , 'gt' : calls.buckets[i].grand_total.value]);sta ...:65)\n\tat org.elasticsearch.painless.ScriptImpl.run(ScriptImpl.java:105)\n\tat org.elasticsearch.xpack.watcher.condition.ScriptCondition.doExecute(ScriptCondition.java:86)\n\tat org.elasticsearch.xpack.watcher.condition.ScriptCondition.execute(ScriptCondition.java:77)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService.executeInner(ExecutionService.java:464)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService.execute(ExecutionService.java:315)\n\tat org.elasticsearch.xpack.watcher.transport.actions.execute.TransportExecuteWatchAction.lambda$executeWatch$1(TransportExecuteWatchAction.java:154)\n\tat java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)\n\tat java.util.concurrent.FutureTask.run(FutureTask.java:266)\n\tat org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:568)\n\tat java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tat java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\tat java.lang.Thread.run(Thread.java:748)\n"

Watcher code. (Working on ES 5.6.3)

{
  "trigger": {
    "schedule": {
      "interval": "30m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "temp_sbc"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "terms": {
                    "oper.keyword": [
                      "INTERIM",
                      "STOP"
                    ]
                  }
                },
                {
                  "bool": {
                    "must": [
                      {
                        "range": {
                          "ts_start": {
                            "gte": "2017-11-11T00:05:00.000Z",
                            "lte": "2017-11-11T00:28:00.000Z"
                          }
                        }
                      },
                      {
                        "range": {
                          "ts_stop": {
                            "gte": "2017-11-11T00:05:00.000Z",
                            "lte": "2017-11-11T00:28:00.000Z"
                          }
                        }
                      },
                      {
                        "terms": {
                          "dir.keyword": [
                            "O"
                          ]
                        }
                      }
                    ]
                  }
                }
              ]
            }
          },
          "aggs": {
            "origin": {
              "terms": {
                "field": "from.keyword",
                "size": 10000
              },
              "aggs": {
                "call_ref": {
                  "terms": {
                    "field": "call_ref.keyword",
                    "size": 10000
                  },
                  "aggs": {
                    "total_duration": {
                      "max": {
                        "field": "duration"
                      }
                    }
                  }
                },
                "grand_total": {
                  "sum_bucket": {
                    "buckets_path": "call_ref>total_duration"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "def docs=[];def status= false;def calls=ctx.payload.aggregations.origin;for (int i = 0; i < calls.buckets.size(); ++i) {if (calls.buckets[i].grand_total.value > 370){ docs.add(['from' : calls.buckets[i].key , 'gt' : calls.buckets[i].grand_total.value]);status=true} } ctx.vars.alerts=docs; return status",
      "lang": "painless"
    }
  },
  "actions": {
    "my-logging-action": {
      "logging": {
        "level": "info",
        "text": "There are {{#ctx.vars.alerts}} From: {{from}}: Total {{gt}}{{/ctx.vars.alerts}}"
      }
    }
  }
}

spinscale · December 18, 2017, 2:12pm

Hey,

can you share the full output of the execute watch API? Especially the search response is what I am interested in. It looks as if the aggregations are ignored or cannot be read from the response.

Alternatively a search response from the above query would be super useful as well.

--Alex

Anabella_Cristaldi · December 18, 2017, 2:26pm

Hi Alex,
Here is the search response and this is the problem, because returns 0 values; thus the watcher is not wrong... my fault
I'll take a deeper look into the data and I'll let you know.
Thanks a lot
Ana

{
  "took": 6,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 0,
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "origin": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": []
    }
  }
}

Anabella_Cristaldi · December 18, 2017, 3:47pm

Hi Alex,
I found the problem. Somehow I made a cut and paste mistake in the watcher and was pointing to an incorrect index, that why my search result was empty.
In addition I'll add some control to prevent the watcher to throw such an exception when the aggregation is empty
Thank you very much for your time.
Regards
Ana

system · January 15, 2018, 3:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Script_exception in watcher condition Elasticsearch elastic-stack-alerting	2	858	June 20, 2019
Watcher Error (Runtime error) \| Elasticsearch Elasticsearch elastic-stack-alerting	3	483	September 30, 2019
Issue migrating watchers to latest Elasticsearch elastic-stack-alerting	4	840	November 10, 2017
Watcher Alert on Agg Field & Painless Script Condition Error Elastic Security	2	389	November 4, 2022
Watcher Condition "script" : { "script" : ""}}. Not working Elasticsearch elastic-stack-alerting	8	4688	July 6, 2017

Watcher error after upgrade to 6.1

Related topics