Watcher error when executing the watch

Maxime_Poirier-Journ · February 12, 2018, 7:17pm

Hi,

Im pretty new to watcher and painless. I'm getting this error and I have no clue why. Can you guys help me out for this one?

What i need to do is retrieve the value of "SAM Account Name: " in the ES item called "message" ( see screenshot below). So after trial and error scripting i came up with that script. It looks good but a little something seems to be missing. I'm getting this error: StringIndexOutOfBoundsException[String index out of range: -1] as soon as I execute the watch.

{
"trigger": {
"schedule": {
"hourly": {
"minute": [
0
]
}
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"v7-*"
],
"types": ,
"body": {
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "A user account was created",
"analyze_wildcard": true
}
},
{
"range": {
"@timestamp": {
"gte": "now-60m"
}
}
}
]
}
}
}
},
"timeout_in_millis": 60000
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"Create_zendesk_ticket": {
"transform": {
"script": {
"inline": "def items = ctx.payload.hits.hits.collect(item -> ['cluster': item._source.cluster, 'message': item._source.message]);def users = ;def start_i=0;def end_i=0;for (item in items){start_i = item['message'].lastIndexOf('SAM Account Name:');end_i = item['message'].lastIndexOf('Display Name');users.add(item['cluster'].substring(start_i,end_i));}HashSet hashusers = new HashSet(users); return ['ticket': ['body': items,'requester': ['name': 'Ops Internal', 'email': '%emailhere%'], 'subject': 'An account was created on the following clusters', 'comment': String.join('\n',hashusers), 'priority': 'normal', 'tags': ['reccurent', 'ops', 'internal']]];",
"lang": "painless"
}
},
"webhook": {
"scheme": "https",
"host": "hosthere",
"port": 443,
"method": "post",
"path": "/apipathgoeshere/",
"params": {},
"headers": {
"Content-Type": "application/json"
},
"auth": {
"basic": {
"username": "usernamehere",
"password": "passwordhere"
}
},
"body": "{{#toJson}}ctx.payload{{/toJson}}"
}
}
}
}

Maxime_Poirier-Journ · February 12, 2018, 7:20pm

chrome_2018-02-12_14-14-09

spinscale · February 13, 2018, 9:46am

can you use the Execute Watch API and paste the output here? Otherwise it is super hard to help without having further information.

My current guess is that one of your lastIndexOf or substring calls uses a wrong offset.

Maxime_Poirier-Journ · February 15, 2018, 5:59pm

The output cant really be pasted here. That beeing said

hits.total : 283861 this look suspicious

"condition": {
    "type": "compare",
    "status": "success",
    "met": true,
    "compare": {
      "resolved_values": {
        "ctx.payload.hits.total": 283861
      }
    }
  },
  "actions": [
    {
      "id": "Create_zendesk_ticket",
      "type": "webhook",
      "status": "failure",
      "transform": {
        "type": "script",
        "status": "failure",
        "reason": "ScriptException[runtime error]; nested: StringIndexOutOfBoundsException[String index out of range: -1]; "
      },
      "reason": "Failed to transform payload"
    }
  ]
},
"messages": []

}
}

spinscale · February 16, 2018, 8:12am

Please use something like gist or pastebin or paste the full watch.

Also, please try to run the search query first in isolation to see if matches your expections. In this example you seem to run OR combined queries in the query_string query which could explain that many results.

When pasting the execute watch API response others can see the search response, making it easier to see why your script failed.

Maxime_Poirier-Journ · February 20, 2018, 7:14pm

Here is a pastebin:

https://pastebin.com/2C2LqyHg

Maxime_Poirier-Journ · February 20, 2018, 8:18pm

I reworked my watch. Now I'm getting the expected number of results. That beeing said i'm still getting

"reason": "ScriptException[runtime error]; nested: StringIndexOutOfBoundsException[String index out of range: -1]; "

You can see the _execute result above in the pastebin link

spinscale · February 21, 2018, 8:15am

your field is named Message while you referred to it in the script you provided as message. Field names are case sensitive.

The out of bounds exception could result from a couple of calls, as you dont do any checking on length or content before using substring, lastIndexOf, which are the most likely candidates.

The transform does not properly bubble show our awesome painless exceptions. If you put the script for testing into the condition, you should be able to see a more proper stack trace, where exactly the script failed.

--Alex

spinscale · February 21, 2018, 8:37am

out of curiosity: What ES version are you running on?

Maxime_Poirier-Journ · February 21, 2018, 2:03pm

Hi Alexander,

We're running 5.3. in prod. We're migrating to 6.1.1 tonight That being said if you look at the pastebin again there is 2 fields named "message". 1 is lower case and the other one is Upper case. The information i'm looking for is in the lower case one

spinscale · February 22, 2018, 8:25am

hope everything went well. The reason for my ask is, that starting from ES 6.1 we will have proper exceptions with scripting issues, so that it should be super simple to find the offending code snippet, when you call the execute watch API.

--Alex

Maxime_Poirier-Journ · February 22, 2018, 9:25pm

I managed to finally figured it out... i removed the unnecessary .substring

users.add(item['cluster'].substring(start_i,end_i))

for

users.add(item['cluster'])

Working as expected now

system · March 22, 2018, 9:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.