Watcher error when executing the watch

alerting

(Maxime Poirier Journault) #1

Hi,

I'm pretty new to Watcher and Painless. I'm getting this error and I have no clue why. Can you guys help me out with this one?

What I need to do is retrieve the value of "SAM Account Name: " in the ES item called "message" (see screenshot below). So after some trial-and-error scripting I came up with this script. It looks good, but a little something seems to be missing. I'm getting this error: StringIndexOutOfBoundsException[String index out of range: -1] as soon as I execute the watch.

{
  "trigger": {
    "schedule": {
      "hourly": {
        "minute": [
          0
        ]
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "v7-*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "A user account was created",
                    "analyze_wildcard": true
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-60m"
                    }
                  }
                }
              ]
            }
          }
        }
      },
      "timeout_in_millis": 60000
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "Create_zendesk_ticket": {
      "transform": {
        "script": {
          "inline": "def items = ctx.payload.hits.hits.collect(item -> ['cluster': item._source.cluster, 'message': item._source.message]);def users = [];def start_i=0;def end_i=0;for (item in items){start_i = item['message'].lastIndexOf('SAM Account Name:');end_i = item['message'].lastIndexOf('Display Name');users.add(item['cluster'].substring(start_i,end_i));}HashSet hashusers = new HashSet(users); return ['ticket': ['body': items,'requester': ['name': 'Ops Internal', 'email': '%emailhere%'], 'subject': 'An account was created on the following clusters', 'comment': String.join('\n',hashusers), 'priority': 'normal', 'tags': ['reccurent', 'ops', 'internal']]];",
          "lang": "painless"
        }
      },
      "webhook": {
        "scheme": "https",
        "host": "hosthere",
        "port": 443,
        "method": "post",
        "path": "/apipathgoeshere/",
        "params": {},
        "headers": {
          "Content-Type": "application/json"
        },
        "auth": {
          "basic": {
            "username": "usernamehere",
            "password": "passwordhere"
          }
        },
        "body": "{{#toJson}}ctx.payload{{/toJson}}"
      }
    }
  }
}


(Maxime Poirier Journault) #2

[screenshot: chrome_2018-02-12_14-14-09]


(Alexander Reelsen) #3

Can you use the Execute Watch API and paste the output here? Otherwise it is super hard to help without having further information.

My current guess is that one of your lastIndexOf or substring calls uses a wrong offset.


(Maxime Poirier Journault) #4

The output can't really be pasted here. That being said,

hits.total: 283861, this looks suspicious :thinking:

  "condition": {
    "type": "compare",
    "status": "success",
    "met": true,
    "compare": {
      "resolved_values": {
        "ctx.payload.hits.total": 283861
      }
    }
  },
  "actions": [
    {
      "id": "Create_zendesk_ticket",
      "type": "webhook",
      "status": "failure",
      "transform": {
        "type": "script",
        "status": "failure",
        "reason": "ScriptException[runtime error]; nested: StringIndexOutOfBoundsException[String index out of range: -1]; "
      },
      "reason": "Failed to transform payload"
    }
  ]
},
"messages": []
}
}


(Alexander Reelsen) #5

Please use something like gist or pastebin or paste the full watch.

Also, please try to run the search query first in isolation to see if it matches your expectations. In this example you seem to run OR-combined queries in the query_string query, which could explain that many results.

When pasting the execute watch API response, others can see the search response, making it easier to see why your script failed.


(Maxime Poirier Journault) #6

Here is a pastebin:

https://pastebin.com/2C2LqyHg


(Maxime Poirier Journault) #7

I reworked my watch. Now I'm getting the expected number of results. That being said, I'm still getting

"reason": "ScriptException[runtime error]; nested: StringIndexOutOfBoundsException[String index out of range: -1]; "

You can see the _execute result above in the pastebin link :frowning:


(Alexander Reelsen) #8

Your field is named Message, while you referred to it in the script you provided as message. Field names are case sensitive.

The out-of-bounds exception could result from a couple of calls, as you don't do any checking on length or content before using substring or lastIndexOf, which are the most likely candidates.

The transform does not properly bubble up our awesome Painless exceptions. If you put the script for testing into the condition, you should be able to see a proper stack trace showing where exactly the script failed.

--Alex


(Alexander Reelsen) #9

Out of curiosity: what ES version are you running on?


(Maxime Poirier Journault) #10

Hi Alexander,

We're running 5.3 in prod. We're migrating to 6.1.1 tonight :blush: That being said, if you look at the pastebin again, there are 2 fields named "message". One is lower case and the other one is upper case. The information I'm looking for is in the lower-case one :smiley:


(Alexander Reelsen) #11

Hope everything went well. The reason I asked is that, starting from ES 6.1, we will have proper exceptions for scripting issues, so it should be super simple to find the offending code snippet when you call the execute watch API.

--Alex


(Maxime Poirier Journault) #13

I finally managed to figure it out... I removed the unnecessary .substring:

users.add(item['cluster'].substring(start_i,end_i))

for

users.add(item['cluster'])

Working as expected now :star_struck:
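
A defensive version of the transform script, added here as an illustration (it is not code from the thread or from Elastic): it reads the lower-case message field, checks every indexOf result before calling substring, and skips hits where the marker is missing, which is the case that produces a -1 index. Field names, marker strings and ticket fields come from the original watch; the rest (marker offsets, per-cluster comment format) is assumed.

```painless
// Added example, not from the original post. Field names are case sensitive:
// the event text lives in "message", not "Message" (see post #8 / #10).
def marker = 'SAM Account Name:';
def terminator = 'Display Name';
def items = ctx.payload.hits.hits.collect(item -> [
  'cluster': item._source.cluster,
  'message': item._source.message
]);
def users = new HashSet();           // de-duplicates directly, no second copy needed
for (item in items) {
  def msg = item['message'];
  if (msg == null) {
    continue;                        // hit without the field: nothing to parse
  }
  int start = msg.indexOf(marker);
  if (start < 0) {
    continue;                        // marker absent: the original script fed -1 to substring here
  }
  start += marker.length();          // skip past the label itself
  int end = msg.indexOf(terminator, start);
  if (end < 0) {
    end = msg.length();              // no terminator after the marker: take the rest of the message
  }
  String user = msg.substring(start, end).trim();
  if (user.length() > 0) {
    users.add(item['cluster'] + ': ' + user);
  }
}
return ['ticket': [
  'body': items,
  'requester': ['name': 'Ops Internal', 'email': '%emailhere%'],
  'subject': 'An account was created on the following clusters',
  'comment': String.join('\n', users),
  'priority': 'normal',
  'tags': ['recurrent', 'ops', 'internal']
]];
```

Put the same script into the watch condition while testing, as suggested in post #8, to get the full stack trace if a hit still fails to parse.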


(system) #14

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.