Watcher Hits in Script Params

luke.snyder · September 22, 2017, 7:25pm

I am attempting to pass some fields from the hits generated by a watch to a painless script so I can index a subset of the fields. Ultimately I would like to be able to pass n number of parameters to the script and have it return them all so that I don't have to write a script for each watch.

Here is my first attempt

"actions": {
    "index_events": {
      "transform": {
        "script": {
            "id": "test",
            "params": {
                "s": "ctx.payload.hits.hits.0._source.src"
            }
        }
      },
      "index": {
        "index": "events",
        "doc_type": "event"
      }
    }
  }

and my second

"actions": {
    "index_events": {
      "transform": {
        "script": {
            "id": "test",
            "params": {
                "s": "{{ctx.payload.hits.hits.0._source.src}}"
            }
        }
      },
      "index": {
        "index": "events",
        "doc_type": "event"
      }
    }
  }

And the script

GET _scripts/test
{
  "_id": "test",
  "found": true,
  "script": {
    "lang": "painless",
    "code": "return ['source': params.s]"
  }
}

And the results

{
  "took": 6,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "failed": 0
  },
  "hits": {
    "total": 2,
    "max_score": 1,
    "hits": [
      {
        "_index": "events",
        "_type": "event",
        "_id": "AV6rAe-0mBrfvrPng6_j",
        "_score": 1,
        "_source": {
          "source": "ctx.payload.hits.hits.0._source.src"
        }
      },
      {
        "_index": "events",
        "_type": "event",
        "_id": "AV6rAoSDmBrfvrPng_R4",
        "_score": 1,
        "_source": {
          "source": "{{ctx.payload.hits.hits.0._source.src}}"
        }
      }
    ]
  }
}

spinscale · October 2, 2017, 1:07pm

There is no need to pass parameters around, you have full access to the ctx field in a script transform anyway.

luke.snyder · October 2, 2017, 3:44pm

@spinscale Thanks for your response. For the sake of closing this and not have a Wisdom of the Ancients moment, this script I wrote does what I need. It should be fairly easy to extend to solve any need similar to mine.

ArrayList makeEvents(def fields, def hits) {
    ArrayList events = new ArrayList();
    for (hit in hits) {
        Map newHit = new HashMap();
        for (field in fields) {
            newHit[field] = hit._source[field];
        }
        events.add(newHit)
    }
    return events;
}
Map alert = new HashMap();
alert['description'] = ctx.metadata.description ?: 'No Description';
alert['name'] = ctx.metadata.name ?: 'No Name';
alert['type'] = params.type ?: 'Generic';
alert['severity'] = params.severity ?: 'Low';
alert['timestamp'] = ctx.execution_time;
alert['totalhits'] = ctx.payload.hits.total;
alert['events'] = makeEvents(params.fields, ctx.payload.hits.hits);
return alert;

And it is invoked like this

  "actions": {
    "index_events": {
      "transform": {
        "script": {
          "stored": "makealert",
          "params": {
            "fields": [
              "@timestamp",
              "src",
              "dst",
              "dpt",
              "act"
            ],
            "type": "Firewall"
          }
        }
      },
      "index": {
        "index": "events",
        "doc_type": "event"
      }
    }
  }

You can provide an arbitrary list of fields to extract and some metadata about the event and it will index that new data in the events index. An example of the indexed event would be like:

{
    "_index": "events",
    "_type": "event",
    "_id": "AV7OKPeImBrfvrPn9sDU",
    "_score": 1,
    "_source": {
        "totalhits": 92,
        "name": "Watching External DNS Servers",
        "description": "Watching for when clients attempt to use Google DNS for resolution",
        "type": "Firewall",
        "severity": "Low",
        "events": [{
                "@timestamp": "2017-09-29T15:02:06.141Z",
                "act": "denied",
                "hitCount": "1",
                "dst": "8.8.8.8",
                "src": "1.2.3.4",
                "dpt": "53"
            },
            {
                "@timestamp": "2017-09-29T15:02:04.250Z",
                "act": "denied",
                "hitCount": "1",
                "dst": "8.8.8.8",
                "src": "1.2.3.4",
                "dpt": "53"
            }
        ],
        "timestamp": "2017-09-29T15:02:23.560Z"
    }
}

system · October 30, 2017, 3:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Loop through "source": "['message': ctx.payload.hits.hits.0._source ]", Elasticsearch painless	1	1103	October 26, 2021
Watcher aggregation transform painless question Elasticsearch painless	1	263	November 25, 2022
Passing parameters to Painless script Elasticsearch	4	9771	March 16, 2017
Elastic Watcher Elasticsearch painless	1	125	April 17, 2024
Hashmaps in params Elasticsearch	3	1365	August 10, 2017

Watcher Hits in Script Params

Related Topics