Watcher Hits in Script Params

I am attempting to pass some fields from the hits generated by a watch to a painless script so I can index a subset of the fields. Ultimately I would like to be able to pass n number of parameters to the script and have it return them all so that I don't have to write a script for each watch.

Here is my first attempt

"actions": {
    "index_events": {
      "transform": {
        "script": {
            "id": "test",
            "params": {
                "s": "ctx.payload.hits.hits.0._source.src"
            }
        }
      },
      "index": {
        "index": "events",
        "doc_type": "event"
      }
    }
  }

and my second

"actions": {
    "index_events": {
      "transform": {
        "script": {
            "id": "test",
            "params": {
                "s": "{{ctx.payload.hits.hits.0._source.src}}"
            }
        }
      },
      "index": {
        "index": "events",
        "doc_type": "event"
      }
    }
  }

And the script

GET _scripts/test
{
  "_id": "test",
  "found": true,
  "script": {
    "lang": "painless",
    "code": "return ['source': params.s]"
  }
}

And the results

{
  "took": 6,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "failed": 0
  },
  "hits": {
    "total": 2,
    "max_score": 1,
    "hits": [
      {
        "_index": "events",
        "_type": "event",
        "_id": "AV6rAe-0mBrfvrPng6_j",
        "_score": 1,
        "_source": {
          "source": "ctx.payload.hits.hits.0._source.src"
        }
      },
      {
        "_index": "events",
        "_type": "event",
        "_id": "AV6rAoSDmBrfvrPng_R4",
        "_score": 1,
        "_source": {
          "source": "{{ctx.payload.hits.hits.0._source.src}}"
        }
      }
    ]
  }
}

There is no need to pass parameters around, you have full access to the ctx field in a script transform anyway.

@spinscale Thanks for your response. For the sake of closing this and not having a Wisdom of the Ancients moment, this script I wrote does what I need. It should be fairly easy to extend to solve any need similar to mine.

// Copy only the requested fields out of each hit's _source into a new map,
// so the events index never receives fields that were not asked for.
ArrayList makeEvents(def fields, def hits) {
    ArrayList events = new ArrayList();
    for (hit in hits) {
        Map newHit = new HashMap();
        for (field in fields) {
            newHit[field] = hit._source[field];
        }
        events.add(newHit);
    }
    return events;
}
// Build the alert document. The Elvis operator (?:) supplies a default
// when the metadata entry or script parameter is absent.
Map alert = new HashMap();
alert['description'] = ctx.metadata.description ?: 'No Description';
alert['name'] = ctx.metadata.name ?: 'No Name';
alert['type'] = params.type ?: 'Generic';
alert['severity'] = params.severity ?: 'Low';
alert['timestamp'] = ctx.execution_time;
alert['totalhits'] = ctx.payload.hits.total;
alert['events'] = makeEvents(params.fields, ctx.payload.hits.hits);
return alert;

And it is invoked like this

  "actions": {
    "index_events": {
      "transform": {
        "script": {
          "stored": "makealert",
          "params": {
            "fields": [
              "@timestamp",
              "src",
              "dst",
              "dpt",
              "act"
            ],
            "type": "Firewall"
          }
        }
      },
      "index": {
        "index": "events",
        "doc_type": "event"
      }
    }
  }

You can provide an arbitrary list of fields to extract and some metadata about the event, and it will index that new data in the events index. An example of the indexed event looks like this:

{
    "_index": "events",
    "_type": "event",
    "_id": "AV7OKPeImBrfvrPn9sDU",
    "_score": 1,
    "_source": {
        "totalhits": 92,
        "name": "Watching External DNS Servers",
        "description": "Watching for when clients attempt to use Google DNS for resolution",
        "type": "Firewall",
        "severity": "Low",
        "events": [{
                "@timestamp": "2017-09-29T15:02:06.141Z",
                "act": "denied",
                "hitCount": "1",
                "dst": "8.8.8.8",
                "src": "1.2.3.4",
                "dpt": "53"
            },
            {
                "@timestamp": "2017-09-29T15:02:04.250Z",
                "act": "denied",
                "hitCount": "1",
                "dst": "8.8.8.8",
                "src": "1.2.3.4",
                "dpt": "53"
            }
        ],
        "timestamp": "2017-09-29T15:02:23.560Z"
    }
}

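Putting the pieces of the thread together, here is a complete watch in Kibana Console format. This is an added example, not code from the original posts: it stores the script under the name makealert and defines a watch that searches, fires when hits come back, and indexes the reduced alert document. The watch id external_dns, the firewall-* index pattern, the 5 minute schedule and the query terms are assumptions chosen to fit the metadata shown in the posted result; the request syntax is the 5.x form the thread itself uses (code in the stored script, stored in the transform), which later releases renamed to source and id.

```json
PUT _scripts/makealert
{
  "script": {
    "lang": "painless",
    "code": "Map alert = new HashMap(); alert['description'] = ctx.metadata.description ?: 'No Description'; alert['name'] = ctx.metadata.name ?: 'No Name'; alert['type'] = params.type ?: 'Generic'; alert['severity'] = params.severity ?: 'Low'; alert['timestamp'] = ctx.execution_time; alert['totalhits'] = ctx.payload.hits.total; List events = new ArrayList(); for (hit in ctx.payload.hits.hits) { Map e = new HashMap(); for (field in params.fields) { e[field] = hit._source[field]; } events.add(e); } alert['events'] = events; return alert;"
  }
}

PUT _xpack/watcher/watch/external_dns
{
  "metadata": {
    "name": "Watching External DNS Servers",
    "description": "Watching for when clients attempt to use Google DNS for resolution"
  },
  "trigger": {
    "schedule": { "interval": "5m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "firewall-*" ],
        "body": {
          "size": 500,
          "query": {
            "bool": {
              "filter": [
                { "term": { "dst": "8.8.8.8" } },
                { "term": { "dpt": "53" } },
                { "range": { "@timestamp": { "gte": "{{ctx.trigger.scheduled_time}}||-5m" } } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "actions": {
    "index_events": {
      "transform": {
        "script": {
          "stored": "makealert",
          "params": {
            "fields": [ "@timestamp", "src", "dst", "dpt", "act" ],
            "type": "Firewall",
            "severity": "Low"
          }
        }
      },
      "index": {
        "index": "events",
        "doc_type": "event"
      }
    }
  }
}
```

Two points worth checking before deploying something like this. First, mustache templating ({{...}}) is rendered in the search request body, as in the range filter above, but script params are handed to Painless as plain values; that is why both early attempts in the thread indexed the literal string rather than the source field, and why the working version reads ctx.payload directly inside the script. Second, the search input returns only the default 10 hits unless size is set in the body, so without it the events array holds at most 10 entries even when totalhits reports 92; set size to the largest batch you actually want copied. The fields parameter acts as an allow-list, so only the named fields ever reach the events index, which is the behaviour you want when the target index has a wider audience than the raw firewall logs.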