Watcher Hits in Script Params

luke.snyder · September 22, 2017, 7:25pm

I am attempting to pass some fields from the hits generated by a watch to a painless script so I can index a subset of the fields. Ultimately I would like to be able to pass n number of parameters to the script and have it return them all so that I don't have to write a script for each watch.

Here is my first attempt

"actions": {
    "index_events": {
      "transform": {
        "script": {
            "id": "test",
            "params": {
                "s": "ctx.payload.hits.hits.0._source.src"
            }
        }
      },
      "index": {
        "index": "events",
        "doc_type": "event"
      }
    }
  }

and my second

"actions": {
    "index_events": {
      "transform": {
        "script": {
            "id": "test",
            "params": {
                "s": "{{ctx.payload.hits.hits.0._source.src}}"
            }
        }
      },
      "index": {
        "index": "events",
        "doc_type": "event"
      }
    }
  }

And the script

GET _scripts/test
{
  "_id": "test",
  "found": true,
  "script": {
    "lang": "painless",
    "code": "return ['source': params.s]"
  }
}

And the results

{
  "took": 6,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "failed": 0
  },
  "hits": {
    "total": 2,
    "max_score": 1,
    "hits": [
      {
        "_index": "events",
        "_type": "event",
        "_id": "AV6rAe-0mBrfvrPng6_j",
        "_score": 1,
        "_source": {
          "source": "ctx.payload.hits.hits.0._source.src"
        }
      },
      {
        "_index": "events",
        "_type": "event",
        "_id": "AV6rAoSDmBrfvrPng_R4",
        "_score": 1,
        "_source": {
          "source": "{{ctx.payload.hits.hits.0._source.src}}"
        }
      }
    ]
  }
}

spinscale · October 2, 2017, 1:07pm

There is no need to pass parameters around, you have full access to the ctx field in a script transform anyway.

luke.snyder · October 2, 2017, 3:44pm

@spinscale Thanks for your response. For the sake of closing this and not have a Wisdom of the Ancients moment, this script I wrote does what I need. It should be fairly easy to extend to solve any need similar to mine.

ArrayList makeEvents(def fields, def hits) {
    ArrayList events = new ArrayList();
    for (hit in hits) {
        Map newHit = new HashMap();
        for (field in fields) {
            newHit[field] = hit._source[field];
        }
        events.add(newHit)
    }
    return events;
}
Map alert = new HashMap();
alert['description'] = ctx.metadata.description ?: 'No Description';
alert['name'] = ctx.metadata.name ?: 'No Name';
alert['type'] = params.type ?: 'Generic';
alert['severity'] = params.severity ?: 'Low';
alert['timestamp'] = ctx.execution_time;
alert['totalhits'] = ctx.payload.hits.total;
alert['events'] = makeEvents(params.fields, ctx.payload.hits.hits);
return alert;

And it is invoked like this

  "actions": {
    "index_events": {
      "transform": {
        "script": {
          "stored": "makealert",
          "params": {
            "fields": [
              "@timestamp",
              "src",
              "dst",
              "dpt",
              "act"
            ],
            "type": "Firewall"
          }
        }
      },
      "index": {
        "index": "events",
        "doc_type": "event"
      }
    }
  }

You can provide an arbitrary list of fields to extract and some metadata about the event and it will index that new data in the events index. An example of the indexed event would be like:

{
    "_index": "events",
    "_type": "event",
    "_id": "AV7OKPeImBrfvrPn9sDU",
    "_score": 1,
    "_source": {
        "totalhits": 92,
        "name": "Watching External DNS Servers",
        "description": "Watching for when clients attempt to use Google DNS for resolution",
        "type": "Firewall",
        "severity": "Low",
        "events": [{
                "@timestamp": "2017-09-29T15:02:06.141Z",
                "act": "denied",
                "hitCount": "1",
                "dst": "8.8.8.8",
                "src": "1.2.3.4",
                "dpt": "53"
            },
            {
                "@timestamp": "2017-09-29T15:02:04.250Z",
                "act": "denied",
                "hitCount": "1",
                "dst": "8.8.8.8",
                "src": "1.2.3.4",
                "dpt": "53"
            }
        ],
        "timestamp": "2017-09-29T15:02:23.560Z"
    }
}

system · October 30, 2017, 3:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Sending context variable values as a parameter to a stored script Elasticsearch	2	1185	October 9, 2018
Passing ctx fields to stored proc as parameter Elasticsearch elastic-stack-alerting	6	961	November 5, 2018
Unable to use ctx.payload.hits.hits.0._source in transform script Elasticsearch elastic-stack-alerting	3	2598	July 6, 2017
Watcher email to show every hit's message separately Elasticsearch elastic-stack-alerting	4	3655	July 6, 2017
Info from document in watcher alert Elasticsearch elastic-stack-alerting	3	976	July 6, 2017

Watcher Hits in Script Params

Related topics