Watcher - how to call values out of the aggregation that triggers an alert into xml for a webhook action

Hi elastic community!

We have watcher alerts now hooked up to an internal alerting/ticketing system using webhook with an xml body. That is all working. I'm wondering how I can call values from the aggregations that trigger the alerts in the xml so that the alert titles/details have meaningful info. For example, if I look at watch history, here is a bucket. I'd want to format the xml to include the value and the key. For example:

Java heap usage is %value% on %key%

"doc_count": 3,
"memory": {
  "value": 72
},
"key": "node7"

That same data is available in the index we're creating with the index payload action of the watch. But I assume there is a way to grab the values that are triggering the webhook action at the time and insert them into the call within the xml body?

Can you help with this? I'm including the watch definition below. (yes, the threshold is 0, but that's just for testing. :))

Thanks,
Casie

PUT _watcher/watch/watch_jvmheapusedpercenttoxaptest
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          ".marvel-*"
        ],
        "search_type": "count",
        "body": {
          "query": {
            "filtered": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-2m",
                    "lte": "now"
                  }
                }
              }
            }
          },
          "aggs": {
            "minutes": {
              "date_histogram": {
                "field": "@timestamp",
                "interval": "minute"
              },
              "aggs": {
                "nodes": {
                  "terms": {
                    "field": "node.name.raw",
                    "size": 10,
                    "order": {
                      "memory": "desc"
                    }
                  },
                  "aggs": {
                    "memory": {
                      "avg": {
                        "field": "jvm.mem.heap_used_percent"
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "throttle_period": "30m",
  "condition": {
    "script": "if (ctx.payload.aggregations.minutes.buckets.size() == 0) return false; def latest = ctx.payload.aggregations.minutes.buckets[-1]; def node = latest.nodes.buckets[0]; return node && node.memory && node.memory.value >= 0;"
  },
  "actions": {
    "index_payload": {
      "index": {
        "index": "watch_jvmheapusedpercent",
        "doc_type": "watch_record"
      }
    },
    "xap_webhook": {
      "webhook": {
        "method": "POST",
        "host": "www.example.com",
        "port": 443,
        "scheme": "https",
        "headers": {
          "Content-Type": "application/xml",
          "accept": "text/xml"
        },
        "path": "/xap",
        "body": bunch of xml
      }
    }
  }
}

Hey Casie,

so the index action is just using ctx.payload as the document and indexes it into the watch_jvmheapusedpercent index. You can refer to that in the body by using "body" : "{{ctx.payload.path.to.value.you.want.to.refer}}".

Is that what you want, or did I misread your question?

--Alex
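
Applied to the watch above, as an added example that is not part of the original posts: an action-level script transform picks the same bucket the condition script checks and returns it under two hypothetical keys (`node_name`, `heap_pct`), which the body then references with the `{{ctx.payload...}}` syntax from the reply. The `<alert>` and `<title>` element names are placeholders for whatever the ticketing system expects, and the sketch assumes a Watcher version that supports transforms inside an action and Groovy scripts, as the condition in the watch does.

```json
"xap_webhook": {
  "transform": {
    "script": "def latest = ctx.payload.aggregations.minutes.buckets[-1]; def node = latest.nodes.buckets[0]; return [ node_name: node.key, heap_pct: node.memory.value ];"
  },
  "webhook": {
    "method": "POST",
    "host": "www.example.com",
    "port": 443,
    "scheme": "https",
    "headers": {
      "Content-Type": "application/xml",
      "accept": "text/xml"
    },
    "path": "/xap",
    "body": "<alert><title>Java heap usage is {{ctx.payload.heap_pct}} on {{ctx.payload.node_name}}</title></alert>"
  }
}
```

Because the transform sits inside the webhook action, the `index_payload` action still receives the full search payload. Node names come from indexed data, so verify that characters such as `&` and `<` in the key arrive escaped in the rendered XML.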

Yeah, that's what we ended up doing. Thanks for the response,
