Watcher ignores metadata fields

agone · April 17, 2019, 9:00am

Hi,
I am trying to use some static data in my watch, but for some reason metadata fields are not being passed into watch configuration.
This is what I get in watch log:

{
  "watch_id": "test",
  "node": "QR_NojCGT3WwGhk8TL4mtw",
  "state": "execution_not_needed",
  "user": "admin",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2019-04-17T08:55:45.787Z"
    },
    "last_checked": "2019-04-17T08:56:45.424Z",
    "actions": {
      "log": {
        "ack": {
          "timestamp": "2019-04-17T08:55:45.787Z",
          "state": "awaits_successful_execution"
        }
      }
    },
    "execution_state": "execution_not_needed",
    "version": -1
  },
  "trigger_event": { ... },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "networklogs-cisco-{{ctx.metadata.index}}*",
          "networklogs-fortinet-{{ctx.metadata.index}}*"
        ],
        "types": [
          "doc"
        ],
        "body": {
          "size": 50,
          "_source": [
            "@timestamp",
            "message"
          ],
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "event.created": {
                      "gte": "now-{{ctx.metadata.time_window}}"
                    }
                  }
                },
                {
                  "term": {
                    "destination.port": 445
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "metadata": {
    "time_window": "60s",
    "index": "test",
    "message": "log works"
  },
  "result": {
    "execution_time": "2019-04-17T08:56:45.424Z",
    "execution_duration": 0,
    "input": {
      "type": "search",
      "status": "success",
      "payload": {
        "_shards": {
          "total": 0,
          "failed": 0,
          "successful": 0,
          "skipped": 0
        },
        "hits": {
          "hits": [],
          "total": 0,
          "max_score": 0
        },
        "took": 0,
        "timed_out": false
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "networklogs-cisco-{{ctx.metadata.index}}*",
            "networklogs-fortinet-{{ctx.metadata.index}}*"
          ],
          "types": [
            "doc"
          ],
          "body": {
            "size": 50,
            "_source": [
              "@timestamp",
              "message"
            ],
            "query": {
              "bool": {
                "filter": [
                  {
                    "range": {
                      "event.created": {
                        "gte": "now-60s"
                      }
                    }
                  },
                  {
                    "term": {
                      "destination.port": 445
                    }
                  }
                ]
              }
            }
          }
        }
      }
    },
    "condition": {
      "type": "compare",
      "status": "success",
      "met": false,
      "compare": {
        "resolved_values": {
          "ctx.payload.hits.total": 0
        }
      }
    },
    "actions": []
  },
  "messages": []
}

Any advice?

spinscale · April 18, 2019, 12:30am

hey,

currently only the body field of the search request gets templated, not the indices list. Feel free to open an issue about that in the Elasticsearch repository

For now, you will have to hardcode the index names instead of using metadata (which feels ok based on your sample, as the metadata is as static as the search input within the context of a watch).

--Alex

system · May 16, 2019, 12:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.