Watcher ignores metadata fields

Hi,
I am trying to use some static data in my watch, but for some reason the metadata fields are not being substituted into the watch configuration.
This is what I get in the watch log:

{
  "watch_id": "test",
  "node": "QR_NojCGT3WwGhk8TL4mtw",
  "state": "execution_not_needed",
  "user": "admin",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2019-04-17T08:55:45.787Z"
    },
    "last_checked": "2019-04-17T08:56:45.424Z",
    "actions": {
      "log": {
        "ack": {
          "timestamp": "2019-04-17T08:55:45.787Z",
          "state": "awaits_successful_execution"
        }
      }
    },
    "execution_state": "execution_not_needed",
    "version": -1
  },
  "trigger_event": { ... },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "networklogs-cisco-{{ctx.metadata.index}}*",
          "networklogs-fortinet-{{ctx.metadata.index}}*"
        ],
        "types": [
          "doc"
        ],
        "body": {
          "size": 50,
          "_source": [
            "@timestamp",
            "message"
          ],
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "event.created": {
                      "gte": "now-{{ctx.metadata.time_window}}"
                    }
                  }
                },
                {
                  "term": {
                    "destination.port": 445
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "metadata": {
    "time_window": "60s",
    "index": "test",
    "message": "log works"
  },
  "result": {
    "execution_time": "2019-04-17T08:56:45.424Z",
    "execution_duration": 0,
    "input": {
      "type": "search",
      "status": "success",
      "payload": {
        "_shards": {
          "total": 0,
          "failed": 0,
          "successful": 0,
          "skipped": 0
        },
        "hits": {
          "hits": [],
          "total": 0,
          "max_score": 0
        },
        "took": 0,
        "timed_out": false
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "networklogs-cisco-{{ctx.metadata.index}}*",
            "networklogs-fortinet-{{ctx.metadata.index}}*"
          ],
          "types": [
            "doc"
          ],
          "body": {
            "size": 50,
            "_source": [
              "@timestamp",
              "message"
            ],
            "query": {
              "bool": {
                "filter": [
                  {
                    "range": {
                      "event.created": {
                        "gte": "now-60s"
                      }
                    }
                  },
                  {
                    "term": {
                      "destination.port": 445
                    }
                  }
                ]
              }
            }
          }
        }
      }
    },
    "condition": {
      "type": "compare",
      "status": "success",
      "met": false,
      "compare": {
        "resolved_values": {
          "ctx.payload.hits.total": 0
        }
      }
    },
    "actions": []
  },
  "messages": []
}

Any advice?

hey,

Currently only the `body` field of the search request gets templated, not the `indices` list. You can see this in your own log: in `result.input.search.request`, the body shows `now-60s` resolved from `ctx.metadata.time_window`, while `indices` still contains the raw `{{ctx.metadata.index}}` placeholders. Feel free to open an issue about that in the Elasticsearch repository.

For now, you will have to hard-code the index names instead of using metadata (which seems acceptable based on your sample, as the metadata is as static as the search input within the context of a watch).

--Alex

