Watcher - issue with search templates

Mariusz_Zyla · November 7, 2017, 9:26am

Hi,

I'm trying to create a watcher with a chain input type as follow:

"input": {
    "chain": {
      "inputs": [
        {
          "constants": {
            "simple": {
              "host_name": "aassddcc.localdomain"
            }
          }
        },
        {
          "host_hits_check": {
            "search": {
              "request": {
                "search_type": "query_then_fetch",
                "indices": [
                  "metric*"
                ],
                "types": [],
                "template": {
                  "file": "host_hits_template",
                  "lang": "mustache",
                  "params": {
                    "host": "{{ctx.payload.constants.host_name}}"
                  }
                }
              }
            }
          }
        }
      ]
    }
  }

But in this case the value passed to the template is the exact value, the value is not substitute by the host_name from the input constants:

"host_hits_check": {
          "type": "search",
          "status": "success",
          "payload": {
            "_shards": {
              "total": 25,
              "failed": 0,
              "successful": 25,
              "skipped": 0
            },
            "hits": {
              "hits": [],
              "total": 0,
              "max_score": 0
            },
            "took": 10,
            "timed_out": false
          },
          "search": {
            "request": {
              "search_type": "query_then_fetch",
              "indices": [
                "metric*"
              ],
              "types": [],
              "body": {
                "size": 0,
                "query": {
                  "bool": {
                    "must": [
                      {
                        "range": {
                          "@timestamp": {
                            "gt": "now-2m"
                          }
                        }
                      },
                      {
                        "term": {
                          "host.keyword": "{{ctx.payload.constants.host_name}}"
                        }
                      }
                    ]
                  }
                },
                "sort": [
                  {
                    "@timestamp": {
                      "order": "desc"
                    }
                  }
                ]
              },
              "template": {
                "file": "host_hits_template",
                "lang": "mustache",
                "params": {
                  "host": "{{ctx.payload.constants.host_name}}"
                }
              }
            }
          }
        }

In other cases it works properly. For instance when I use a query instead of templates or I use a HTTP input type. The problem is only with passing a value to the parameter of the template.

I use the version 5.6.3 of Elasticsearch and X-Pack.

Do you have any idea how to deal with it ?

Thanks in advance,
Mariusz

spinscale · November 7, 2017, 12:40pm

hey,

what do you mean with in other cases in your reply? Can you elaborate what works?

I havent checked yet, but I'd assume, that resolving fields in the template part of a query does not work. This only works in the body part.

--Alex

Mariusz_Zyla · November 7, 2017, 1:08pm

Thanks Alex,
it works with the other input types. For example:

HTTP Input:

"http_action": {
            "http": {
              "request": {
                "scheme": "http",
                "host": "localhost",
                "port": 9200,
                "method": "get",
                "path": "{{ctx.payload.constants.path}}",
                "params": {},
                "headers": {}
              }
            }
          }

Search Input (query instead of template):

"host_hits_check": {
            "search": {
              "request": {
                "search_type": "query_then_fetch",
                "indices": [
                  "metric*"
                ],
                "types": [],
                "body": {
                  "query": {
                    "match": {
                      "host": "{{ctx.payload.constants.host_name}}"
                    }
                  }
                }
              }
            }
          }

It seems that your assumption is right that the resolving fields functionality does not work with the templates.

Mariusz

system · December 5, 2017, 1:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Referencing a simple input from a different input in a watcher Elasticsearch elastic-stack-alerting	3	509	December 25, 2018
Watcher chain input, matching result set not found in action results Elasticsearch elastic-stack-alerting	2	497	October 23, 2019
How to access simple input field from search input Elasticsearch	1	416	December 13, 2018
Watcher Timestamp showing in EPOCH Elasticsearch elastic-stack-alerting	4	903	October 1, 2021
Unable to parse custom X-pack watcher Elasticsearch	9	2150	June 11, 2018

Watcher - issue with search templates

Related topics