Watcher - issue with search templates

Mariusz_Zyla · November 7, 2017, 9:26am

Hi,

I'm trying to create a watcher with a chain input type as follow:

"input": {
    "chain": {
      "inputs": [
        {
          "constants": {
            "simple": {
              "host_name": "aassddcc.localdomain"
            }
          }
        },
        {
          "host_hits_check": {
            "search": {
              "request": {
                "search_type": "query_then_fetch",
                "indices": [
                  "metric*"
                ],
                "types": [],
                "template": {
                  "file": "host_hits_template",
                  "lang": "mustache",
                  "params": {
                    "host": "{{ctx.payload.constants.host_name}}"
                  }
                }
              }
            }
          }
        }
      ]
    }
  }

But in this case the value passed to the template is the exact value, the value is not substitute by the host_name from the input constants:

"host_hits_check": {
          "type": "search",
          "status": "success",
          "payload": {
            "_shards": {
              "total": 25,
              "failed": 0,
              "successful": 25,
              "skipped": 0
            },
            "hits": {
              "hits": [],
              "total": 0,
              "max_score": 0
            },
            "took": 10,
            "timed_out": false
          },
          "search": {
            "request": {
              "search_type": "query_then_fetch",
              "indices": [
                "metric*"
              ],
              "types": [],
              "body": {
                "size": 0,
                "query": {
                  "bool": {
                    "must": [
                      {
                        "range": {
                          "@timestamp": {
                            "gt": "now-2m"
                          }
                        }
                      },
                      {
                        "term": {
                          "host.keyword": "{{ctx.payload.constants.host_name}}"
                        }
                      }
                    ]
                  }
                },
                "sort": [
                  {
                    "@timestamp": {
                      "order": "desc"
                    }
                  }
                ]
              },
              "template": {
                "file": "host_hits_template",
                "lang": "mustache",
                "params": {
                  "host": "{{ctx.payload.constants.host_name}}"
                }
              }
            }
          }
        }

In other cases it works properly. For instance when I use a query instead of templates or I use a HTTP input type. The problem is only with passing a value to the parameter of the template.

I use the version 5.6.3 of Elasticsearch and X-Pack.

Do you have any idea how to deal with it ?

Thanks in advance,
Mariusz

spinscale · November 7, 2017, 12:40pm

hey,

what do you mean with in other cases in your reply? Can you elaborate what works?

I havent checked yet, but I'd assume, that resolving fields in the template part of a query does not work. This only works in the body part.

--Alex

Mariusz_Zyla · November 7, 2017, 1:08pm

Thanks Alex,
it works with the other input types. For example:

HTTP Input:

"http_action": {
            "http": {
              "request": {
                "scheme": "http",
                "host": "localhost",
                "port": 9200,
                "method": "get",
                "path": "{{ctx.payload.constants.path}}",
                "params": {},
                "headers": {}
              }
            }
          }

Search Input (query instead of template):

"host_hits_check": {
            "search": {
              "request": {
                "search_type": "query_then_fetch",
                "indices": [
                  "metric*"
                ],
                "types": [],
                "body": {
                  "query": {
                    "match": {
                      "host": "{{ctx.payload.constants.host_name}}"
                    }
                  }
                }
              }
            }
          }

It seems that your assumption is right that the resolving fields functionality does not work with the templates.

Mariusz

Topic		Replies	Views
Referencing a simple input from a different input in a watcher Elasticsearch elastic-stack-alerting	3	562	December 25, 2018
Watcher chain input example, use case Elasticsearch elastic-stack-alerting	4	5569	July 6, 2017
How to access simple input field from search input Elasticsearch	1	431	December 13, 2018
Watcher: How to use Mustache-Syntax/dynamic values from aggregations in chain-input Elasticsearch elastic-stack-alerting	2	1134	March 11, 2020
Watcher : parsing index to get values to be used in watchers Elasticsearch	3	368	October 24, 2022

Watcher - issue with search templates

Related topics