Watcher one field value in a json array

Hey there, I am really new to Watcher and I was hoping someone could answer my question and help me as much as they can.

I am looking to set a watcher that will tell me when a DNS response name has been found in my "links" field. If they are a match then it should log / send email etc.

My question is, can a watcher find if the response is contained in the array? And if so, how exactly would one go about writing a watcher like that?
I read a bit about the chain watcher ability where I can basically search two different queries and if they match I can then alarm based on it. I took the skeleton that looks something along the lines of this but I am really unsure this will work :\

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "chain": {
      "inputs": [
        {
          "first": {
            "simple": {
              "Links": ""
            }
          }
        },
        {
          "second": {
            "simple": {
              "dns.question.name": ""
            }
          }
        }
      ]
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.second.value.equals(ctx.payload.first.value)"
    }
  },
  "actions": {
    "log": {
      "logging": {
        "text": "they are equal!"
      }
    }
  }
}

My custom Json Array - "Links"

My field of dns response field

Hey,

take a look at this example

POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "10h"
      }
    },
    "input": {
      "simple": {
        "first": {
          "dns": {
            "question": {
              "name": "example.org"
            }
          }
        },
        "second": {
          "links": [
            "https://www.test.de",
            "https://example.org/foo"
          ]
        }
      }
    },
    "condition": {
      "script": "return ctx.payload.second.links.stream().anyMatch(link -> link.contains(ctx.payload.first.dns.question.name))"
    },
    "actions": {
      "logme": {
        "logging": {
          "text": "{{ctx}}"
        }
      }
    }
  }
}

that should help to get you started

--Alex
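
The condition in the reply above tests each link with `contains`, which is a plain substring test. As an added example (Python, not code from this thread and not Watcher or Painless), the following compares that behaviour with a match on the parsed hostname; the function names and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: the two links from the reply plus edge cases.
LINKS = [
    "https://www.test.de",
    "https://example.org/foo",
    "https://example.org.cdn.test/",          # name is only a label prefix
    "https://portal.test/?next=example.org",  # name appears in the query
    "HTTPS://Example.ORG./bar",               # upper case, trailing dot
]

def link_host(link):
    """Return the normalised hostname of a link, or None if it has none."""
    # urlsplit only fills .hostname when '//' is present, so bare values
    # such as 'example.org/foo' get a '//' prefix first.
    if "//" not in link:
        link = "//" + link
    try:
        host = urlsplit(link).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    return host.lower().rstrip(".") if host else None

def substring_match(name, links):
    """Same semantics as the watch condition: link.contains(name)."""
    return [link for link in links if name in link]

def host_match(name, links, include_subdomains=False):
    """Match the DNS question name against each link's hostname only."""
    name = name.lower().rstrip(".")
    hits = []
    for link in links:
        host = link_host(link)
        if host is None:
            continue
        if host == name or (include_subdomains and host.endswith("." + name)):
            hits.append(link)
    return hits

if __name__ == "__main__":
    print("substring:", substring_match("example.org", LINKS))
    print("host     :", host_match("example.org", LINKS))
```

The substring test reports the two links that merely mention the name and misses the upper-case one; the hostname comparison returns only the links whose host is `example.org`.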
