Watcher parse an array

Hi all,

I'm trying to monitor some events with Watcher, but I can't find a way to parse the hits of the array below.

{
"watch_id": "inlined",
"node": "*************",
"state": "executed",
"status": {
"state": {
"active": true,
"timestamp": "2020-02-25T06:20:38.759Z"
},
"last_checked": "2020-02-25T06:20:38.760Z",
"last_met_condition": "2020-02-25T06:20:38.760Z",
"actions": {
"email_admin": {
"ack": {
"timestamp": "2020-02-25T06:20:38.759Z",
"state": "awaits_successful_execution"
},
"last_execution": {
"timestamp": "2020-02-25T06:20:38.760Z",
"successful": false,
"reason": ""
}
}
},
"execution_state": "executed",
"version": -1
},
"trigger_event": {
"type": "manual",
"triggered_time": "2020-02-25T06:20:38.760Z",
"manual": {
"schedule": {
"scheduled_time": "2020-02-25T06:20:38.760Z"
}
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"
"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-120m",
"lte": "now"
}
}
},
{
"terms": {
"event.code": [
"4728",
"4729"
]
}
}
]
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"metadata": {
"name": "Security Group",
"xpack": {
"type": "json"
}
},
"result": {
"execution_time": "2020-02-25T06:20:38.760Z",
"execution_duration": 690,
"input": {
"type": "search",
"status": "success",
"payload": {
"_shards": {
"total": 7,
"failed": 0,
"successful": 7,
"skipped": 0
},
"hits": {
"hits": [],
"total": 2,
"max_score": null
},
"took": 686,
"timed_out": false
},
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"
"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-120m",
"lte": "now"
}
}
},
{
"terms": {
"event.code": [
"4728",
"4729"
]
}
}
]
}
}
}
}
}
},
"condition": {
"type": "compare",
"status": "success",
"met": true,
"compare": {
"resolved_values": {
"ctx.payload.hits.total": 2
}
}
},
"actions": [
{
"id": "email_admin",
"type": "email",
"status": "failure",
"error": {
"root_cause": [
{
"type": "exception",
"reason": "foreach object [ctx.payload.hits.hits] was an empty list, could not run any action"
}
],
"type": "exception",
"reason": "foreach object [ctx.payload.hits.hits] was an empty list, could not run any action"
}
}
]
},
"messages":
}

Could you please use markdown to make your code easier to read? Also, could you provide the full Watcher query?

I'm using it like "foreach": "ctx.payload.hits.hits"

Yes, see below

{
  "trigger": {
"schedule": {
  "interval": "240m"
}
  },
  "input": {
"search": {
  "request": {
    "search_type": "query_then_fetch",
    "indices": [
      "xxxx-*"
    ],
    "rest_total_hits_as_int": true,
    "body": {
      "size": 0,
      "query": {
        "bool": {
          "filter": [
            {
              "range": {
                "@timestamp": {
                  "gte": "now-240m",
                  "lte": "now"
                }
              }
            },
            {
              "terms": {
                "event.action.keyword": [
                  "added-group-account-to",
                  "deleted-group-account-from"
                ]
              }
            }
          ]
        }
      }
    }
  }
}
  },
  "condition": {
"compare": {
  "ctx.payload.hits.total": {
    "gt": 0
  }
}
  },
  "actions": {
"email_admin": {
  "throttle_period_in_millis": 50000,
  "foreach" : "ctx.payload.hits.hits",
  "email": {
    "profile": "standard",
    "to": [
      "xxxxxxxx"
    ],
    "subject": "Warning: User Added to Security Enabled Group",
    "body": {
      "text": "The user {{ctx.payload._source.user.name}} was added to a security enabled group !"
    }
  }
}
  }
}

The result of this watcher execution:

    "ctx.payload.hits.total": 2
    foreach object [ctx.payload.hits.hits]  was an empty list, could not run any action

I had set `size` to 0 in the request body, so the search returned a hit count (`total: 2`) but no hit documents (`hits: []`); that was the problem.
Thanks


Was including "ctx.payload._source.user.name" in the mail body causing an error?

Because you can iterate over it with ctx.payload.hits.hits.0._source.user.name using a transform action.
