Watcher query

Dear Team,

After searching for monitor.status: down, we wanted to add an extra output to Slack so that we know which host we received it for. Is that possible?

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "heartbeat-*"
        ],
        "types": [],
        "body": {
          "size": 5,
          "query": {
            "match": {
              "monitor.status": "down"
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 5
      }
    }
  },
  "actions": {
    "notify-slack": {
      "slack": {
        "account": "monitor",
        "message": {
          "from": "watcher",
          "to": [
            "elk"
          ],
          "text": "Core-Service Down:",
          "attachments": [
            {
              "color": "danger",
              "title": "Core-Service Down for customer:",
              "text": ""
            }
          ]
        }
      }
    }
  }
}

Hey @yasin,

The docs for Slack actions give examples of how to inject data from your watcher input into the action itself. Check the bottom of this page: https://www.elastic.co/guide/en/elastic-stack-overview/7.1/actions-slack.html
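An added example, not part of either post above: the `actions` section of the watch rewritten so that each returned hit becomes its own Slack attachment through `dynamic_attachments`. The field names `monitor.name` and `url.full` are assumptions about the Heartbeat documents; substitute whichever fields identify the host in your index. Only the hits actually returned by the search (here `size: 5`) are listed.

```json
{
  "actions": {
    "notify-slack": {
      "slack": {
        "account": "monitor",
        "message": {
          "from": "watcher",
          "to": [
            "elk"
          ],
          "text": "Core-Service Down: {{ctx.payload.hits.total}} matching events",
          "dynamic_attachments": {
            "list_path": "ctx.payload.hits.hits",
            "attachment_template": {
              "color": "danger",
              "title": "Core-Service Down for customer: {{_source.monitor.name}}",
              "text": "{{_source.url.full}} reported status {{_source.monitor.status}}"
            }
          }
        }
      }
    }
  }
}
```

Inside `attachment_template`, placeholders are resolved relative to each element of `list_path`, so `_source` refers to one search hit at a time.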
