Watcher status Failure

I happened to install ELK 7.2 for testing purposes.
We came across the alert system (Watchers) but unfortunately we can't make it work.
Log file is in txt file (json format):
// [{"date":"19-07-2019 04:33:46pm","error":"Error","error_description":"Description"},{"date":"19-07-2019 04:49:43pm","error":"Error","error_description":"Description"},{"date":"21-07-2019 06:19:55pm","error":"Error","error_description":"Description"}]

We use Slack to print out the messages with
//"body": "{{ctx.payload.hits.hits.0._source.message}}",

This gives us this response
//"id" : "send_trigger",
"type" : "webhook",
"status" : "failure",
"reason" : "received [400] status code",
"body" : """date":"21-07-2019 07:33:16pm","error":"Error","error_description":"Description"},{"date":"21-07-2019 08:31:49pm","error":"Error","error_description":"Description"}]{"date":"22-07-2019 09:15:30am","error":"Error","error_description":"Description"}]ion"}]"""
},

This is the whole code and response we are getting.
Any help would be much appreciated.

https://pastebin.com/rWvjgmKf

It looks to me as if you do not properly format the message that you want to send to Slack. The message field of the first search result is

date":"21-07-2019 07:33:16pm","error":"Error","error_description":"Description"},{"date":"21-07-2019 08:31:49pm","error":"Error","error_description":"Description"}]{"date":"22-07-2019 09:15:30am","error":"Error","error_description":"Description"}]ion"}]

and this is sent exactly as is to Slack. This is not valid JSON and thus you are getting an error.

You can either construct the JSON yourself, or use the slack action instead.

--Alex
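
The failure described in the answer above, as an added example that is not part of the original thread: a log field pasted unchanged into a webhook body is not valid JSON, while building the body with a JSON encoder is. It assumes a Slack incoming webhook that accepts a JSON object with a `text` field; the helper names, the `{{message}}` placeholder and the length cap are hypothetical.

```python
import json

# Constructed sample: a shortened copy of the "message" value quoted in the thread.
SAMPLE_MESSAGE = ('date":"21-07-2019 07:33:16pm","error":"Error",'
                  '"error_description":"Description"}]')


def render_raw(template, message):
    """Stand-in for pasting the field into the body unchanged (hypothetical helper)."""
    return template.replace("{{message}}", message)


def render_encoded(message, max_len=3000):
    """Build the body with a JSON encoder so quotes and braces in the log are escaped.

    max_len is an assumed cap that keeps an oversized log line out of the alert.
    """
    text = message if len(message) <= max_len else message[:max_len] + "..."
    return json.dumps({"text": text})


def is_valid_json(body):
    """Return True if the receiving endpoint could parse the body as JSON."""
    try:
        json.loads(body)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    candidates = {
        "bare field as body": render_raw("{{message}}", SAMPLE_MESSAGE),
        "field inside hand-written quotes": render_raw(
            '{"text": "{{message}}"}', SAMPLE_MESSAGE),
        "JSON-encoded": render_encoded(SAMPLE_MESSAGE),
    }
    for name, body in candidates.items():
        print(f"{name}: valid={is_valid_json(body)}")
```

Wrapping the field in hand-written quotes fails as well, because the quotes inside the log line end the string early; log content should never decide the structure of the outgoing payload.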
