Watcher Timestamp showing in EPOCH

arunhk3 · September 1, 2021, 4:07pm

Hi All,

I was creating a watch in watcher which looks as below

{
  "trigger" : {
    "schedule" : {
      "interval" : "3h"
    }
  }
},
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "test_index*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "creationDate": {
                      "gte": "now-180m"
                    }
                  }
                }
              ],
              "must": [
                {
                  "term": {
                    "responseCode": "400"
                  }
                }
              ],
              "should": [
                {
                  "match_phrase": {
                    "apiName": "TEST_API"
                  }
                }
              ],
              "minimum_should_match": 1
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions": {
    "send_email": {
	    "email": {
        "profile": "standard",
        "from": "Alerts@xxxxxxxx.com",
        "to": [
          "recepient1@xxxxxxxx.com",
		  "recepeint2@xxxxxxxx.com"
        ],
        "subject": "ALERT: Alert for {{ctx.payload.hits.hits.0._source.apiName}} (Error: 400)",
        "body": {
          "html": "Total Failure In The Last 3 hours: <strong>{{ctx.payload.hits.total}}</strong> <br><br><strong><u>Quick Snapshot of failures</u></strong><br><br> <table><tr> <th>API_Name</th> <th>Transaction_Status</th>        <th>Response_Code</th>             <th>Creation_Date</th></tr> {{#ctx.payload.hits.hits}}<tr><td>{{_source.apiName}}</td><td>{{_source.status}}</td><td>{{_source.responseCode}}</td><td>{{_source.creationDate}}</td></tr>{{/ctx.payload.hits.hits}}</table><br>"
        }
      }
    }
  }
}

The email when fired captures the timestamp field as _source.creationDate and it returns it as 1630066569744.

But I need the result to be shown in MM/DD/YYYY HH:MM:SS in the timezone America/Alabama.

I am new to this and upon my research I came to know that I need to use script transform for it. So please guide me in the right direction as it would help me to a greater extent!

spinscale · September 2, 2021, 8:25am

Hey,

so if the original JSON value is a epoch date, you can use a transform to convert that date. This is from the top of my head and might need some refinement but shows the basic idea:

Instant.ofEpochMilli(1636314242323L).atZone(ZoneId.of("America/Chicago")).format(DateTimeFormatter.ISO_OFFSET_DATE_TIME)

arunhk3 · September 2, 2021, 5:05pm

Thanks for the reply!

But does it have to be used in a Script Transform? I am quite new to scripting and stuff, so do we have any samples to look at so that I could use it as a reference?

spinscale · September 3, 2021, 2:51pm

This repo might help: https://github.com/elastic/examples/tree/master/Alerting

system · October 1, 2021, 2:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.