Watcher Timestamp showing in EPOCH

arunhk3 · September 1, 2021, 4:07pm

Hi All,

I was creating a watch in watcher which looks as below

{
  "trigger" : {
    "schedule" : {
      "interval" : "3h"
    }
  }
},
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "test_index*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "creationDate": {
                      "gte": "now-180m"
                    }
                  }
                }
              ],
              "must": [
                {
                  "term": {
                    "responseCode": "400"
                  }
                }
              ],
              "should": [
                {
                  "match_phrase": {
                    "apiName": "TEST_API"
                  }
                }
              ],
              "minimum_should_match": 1
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions": {
    "send_email": {
	    "email": {
        "profile": "standard",
        "from": "Alerts@xxxxxxxx.com",
        "to": [
          "recepient1@xxxxxxxx.com",
		  "recepeint2@xxxxxxxx.com"
        ],
        "subject": "ALERT: Alert for {{ctx.payload.hits.hits.0._source.apiName}} (Error: 400)",
        "body": {
          "html": "Total Failure In The Last 3 hours: <strong>{{ctx.payload.hits.total}}</strong> <br><br><strong><u>Quick Snapshot of failures</u></strong><br><br> <table><tr> <th>API_Name</th> <th>Transaction_Status</th>        <th>Response_Code</th>             <th>Creation_Date</th></tr> {{#ctx.payload.hits.hits}}<tr><td>{{_source.apiName}}</td><td>{{_source.status}}</td><td>{{_source.responseCode}}</td><td>{{_source.creationDate}}</td></tr>{{/ctx.payload.hits.hits}}</table><br>"
        }
      }
    }
  }
}

The email when fired captures the timestamp field as _source.creationDate and it returns it as 1630066569744.

But I need the result to be shown in MM/DD/YYYY HH:MM:SS in the timezone America/Alabama.

I am new to this and upon my research I came to know that I need to use script transform for it. So please guide me in the right direction as it would help me to a greater extent!

spinscale · September 2, 2021, 8:25am

Hey,

so if the original JSON value is a epoch date, you can use a transform to convert that date. This is from the top of my head and might need some refinement but shows the basic idea:

Instant.ofEpochMilli(1636314242323L).atZone(ZoneId.of("America/Chicago")).format(DateTimeFormatter.ISO_OFFSET_DATE_TIME)

arunhk3 · September 2, 2021, 5:05pm

Thanks for the reply!

But does it have to be used in a Script Transform? I am quite new to scripting and stuff, so do we have any samples to look at so that I could use it as a reference?

spinscale · September 3, 2021, 2:51pm

This repo might help: https://github.com/elastic/examples/tree/master/Alerting

system · October 1, 2021, 2:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher search for feild value in last 1mins Elasticsearch elastic-stack-alerting	2	1039	July 6, 2017
Elasticsearch watcher syntax Elasticsearch	2	1055	July 26, 2017
Watcher Assistance (ii) Elasticsearch elastic-stack-alerting	3	443	April 2, 2021
New to Watcher and trying to find examples Elasticsearch elastic-stack-alerting	3	503	June 28, 2018
Error creating a watch unexpected token [START_OBJECT]" Elasticsearch elastic-stack-alerting	4	3752	July 6, 2017

Watcher Timestamp showing in EPOCH

Related topics