Watcher @timestamp timezone

Hi there,

I can't figure out how to change the timestamp timezone in the watcher output I got.

Below is my watcher alert

{
  "trigger": {
    "schedule": {
      "interval": "15m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "metricbeat*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": [],
              "filter": [
                {
                  "query_string": {
                    "query": "*"
                  }
                },
                {
                  "match_phrase": {
                    "metricset.name": "event"
                  }
                },
                {
                  "match_phrase": {
                    "kubernetes.event.involved_object.kind": "Node"
                  }
                },
                {
                  "bool": {
                    "minimum_should_match": 1,
                    "should": [
                      {
                        "match_phrase": {
                          "kubernetes.event.reason": "NodeNotReady"
                        }
                      },
                      {
                        "match_phrase": {
                          "kubernetes.event.reason": "NodeReady"
                        }
                      }
                    ]
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "{{ctx.trigger.scheduled_time}}||-15m",
                      "lte": "{{ctx.trigger.scheduled_time}}",
                      "format": "strict_date_optional_time"
                    }
                  }
                }
              ],
              "should": [],
              "must_not": []
            }
          },
          "sort": [
            {
              "@timestamp": {
                "order": "desc",
                "unmapped_type": "boolean"
              }
            }
          ],
          "size": 5
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions": {
    "webhook_k8s_prod": {
      "webhook": {
        "scheme": "https",
        "host": "discordapp.com",
        "port": 443,
        "method": "post",
        "path": "api/webhooks/xxxxxx",
        "params": {},
        "headers": {},
        "body": """{ "content": "{{ctx.metadata.name}} alert triggered at {{ctx.payload.calctime}} - There are {{ctx.payload.hits.total}} NodeReady/NotReady log message on last 15 minutes on k8s : \n\n{{#ctx.payload.hits.hits}} {{_source.@timestamp}} : {{_source.kubernetes.event.message}}\n{{/ctx.payload.hits.hits}}"}"""
      }
    }
  },
  "transform": {
    "script": {
      "source": "def payload = ctx.payload; payload.calctime = Instant.ofEpochMilli(ctx.trigger.triggered_time.getMillis()).atZone(ZoneId.of('Europe/Paris')).format(DateTimeFormatter.ofPattern('dd/MM/yyyy HH:mm')); return payload;",
      "lang": "painless"
    }
  }
}

With the transform script, I'm able to define payload.calctime, but I can't find a way to do the same with the _source.@timestamp fields, which look like 2021-05-26T16:59:51.246Z; I would like to have them in the Europe/Paris format.

Any help would be appreciated.
Thanks

Keep in mind that the _source.@timestamp field is considered a string and needs to be converted to a date first in order to support date operations. You can try in your transform with DateTimeFormatter.ISO_OFFSET_DATE_TIME and see if that works (haven't tested myself).

--Alex

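One way to apply the suggestion above inside the watch-level transform, as an added example that is not part of the original thread. It assumes every hit's `@timestamp` is an ISO-8601 string like the one quoted in the question; `local_time` is a hypothetical field name introduced here for the action template.

```painless
// Added example: body of transform.script.source (lang: painless).
// 'local_time' is a hypothetical per-hit field, not an Elasticsearch field.
def paris = ZoneId.of('Europe/Paris');
// yyyy is the calendar year
def fmt = DateTimeFormatter.ofPattern('dd/MM/yyyy HH:mm:ss');

def payload = ctx.payload;

// Same trigger-time conversion the watch already performs
payload.calctime = Instant.ofEpochMilli(ctx.trigger.triggered_time.getMillis())
    .atZone(paris)
    .format(fmt);

for (def hit : payload.hits.hits) {
  def raw = hit._source['@timestamp'];

  // _source values arrive as plain strings; mark hits without a usable one
  if (raw == null || !(raw instanceof String)) {
    hit._source.local_time = 'n/a';
    continue;
  }

  // Parse the UTC string (e.g. 2021-05-26T16:59:51.246Z), then express the
  // same instant in Paris time so DST is applied by the zone rules
  ZonedDateTime utc = ZonedDateTime.parse(raw, DateTimeFormatter.ISO_OFFSET_DATE_TIME);
  hit._source.local_time = utc.withZoneSameInstant(paris).format(fmt);
}

return payload;
```

In the webhook body, the per-hit line would then reference `{{_source.local_time}}` in place of `{{_source.@timestamp}}`. The original `@timestamp` value is left untouched, so the UTC time remains available for correlating the alert with other logs.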