Karrie_Koo
(Karrie Koo)
November 7, 2019, 7:54am
1
If I want to change the category watcher.logging.bppm.(Minor) based on different log Message IDs, how can I do it?
"actions": {
  "log_error": {
    "logging": {
      "category": "watcher.logging.bppm.Minor",
      "level": "info",
      "text": "Found {{ctx.payload.hits.total}} stuck thread in the logs (EAP)\n{{#ctx .payload.hits.hits}}[MINOR] {{_source.wlstimestamp}} {{_source.hostname}} {{_source.wlsdomain}} {{_source.wlsname}} {{_source.msgId}}\n{{/ctx.payload.hits.hits}}"
    }
  }
}
It means when ctx.results[0]._source.msgId == BEA-310003, then the category becomes watcher.logging.bppm.Critical.
Many thanks if you can help
spinscale
(Alexander Reelsen)
November 7, 2019, 8:58am
2
The category is static text at the moment and thus can only be set when the watch is created.
However, a potential workaround could be the use of conditional actions, where you have two logger actions with different categories and only based on the condition one of those actions is called.
See https://www.elastic.co/guide/en/elasticsearch/reference/7.4/action-conditions.html on how to add conditions to actions.
Karrie_Koo
(Karrie Koo)
November 7, 2019, 9:25am
3
{
"trigger": {
"schedule": {
"interval": "20s"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"eap_wls_server*",
":eap_wls_server "
],
"types": ,
"body": {
"size": 100,
"query": {
"bool": {
"must": [
{
"range": {
"@timestamp ": {
"gte": "now-15m/m",
"lte": "now"
}
}
},
{
"simple_query_string": {
"query": "(OutOfMemoryError) | (000112) | (310006) | (090078) | (040028) | (040507) | (281016) | (280061)",
"fields": [
"logMessage",
"msgId"
]
}
}
]
}
},
"sort": [
{
"@timestamp ": {
"order": "desc"
}
}
]
}
}
}
},
"condition": { "script": {
"source": "def Serverity = ['Critical', 'Major', 'Minor']; if (BEA-310003) {Severity = Critical;} else if (BEA-000112) { Serverity = Major;} else if (BEA-310006) {Severity = Critical;} else if (ctx.results[0]._source.msgId == BEA-090078) {Severity = Critical;} else if (ctx.results[0]._source.msgId == BEA-040028) {Severity = Critical;} else if (ctx.results[0]._source.msgId == BEA-040507) {Serverity = Major;} else if (ctx.results[0]._source.msgId == BEA-281016) {Severity = Critical;} else if (ctx.results[0]._source.msgId == BEA-280061) {Severity = Critical;}}",
"lang": "painless"
},
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"log_error": {
"transform": {
"script": {
"source": "return [ctx.playload.Severity]",
"lang": "painless"
}
},
"logging": {
"category": "watcher.logging.bppm.{{ctx.playload.Severity}}",
"level": "info",
"text": "Found {{ctx.payload.hits.total}} stuck thread in the logs (EAP)\n{{#ctx .payload.hits.hits}}[ctx.playload.Severity {{_source.wlstimestamp}} {{_source.hostname}} {{_source.wlsdomain}} {{_source.wlsname}} {{_source.msgId}}\n{{/ctx.payload.hits.hits}}"
}
},
"email_alert": {
"email": {
"profile": "standard",
"to": [
"'Karrie KOO kks629@ha.org.hk '"
],
"subject": "{{ctx.payload.hits.hits.0._source.hostname}} {{ctx.payload.hits.hits.0._source.wlstimestamp}} {{ctx.payload.hits.hits.0._source.wlsdomain}} {{ctx.payload.hits.hits.0._source.wlsname}} {{ctx.payload.hits.hits.0._source.msgId}} [No. of Matched Pattern: {{ctx.payload.hits.total}}]",
"body": {
"html": "
{{#ctx .payload.hits.hits}} Host : {{_source.hostname}} Date : {{_source.wlstimestamp}} Domain : {{_source.wlsdomain}} Managed Server : {{_source.wlsname}} Monitoring Pattern : {{_source.msgId}} Log Message : {{_source.logMessage}}
{{/ctx.payload.hits.hits}} "
}
}
}
}
}
Karrie_Koo
(Karrie Koo)
November 7, 2019, 9:26am
4
Thanks so much
This is my script and it results in an internal error.
How can I fix it? /_\
spinscale
(Alexander Reelsen)
November 7, 2019, 9:30am
5
As I wrote in my previous reply, you cannot use mustache in the logger category, and this is why you need to use a conditional action.
Karrie_Koo
(Karrie Koo)
November 8, 2019, 1:52am
6
"transform" : {
"script" : {
"source" : "def vars = ctx.vars ; ctx.vars.severity = ['Critical', 'Major', 'Minor'];if (BEA-310003) {ctx.vars.severity = Critical}",
"lang": "painless"
}
},
"actions": {
"log_error": {
"logging": {
"category": "watcher.logging.bppm.{{ctx.vars.Severity}}",
"level": "info",
"text": "Found {{ctx.payload.hits.total}} stuck thread in the logs (EAP)\n{{#ctx .payload.hits.hits}}[MINOR] {{_source.wlstimestamp}} {{_source.hostname}} {{_source.wlsdomain}} {{_source.wlsname}} {{_source.msgId}}\n{{/ctx.payload.hits.hits}}"
}
},
I have tried to use a conditional action, but it is still not working.
spinscale
(Alexander Reelsen)
November 8, 2019, 9:00am
7
I do not see a condition in your last code sample, please always provide the full watch. Thanks!
Karrie_Koo
(Karrie Koo)
November 8, 2019, 9:12am
8
{
"trigger": {
"schedule": {
"interval": "20s"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"eap_wls_server*",
":eap_wls_server "
],
"types": ,
"body": {
"size": 100,
"query": {
"bool": {
"must": [
{
"range": {
"@timestamp ": {
"gte": "now-15m/m",
"lte": "now"
}
}
},
{
"simple_query_string": {
"query": "(OutOfMemoryError) | (000112) | (310006) | (090078) | (040028) | (040507) | (281016) | (280061)",
"fields": [
"logMessage",
"msgId"
]
}
}
]
}
},
"sort": [
{
"@timestamp ": {
"order": "desc"
}
}
]
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"transform" : {
"script" : {
"source" : {
"playload": "Severity: [ 'Critical', 'Major', 'Minor']",
"lang": "painless"
}
}
},
"actions": {
"log_error": {
"condition": {
"script" : "if (BEA-310003) {ctx.playload.Severity = Critical;} else if (BEA-000112) { ctx.playload.Severity = Major;} else if (BEA-310006) {ctx.playload.Severity = Critical;} else if (BEA-090078) {ctx.playload.Severity = Critical;} else if (BEA-040028) {ctx.playload.Severity = Critical;} else if (BEA-040507) {ctx.playload.Severity = Major;} else if (BEA-281016) {ctx.playload.Severity = Critical;} else if (BEA-280061) {ctx.playload.Severity = Critical;}}"
},
"logging": {
"category": "watcher.logging.bppm.NONE",
"level": "info",
"text": "Found {{ctx.payload.hits.total}} stuck thread in the logs (EAP)\n{{#ctx .payload.hits.hits}}[{{ctx.playload.Severity}}] {{_source.wlstimestamp}} {{_source.hostname}} {{_source.wlsdomain}} {{_source.wlsname}} {{_source.msgId}}\n{{/ctx.payload.hits.hits}}"
}
},
"email_alert": {
"email": {
"profile": "standard",
"to": [
"'Karrie KOO kks629@ha.org.hk '"
],
"subject": "{{ctx.payload.hits.hits.0._source.hostname}} {{ctx.payload.hits.hits.0._source.wlstimestamp}} {{ctx.payload.hits.hits.0._source.wlsdomain}} {{ctx.payload.hits.hits.0._source.wlsname}} {{ctx.payload.hits.hits.0._source.msgId}} [No. of Matched Pattern: {{ctx.payload.hits.total}}]",
"body": {
"html": "
{{#ctx .payload.hits.hits}} Host : {{_source.hostname}} Date : {{_source.wlstimestamp}} Domain : {{_source.wlsdomain}} Managed Server : {{_source.wlsname}} Monitoring Pattern : {{_source.msgId}} Log Message : {{_source.logMessage}}
{{/ctx.payload.hits.hits}} "
}
}
}
}
}
spinscale
(Alexander Reelsen)
November 8, 2019, 9:48am
9
Please take the time to properly format your message. This is super hard to read.
A condition in an action needs to return true or false. Setting anything in the payload will not have any effect.
"actions" : {
  "logging_cat_foo" : {
    "condition" : {
      "script" : "return ctx.payload.foo == 'foo'"
    },
    "logging" : {
      "category" : "foo",
      "text" : "This is foo"
    }
  },
  "logging_cat_bar" : {
    "condition" : {
      "script" : "return ctx.payload.foo != 'foo'"
    },
    "logging" : {
      "category" : "bar",
      "text" : "This is bar"
    }
  }
}
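Applied to the watch in this thread, the conditional-action approach could look like the following (an added example, not code from either poster). It takes the msgId-to-severity mapping from the script posted above, assumes msgId is stored as values such as BEA-310003, uses hypothetical action names, and picks the highest severity present among the hits so that exactly one logging action runs per execution.

```json
{
  "metadata": { "note": "Added example, not from the thread. Assumes msgId is stored as 'BEA-nnnnnn'; action names are illustrative." },
  "actions": {
    "log_critical": {
      "condition": { "script": {
        "lang": "painless",
        "source": "return ctx.payload.hits.hits.stream().anyMatch(h -> params.critical.contains(h._source.msgId))",
        "params": { "critical": ["BEA-310003", "BEA-310006", "BEA-090078", "BEA-040028", "BEA-281016", "BEA-280061"] }
      } },
      "logging": {
        "category": "watcher.logging.bppm.Critical",
        "level": "info",
        "text": "[CRITICAL] Found {{ctx.payload.hits.total}} matching log entries (EAP)\n{{#ctx.payload.hits.hits}}{{_source.wlstimestamp}} {{_source.hostname}} {{_source.wlsdomain}} {{_source.wlsname}} {{_source.msgId}}\n{{/ctx.payload.hits.hits}}"
      }
    },
    "log_major": {
      "condition": { "script": {
        "lang": "painless",
        "source": "def hits = ctx.payload.hits.hits; return !hits.stream().anyMatch(h -> params.critical.contains(h._source.msgId)) && hits.stream().anyMatch(h -> params.major.contains(h._source.msgId))",
        "params": {
          "critical": ["BEA-310003", "BEA-310006", "BEA-090078", "BEA-040028", "BEA-281016", "BEA-280061"],
          "major": ["BEA-000112", "BEA-040507"]
        }
      } },
      "logging": {
        "category": "watcher.logging.bppm.Major",
        "level": "info",
        "text": "[MAJOR] Found {{ctx.payload.hits.total}} matching log entries (EAP)\n{{#ctx.payload.hits.hits}}{{_source.wlstimestamp}} {{_source.hostname}} {{_source.wlsdomain}} {{_source.wlsname}} {{_source.msgId}}\n{{/ctx.payload.hits.hits}}"
      }
    },
    "log_minor": {
      "condition": { "script": {
        "lang": "painless",
        "source": "return !ctx.payload.hits.hits.stream().anyMatch(h -> params.known.contains(h._source.msgId))",
        "params": { "known": ["BEA-310003", "BEA-310006", "BEA-090078", "BEA-040028", "BEA-281016", "BEA-280061", "BEA-000112", "BEA-040507"] }
      } },
      "logging": {
        "category": "watcher.logging.bppm.Minor",
        "level": "info",
        "text": "[MINOR] Found {{ctx.payload.hits.total}} matching log entries (EAP)\n{{#ctx.payload.hits.hits}}{{_source.wlstimestamp}} {{_source.hostname}} {{_source.wlsdomain}} {{_source.wlsname}} {{_source.msgId}}\n{{/ctx.payload.hits.hits}}"
      }
    }
  }
}
```

Each condition script only returns true or false; the category stays a static string per action, and hits with an unlisted msgId (for example OutOfMemoryError matches) fall through to the Minor action.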
system
(system)
Closed
December 6, 2019, 9:48am
10
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.