Watcher trigger payload

If I want to change the category watcher.logging.bppm.(Minor) based on different log Message IDs, how can I do that?

"actions": {
"log_error": {
"logging": {
"category": "watcher.logging.bppm.Minor",
"level": "info",
"text": "Found {{ctx.payload.hits.total}} stuck thread in the logs (EAP)\n{{#ctx.payload.hits.hits}}[MINOR] {{_source.wlstimestamp}} {{_source.hostname}} {{_source.wlsdomain}} {{_source.wlsname}} {{_source.msgId}}\n{{/ctx.payload.hits.hits}}"
}

It means when ctx.results[0]._source.msgId == BEA-310003, then the category becomes watcher.logging.bppm.Critical.

Many thanks if you can help

The category is a static text at the moment and thus can only be set when the watch is created.

However, a potential workaround could be the use of conditional actions, where you have two logger actions with different categories and only based on the condition one of those actions is called.

See https://www.elastic.co/guide/en/elasticsearch/reference/7.4/action-conditions.html on how to add conditions to actions.

{
"trigger": {
"schedule": {
"interval": "20s"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"eap_wls_server*",
":eap_wls_server"
],
"types": ,
"body": {
"size": 100,
"query": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gte": "now-15m/m",
"lte": "now"
}
}
},
{
"simple_query_string": {
"query": "(OutOfMemoryError) | (000112) | (310006) | (090078) | (040028) | (040507) | (281016) | (280061)",
"fields": [
"logMessage",
"msgId"
]
}
}
]
}
},
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}
}
}
},
"condition": { "script": {
"source": "def Serverity = ['Critical', 'Major', 'Minor']; if (BEA-310003) {Severity = Critical;} else if (BEA-000112) { Serverity = Major;} else if (BEA-310006) {Severity = Critical;} else if (ctx.results[0]._source.msgId == BEA-090078) {Severity = Critical;} else if (ctx.results[0]._source.msgId == BEA-040028) {Severity = Critical;} else if (ctx.results[0]._source.msgId == BEA-040507) {Serverity = Major;} else if (ctx.results[0]._source.msgId == BEA-281016) {Severity = Critical;} else if (ctx.results[0]._source.msgId == BEA-280061) {Severity = Critical;}}",
"lang": "painless"
},
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"log_error": {
"transform": {
"script": {
"source": "return [ctx.playload.Severity]",
"lang": "painless"
}
},
"logging": {
"category": "watcher.logging.bppm.{{ctx.playload.Severity}}",
"level": "info",
"text": "Found {{ctx.payload.hits.total}} stuck thread in the logs (EAP)\n{{#ctx.payload.hits.hits}}[ctx.playload.Severity {{_source.wlstimestamp}} {{_source.hostname}} {{_source.wlsdomain}} {{_source.wlsname}} {{_source.msgId}}\n{{/ctx.payload.hits.hits}}"
}
},
"email_alert": {
"email": {
"profile": "standard",
"to": [
"'Karrie KOO kks629@ha.org.hk'"
],
"subject": "{{ctx.payload.hits.hits.0._source.hostname}} {{ctx.payload.hits.hits.0._source.wlstimestamp}} {{ctx.payload.hits.hits.0._source.wlsdomain}} {{ctx.payload.hits.hits.0._source.wlsname}} {{ctx.payload.hits.hits.0._source.msgId}} [No. of Matched Pattern: {{ctx.payload.hits.total}}]",
"body": {
"html": "

  1. {{#ctx.payload.hits.hits}} Host: {{_source.hostname}}

    Date: {{_source.wlstimestamp}}

    Domain: {{_source.wlsdomain}}

    Managed Server: {{_source.wlsname}}

    Monitoring Pattern: {{_source.msgId}}

    Log Message: {{_source.logMessage}}
  2. {{/ctx.payload.hits.hits}}
"
}
}
}
}
}

Thanks so much

This is my script and it results in an internal error.
How can I fix it? /_\

As I wrote in my previous reply, you cannot use mustache in the logger category, and this is why you need to use a conditional action.

      "transform" : {
      "script" : {
        "source" : "def vars = ctx.vars ; ctx.vars.severity = ['Critical', 'Major', 'Minor'];if (BEA-310003) {ctx.vars.severity = Critical}",
      "lang": "painless"
      }
    },

"actions": {
"log_error": {
"logging": {
"category": "watcher.logging.bppm.{{ctx.vars.Severity}}",
"level": "info",
"text": "Found {{ctx.payload.hits.total}} stuck thread in the logs (EAP)\n{{#ctx.payload.hits.hits}}[MINOR] {{_source.wlstimestamp}} {{_source.hostname}} {{_source.wlsdomain}} {{_source.wlsname}} {{_source.msgId}}\n{{/ctx.payload.hits.hits}}"
}
},

I have tried to use a conditional action, but it is still not working.

I do not see a condition in your last code sample, please always provide the full watch. Thanks!

{
"trigger": {
"schedule": {
"interval": "20s"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"eap_wls_server*",
":eap_wls_server"
],
"types": ,
"body": {
"size": 100,
"query": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gte": "now-15m/m",
"lte": "now"
}
}
},
{
"simple_query_string": {
"query": "(OutOfMemoryError) | (000112) | (310006) | (090078) | (040028) | (040507) | (281016) | (280061)",
"fields": [
"logMessage",
"msgId"
]
}
}
]
}
},
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"transform" : {
"script" : {
"source" : {
"playload": "Severity: [ 'Critical', 'Major', 'Minor']",
"lang": "painless"
}
}
},
"actions": {
"log_error": {
"condition": {
"script" : "if (BEA-310003) {ctx.playload.Severity = Critical;} else if (BEA-000112) { ctx.playload.Severity = Major;} else if (BEA-310006) {ctx.playload.Severity = Critical;} else if (BEA-090078) {ctx.playload.Severity = Critical;} else if (BEA-040028) {ctx.playload.Severity = Critical;} else if (BEA-040507) {ctx.playload.Severity = Major;} else if (BEA-281016) {ctx.playload.Severity = Critical;} else if (BEA-280061) {ctx.playload.Severity = Critical;}}"
},
"logging": {
"category": "watcher.logging.bppm.NONE",
"level": "info",
"text": "Found {{ctx.payload.hits.total}} stuck thread in the logs (EAP)\n{{#ctx.payload.hits.hits}}[{{ctx.playload.Severity}}] {{_source.wlstimestamp}} {{_source.hostname}} {{_source.wlsdomain}} {{_source.wlsname}} {{_source.msgId}}\n{{/ctx.payload.hits.hits}}"
}
},
"email_alert": {
"email": {
"profile": "standard",
"to": [
"'Karrie KOO kks629@ha.org.hk'"
],
"subject": "{{ctx.payload.hits.hits.0._source.hostname}} {{ctx.payload.hits.hits.0._source.wlstimestamp}} {{ctx.payload.hits.hits.0._source.wlsdomain}} {{ctx.payload.hits.hits.0._source.wlsname}} {{ctx.payload.hits.hits.0._source.msgId}} [No. of Matched Pattern: {{ctx.payload.hits.total}}]",
"body": {
"html": "

  1. {{#ctx.payload.hits.hits}} Host: {{_source.hostname}}

    Date: {{_source.wlstimestamp}}

    Domain: {{_source.wlsdomain}}

    Managed Server: {{_source.wlsname}}

    Monitoring Pattern: {{_source.msgId}}

    Log Message: {{_source.logMessage}}
  2. {{/ctx.payload.hits.hits}}
"
}
}
}
}
}

Please take the time to properly format your message. This is super hard to read.

A condition in an action needs to return true or false. Setting anything in the payload will not have any effect.

"actions" : {
  "logging_cat_foo" : {
    "condition" : {
      "script" : "return ctx.payload.foo == 'foo'"
    },
    "logging" : {
      "category" : "foo",
      "text" : "This is foo"
    }
  },
  "logging_cat_bar" : {
    "condition" : {
      "script" : "return ctx.payload.foo != 'foo'"
    },
    "logging" : {
      "category" : "bar",
      "text" : "This is bar"
    }
  }
}