Hi, I am trying to create a watcher that prints every hit whose message field matches a particular string. So far, all I have managed is to print individual hits by using this pattern in the email action:
Message 0 - {{ctx.payload.hits.hits.0._source.message}}
Message 1 - {{ctx.payload.hits.hits.1._source.message}}
Message 2 - {{ctx.payload.hits.hits.2._source.message}}
Message 3 - {{ctx.payload.hits.hits.3._source.message}}
But how do I do this for every hit instead of manually adding each specific document? I searched but could not find a relevant solution; is using transforms the only way forward for such a request?
Thanks!
I was wondering whether there is a way to use a wildcard pattern, something like:
{{ctx.payload.hits.hits.[*]._source.message}}
That didn't work when I tried it, though. Here is the watcher definition:
{
"trigger": {
"schedule": {
"cron": "0 0/15 0-20,23 ? * MON-FRI"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"client-logs-*"
],
"rest_total_hits_as_int": true,
"body": {
"from": 0,
"size": 1000,
"_source": {
"includes": [
"@timestamp",
"agent.hostname",
"message"
]
},
"sort": [
{
"correlation-id": {
"order": "asc",
"unmapped_type": "boolean"
}
}
],
"query": {
"bool": {
"must": [],
"filter": [
{
"multi_match": {
"type": "phrase",
"query": "enabled maintenance mode",
"lenient": true
}
},
{
"range": {
"@timestamp": {
"gte": "now-15m"
}
}
}
],
"should": [],
"must_not": []
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 5
}
}
},
"actions": {
"send_email": {
"email": {
"profile": "standard",
"from": "kibana@company.com",
"to": [
"testuser@company.com"
],
"subject": "Service into Maintenance Mode",
"body": {
"html": """<p>Service into Maintenance Mode <b>{{ctx.payload.hits.total}} error/s</b> in Logs</p> <br>
<b>Hostname:</b> {{ctx.payload.hits.hits.0._source.agent.hostname}}<br>
<b>Error message:</b> {{ctx.payload.hits.hits.0._source.message}} <br><br>
<b>Hostname:</b> {{ctx.payload.hits.hits.1._source.agent.hostname}}<br>
<b>Error message:</b> {{ctx.payload.hits.hits.1._source.message}} <br><br>
<b>Hostname:</b> {{ctx.payload.hits.hits.2._source.agent.hostname}}<br>
<b>Error message:</b> {{ctx.payload.hits.hits.2._source.message}} <br>
<b>Hostname:</b> {{ctx.payload.hits.hits.3._source.agent.hostname}}<br>
<b>Error message:</b> {{ctx.payload.hits.hits.3._source.message}} <br>
<b>Hostname:</b> {{ctx.payload.hits.hits.4._source.agent.hostname}}<br>
<b>Error message:</b> {{ctx.payload.hits.hits.4._source.message}} <br>
<b>Hostname:</b> {{ctx.payload.hits.hits.5._source.agent.hostname}}<br>
<b>Error message:</b> {{ctx.payload.hits.hits.5._source.message}} <br>
<b>Hostname:</b> {{ctx.payload.hits.hits.6._source.agent.hostname}}<br>
<b>Error message:</b> {{ctx.payload.hits.hits.6._source.message}} <br>
<b>Hostname:</b> {{ctx.payload.hits.hits.7._source.agent.hostname}}<br>
<b>Error message:</b> {{ctx.payload.hits.hits.7._source.message}} <br>
<b>Hostname:</b> {{ctx.payload.hits.hits.8._source.agent.hostname}}<br>
<b>Error message:</b> {{ctx.payload.hits.hits.8._source.message}} <br>
<b>Hostname:</b> {{ctx.payload.hits.hits.9._source.agent.hostname}}<br>
<b>Error message:</b> {{ctx.payload.hits.hits.9._source.message}} <br>
<b>Hostname:</b> {{ctx.payload.hits.hits.10._source.agent.hostname}}<br>
<b>Error message:</b> {{ctx.payload.hits.hits.10._source.message}} <br>
"""
}
}
}
}
}