Watcher webhook to create a OTRS ticket

M_S · January 24, 2023, 3:24pm

I can curl and make an OTRS ticket by using the following :

curl "http://myotrs.com/otrs/nph-genericinterface.pl/Webservice/GenericTicketConnectorREST/Ticket?UserLogin=username&Password=password"
-H "Content-Type: application/json"
-d '{
"Ticket" : {
"Queue" : "Engineering Team",
"Priority" : "P3",
"CustomerUser" : "root@localhost",
"Title" : "REST Create Test",
"State" : "new",
"Type" : "Incident"
},
"Article" : {
"ContentType" : "text/plain; charset=utf8",
"Subject" : "Rest Create Test",
"Body" : "This is only a test"
}
}'

I want to implement the same using a watcher webhook. I stumbled upon - Curl to watcher webhook

Can you give some more info about the same?

richcollier · January 24, 2023, 4:39pm

Yes, you'll want to use the webhook action in Watcher:

M_S · January 24, 2023, 8:57pm

Hi, moving onto watchers, now I have been trying this configuration (I want to look for the keyword "error" in my indices and if found, generate an OTRS ticket):

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "body": {
          "size": 0,
          "query": {
            "match_all": "Error"
          }
        },
        "indices": [
          "*"
        ]
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions" : {
  "create_otrs" : {
    "transform": {
      "script": """{"Ticket":{"Queue":"EngineeringTeam","Priority":"P3","CustomerUser":"root@localhost","Title":"RESTCreateTest","State":"new","Type":"Incident"},"Article":{"ContentType":"text/plain;charset=utf8","Subject":"RestCreateTest","Body":"Thisisonlyatest"}}"""
    },
    "webhook" : {
      "method" : "POST",
      "host" : "http://myotrs.com/otrs/nph-genericinterface.pl/Webservice/GenericTicketConnectorREST/Ticket?UserLogin=<user>&Password=<pass>",
      "port": 9200,
      "body": "{{#toJson}}ctx.payload{{/toJson}}",
      "auth" : {
        "basic" : {
          "username" : "elastic", 
          "password" : "<elasticsearch pass>"
        }
      }
    }
  }
}
}

This gives me compile error. What am I missing here?

richcollier · January 25, 2023, 3:04pm

Oof...so many problems with this.

The script section in transform is executable code, so you need to return the context to the next section (in your case the webhook section).
Also, notice in that example, the usage of single quotes, not double quotes and square brackets [] instead of curly braces {}
Your search syntax doesn't take time into account. If you want your watch to run every minute, then you should only be looking at the last minute's worth of data. Otherwise, you will always match (or as long as any error exists in your logs for however long you keep them).
Do you really want to look over ALL indices ("*")? This seems like a bad idea. Specify your index name or index pattern of the indices you really want to query.
The username/password in the auth is for the system the webhook is authenticating to (so in your case the ticketing system, not to authenticate with elasticsearch)
Test your watch using Watcher's _exectute endpoint first. Then PUT the watch.
See example below that will get you close to where you need to be. I just posted to an internet webserver that does nothing, only so I can see the format of what is being sent.

POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "1m"
      }
    },
    "input": {
      "search": {
        "request": {
          "indices": [
            "kibana_sample_data_logs"
            ],
            "body": {
              "query": {
                "bool": {
                  "must": [
                    {
                      "query_string": {
                        "query": "error"
                      }
                    },
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "now-1m"
                        }
                      }
                    }
                    ]
                }
              }
            }
        }
      }
    },
    "condition": {
      "compare": {
        "ctx.payload.hits.total": {
          "gte": 1
        }
      }
    },
    "actions" : {
      "create_otrs" : {
        "transform": {
          "script": """return ['Ticket':['Queue':'EngineeringTeam','Priority':'P3','CustomerUser':'root@localhost','Title':'RESTCreateTest','State':'new','Type':'Incident'],'Article':['ContentType':'text/plain;charset=utf8','Subject':'RestCreateTest','Body':'Thisisonlyatest']]"""
        },
        "webhook" : {
          "method" : "POST",
          "host" : "echo.zuplo.io",
          "scheme" : "https",
          "port": 443,
          "body": "{{#toJson}}ctx.payload{{/toJson}}",
          "auth" : {
            "basic" : {
              "username" : "myusername", 
              "password" : "mypassword"
            }
          }
        }
      }
    }
  }
}

M_S · January 25, 2023, 3:24pm

Thanks a lot ..yes there were so many errors. This was first time making something like this. Anyways, can we remove the basic auth part, since for me it goes in the url itself?

richcollier · January 25, 2023, 4:27pm

Yes if your curl request works with it being in the URL's query string

system · February 22, 2023, 4:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.