Watcher weird error : cannot access method/field [period] from a null def reference

Elastic Stack Elasticsearch
,
1

截圖 2023-03-29 上午11.22.11
截圖 2023-03-29 上午11.22.11885×446 55.6 KB

My watcher is working normally around 3 years until yesterday, suddenly can't fetch the right number of our doc.count.
but weird thing is I think the code should be work, like I paste below

int past_4_hours_conversion_count = ctx.payload.aggregations.period.buckets.past_4_hours_conversion.doc_count; 

int one_day_ago_4_hours_conversion_count = ctx.payload.aggregations.period.buckets.one_day_ago_4_hours_conversion.doc_count;

If one of above is work, they should be all work right?
the screenshot shows the one_day_ago_4_hours_conversion_count is working
but the past_4_hours_conversion_count show 0 instead.

截圖 2023-03-29 上午11.26.06

Here is my watcher setting. you can ignore the actions type error because I delete some content.

{
  "trigger": {
    "schedule": {
      "interval": "1h"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "filebeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "bool": {
                    "minimum_should_match": 1,
                    "should": [
                      {
                        "query_string": {
                          "fields": [
                            "message"
                          ],
                          "query": "*purchase_notification*"
                        }
                      }
                    ]
                  }
                }
              ],
              "must": [
                {
                  "match_phrase": {
                    "event.module": {
                      "query": "haproxy"
                    }
                  }
                },
                {
                  "match_phrase": {
                    "fields.env": {
                      "query": "lt_production"
                    }
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-28h",
                      "lte": "now",
                      "format": "epoch_millis"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "period": {
              "date_range": {
                "ranges": [
                  {
                    "to": "now",
                    "from": "now-4h",
                    "key": "past_4_hours_conversion"
                  },
                  {
                    "to": "now-24h",
                    "from": "now-28h",
                    "key": "one_day_ago_4_hours_conversion"
                  }
                ],
                "field": "@timestamp",
                "keyed": true
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": """def threshold = 3; 
    ctx.payload.errorMessage = "";
    int past_4_hours_conversion_count = ctx.payload.aggregations.period.buckets.past_4_hours_conversion.doc_count; 
    int one_day_ago_4_hours_conversion_count = ctx.payload.aggregations.period.buckets.one_day_ago_4_hours_conversion.doc_count; 
    def variance  = (float)one_day_ago_4_hours_conversion_count/(float)past_4_hours_conversion_count;
    def error = (variance >= threshold);
    if (error) {
      ctx.payload.errorMessage += "The conversion count past 4 hours is smaller than yesterday same period
    please check the overall function. 
   past 4 hour count: " + past_4_hours_conversion_count + " 
   1 day ago same time period 4 hour count: " + one_day_ago_4_hours_conversion_count + " 
   Threshold: " + threshold;
    }
    
    return error;""",
      "lang": "painless"
    }
  },
  "actions": {
    "notify-slack": {
      "throttle_period_in_millis": 150000,
      "slack": {
        "message": {
          "to": [
            "test-hubot"
          ],
          "attachments": [
            {
              "color": "warning",
              "title": "LT Production\n \"{{ctx.payload.errorMessage}}\"",
              "text": "warning>"
            },
            {
              "color": "warning",
              "title": "Confluence Link",
              "text": "ignore it"
            }
          ]
        }
      }
    }
  }
}

And I query from devtools, seems ok when I paste the same aggs to it.
anyidea why cause the error? or any information I need to provide further?

截圖 2023-03-29 上午11.28.09
截圖 2023-03-29 上午11.28.091495×778 122 KB

2

I do not have much experience with painless, but using it in some ingest pipelines process, If I'm not wrong this error normally happens when the referenced field does not exist.

Maybe this is the case?

I think you need to make it null-safe.

Try changing the reference to this

ctx.payload?.aggregations?.period?.buckets?.past_4_hours_conversion?.doc_count
3

still get same result and I run in simulate

"reason": "Cannot invoke "Object.getClass()" because "value" is null",

截圖 2023-03-29 上午11.46.07
截圖 2023-03-29 上午11.46.07838×426 58.6 KB

截圖 2023-03-29 上午11.46.23
截圖 2023-03-29 上午11.46.23589×721 51.8 KB

4

Just one question, are you sure that the field name is correct?

In your aggregation you have past_4_hours_conversion, but in your code you are referencing to past_4_hours.

There is something wrong in the script in your screenshot and the code you shared.

The print screen have:

past_4_hours_conversion_count = ctx.payload?.aggregations?.period?.buckets?.past_4_hours?.doc_count

But this field does not exist in your aggregation, what you have is past_4_hours_conversion.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.