Watcher with JSON objects

I have a watcher set up to alert on HTTP status 422 or 500. I populate the request body and response body in my API upon failures, and that gets ingested into my index (basically the life of the entire API transaction). The watcher triggers correctly and sends the alert, but the email doesn't have the values of the request body and response body, although the JSON attachment in the email has all the values. I'm using the correct values. The only thing is that the request body and response body are JSON. So do I need to do any translation?

my email looks like this.

Request : https://myhost.com/myapi/api
Status : **422 Error**
Endpoint_url :N/A
Total_Errors: 1
RequestBody:
ResponseBody:
TimeStamp: 2020-03-05T13:38:34.883Z|

in attached document my response body looks like this

"response_body":"{ "error":{ "id":"2" , "customer" : "mycust"}}"

and in my watcher I'm using {{ctx.payload.hits.response_body}}.

Am I doing something wrong?

Let me know

Thanks

Raj

Can you share the output of the watcher history or the Execute Watch API? (It's easier when the condition is triggered, so maybe the watch history indices are good to use.)

here is the output.

Please remember that I have sanitized my email and server name. Also, for testing I have created a test index and am sending you the output from it.

{
"watch_id": "test",
"node": "L29Yn4oVTH2y5vUj8iXuLQ",
"state": "executed",
"user": "elastic",
"status": {
"state": {
"active": true,
"timestamp": "2020-03-12T15:30:17.799Z"
},
"last_checked": "2020-03-12T15:30:30.118Z",
"last_met_condition": "2020-03-12T15:30:30.118Z",
"actions": {
"email_administrator": {
"ack": {
"timestamp": "2020-03-12T15:30:30.118Z",
"state": "ackable"
},
"last_execution": {
"timestamp": "2020-03-12T15:30:30.118Z",
"successful": true
},
"last_successful_execution": {
"timestamp": "2020-03-12T15:30:30.118Z",
"successful": true
}
}
},
"execution_state": "executed",
"version": -1
},
"trigger_event": {
"type": "schedule",
"triggered_time": "2020-03-12T15:30:30.118Z",
"schedule": {
"scheduled_time": "2020-03-12T15:30:30.012Z"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"test*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"must": [
{
"match": {
"status_code": "422"
}
},
{
"match": {
"response_http_headers.hostname": ""myhost.com""
}
}
],
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-30d",
"lte": "now"
}
}
}
]
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"metadata": {
"color": "red",
"name": "test",
"xpack": {
"type": "json"
}
},
"result": {
"execution_time": "2020-03-12T15:30:30.118Z",
"execution_duration": 389,
"input": {
"type": "search",
"status": "success",
"payload": {
"_shards": {
"total": 1,
"failed": 0,
"successful": 1,
"skipped": 0
},
"hits": {
"hits": ,
"total": 1,
"max_score": null
},
"took": 1,
"timed_out": false
},
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"test*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"must": [
{
"match": {
"status_code": "422"
}
},
{
"match": {
"response_http_headers.hostname": ""myhost.com""
}
}
],
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-30d",
"lte": "now"
}
}
}
]
}
}
}
}
}
},
"condition": {
"type": "compare",
"status": "success",
"met": true,
"compare": {
"resolved_values": {
"ctx.payload.hits.total": 1
}
}
},
"transform": {
"type": "search",
"status": "success",
"payload": {
"_shards": {
"total": 1,
"failed": 0,
"successful": 1,
"skipped": 0
},
"hits": {
"hits": [
{
"_index": "test",
"_type": "_doc",
"_source": {
"status_code": "422",
"@timestamp": "2020-03-05T19:17:33.962Z",
"request_body": "{ "id":"2" , "customer" : "mycust" , "address" : "blah blah" , "zipcode" : "10000"}",
"response_body": "{ "error":{ "id":"2" , "customer" : "mycust"}}",
"response_http_headers": [
{
"Content-Type": "application/json"
},
{
"Date": "Thu, 05 Mar 2020 19:17:35 GMT"
},
{
"Content-Length": "459"
},
{
"Via": "1.1 AgAAANE7P4c-"
},
{
"hostname": "myhost.com"
},
{
"msgid": "414d51205343535131202020202020205e56fb652147c3b6"
},
{
"Access-Control-Allow-Origin": ""
},
{
"Access-Control-Allow-Methods": "POST"
},
{
"X-RateLimit-Limit": "name=default,10000;"
},
{
"X-RateLimit-Remaining": "name=default,9996;"
}
],
"bytes_sent": "16"
},
"_id": "mSRSz3ABcKlnb-_3eSxJ",
"_score": 0.5753642
}
],
"total": 1,
"max_score": 0.5753642
},
"took": 0,
"timed_out": false
},
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"test
"
],
"rest_total_hits_as_int": true,
"body": {
"query": {
"bool": {
"must": [
{
"match": {
"status_code": "422"
}
},
{
"match": {
"response_http_headers.hostname": ""myhost.com""
}
}
],
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-30d",
"lte": "now"
}
}
}
]
}
}
}
}
}
},
"actions": [
{
"id": "email_administrator",
"type": "email",
"status": "success",
"email": {
"account": "",
"message": {
"id": "email_administrator_test_44f7546f-9efa-4c19-9a6c-c57bbf2cc078-2020-03-12T15:30:30.118529Z",
"from": "
",
"priority": "high",
"sent_date": "2020-03-12T15:30:30.150986Z",
"to": [
"
*********"
],
"subject": "https:// is down with HTTP Status Error 422.",
"body": {
"html": " <table style="margin-left:auto;margin-right:auto;background:#ffffff;border:5px solid #eee" border="0" cellpadding="0"><td style="padding:40px"> <table style="width:812px;height:348px">Status:422Total_Errors:1RequestBody:ResponseBody:TimeStamp:2020-03-05T19:17:33.962Z

Please do not reply to this message.

Thank you,

"
}
}
}
}
]
},
"messages":
}

this is my html body code

"body": {
"html": "

Status:{{ctx.payload.hits.hits.0._source.status_code}}
Total_Errors:{{ctx.payload.hits.total}}
RequestBody:{{ctx.payload.hits.request_body}}
ResponseBody:{{ctx.payload.hits.response_body}}
TimeStamp:{{ctx.payload.hits.hits.0._source.@timestamp}}

Please do not reply to this message.

Thank you,

"
}

Please let me know if you need more information from me.

Thanks

Well, I figured it out lol. Sometimes an extra pair of eyes and reading it again fixes my issues 🙂

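It should be **ctx.payload.hits.hits.0._source.request_body** (and likewise **ctx.payload.hits.hits.0._source.response_body**), because the document fields sit under each hit's `_source`, not directly under `hits`.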

thanks a lot for this help.

Raj
