Webhook to slack fails to post - Elastic search 1.7

alerting

#1

Hi,

I am evaluating Watcher to see if it fits our needs. One of the scenarios is to post to our Slack channel, so I added the watch below:

curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch1' -d '{
  "trigger" : { "schedule" : { "interval" : "10s" } },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logs" ],
        "body" : {
          "query" : {
            "match" : { "message": "ERROR" }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "actions" : {
    "send_trigger" : {
      "throttle_period" : "5m",
      "webhook" : {
        "method" : "POST",
        "host" : "https://hooks.slack.com",
        "port" : 443,
        "path": "/services/XXXXXXXXXXX}",
        "body" : "{Jag Test}",
        "headers": {"Content-type": "application/json"}
      }
    }
  }
}'

When it is triggered, I get the following message. It appears that http is being prepended; if I remove https from the host, it says server rejected (as it requires a secure socket, I guess). What am I missing?

""log_error_watch1","metadata":null}}}}}},"condition":{"type":"compare","status":"success","met":true,"compare":{"resolved_values":{"ctx.payload.hits.total":6}}},"actions":[{"id":"send_trigger","type":"webhook","status":"failure","reason":"ElasticsearchException[Expected closing bracket for IPv6 address at index 14: http://[https://hooks.slack.com]:443/services/XXXXXXXXXX]; nested: URISyntaxException[Expected closing bracket for IPv6 address at index 14: http://[https://hooks.slack.com]:443/services/XXXXXXXXXXXX];"


(Uri Boness) #2

Hi,

the host is wrong... try:

"webhook" : {
  "method" : "POST",
  "scheme" : "https",
  "host" : "hooks.slack.com",
  "port" : 443,
  "path": "/services/XXXXXXXXXXX}",
  "body" : "{Jag Test}",
  "headers": {"Content-type": "application/json"}
}

Or even better, try out watcher-2.0.0-beta2 (released today) and use the slack action :wink: (note... you'll need to test it on elasticsearch-2.0.0-beta2)
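
The fix above as an added example (not part of the original posts, and not Watcher's own code): a Python helper that splits a full webhook URL into the separate scheme, host, port and path fields, plus a check that flags the mistakes in the first post's action. The function names and the sample URL are constructed for illustration; the rule that a missing scheme means http is taken from the error message quoted in post #1.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def webhook_fields(url):
    """Split a full URL into the separate fields a webhook action takes."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("expected an absolute http(s) URL")
    return {"scheme": parts.scheme,
            "host": parts.hostname,
            "port": parts.port or DEFAULT_PORTS[parts.scheme],
            "path": parts.path or "/"}

def check_webhook(action):
    """Return a list of problems found in a webhook action definition."""
    problems = []
    host = action.get("host", "")
    if "://" in host or "/" in host:
        problems.append("host must be a bare hostname; use the 'scheme' field")
    # Per the error in post #1, a missing scheme is treated as http.
    if action.get("port") == 443 and action.get("scheme", "http") != "https":
        problems.append("port 443 without scheme 'https' sends plain HTTP")
    body = action.get("body")
    if body is not None:
        try:
            json.loads(body)  # only meaningful for a literal JSON body
        except ValueError:
            problems.append("body is not valid JSON")
    return problems

def slack_action(url, text):
    """Build a webhook action; json.dumps escapes the nested JSON body."""
    action = {"method": "POST", **webhook_fields(url)}
    action["headers"] = {"Content-type": "application/json"}
    action["body"] = json.dumps({"text": text})
    return action

# Constructed sample values; the path is a placeholder, not a real webhook.
SAMPLE_URL = "https://hooks.slack.com/services/T000/B000/placeholder"
BROKEN = {"method": "POST", "host": "https://hooks.slack.com", "port": 443,
          "path": "/services/T000/B000/placeholder", "body": "{Jag Test}",
          "headers": {"Content-type": "application/json"}}

if __name__ == "__main__":
    print(check_webhook(BROKEN))
    print(json.dumps(slack_action(SAMPLE_URL, 'errors: "13"'), indent=2))
```
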


#3

Thank you! I did as you suggested. I get 200 back from Slack but with a lot of text, and the message is not posted. Not sure what I may be missing now.

Not sure what it means...
ubuntu@logstash-test:/etc/elasticsearch/ls-01$ curl -XGET 'http://localhost:9200/.watch_history*/_search?pretty' -d '{
  "query" : {
    "bool" : {
      "must" : [
        { "match" : { "result.condition.met" : true }},
        { "range" : { "result.execution_time" : { "from" : "now-10s"}}}
      ]
    }
  }
}'
{
  "took" : 3,
  "timed_out" : false,
  "_shards" : {
    "total" : 3,
    "successful" : 3,
    "failed" : 0
  },
  "hits" : {
    "total" : 1,
    "max_score" : 1.9659292,
    "hits" : [ {
      "_index" : ".watch_history-2015.09.17",
      "_type" : "watch_record",
      "_id" : "log_error_watch1_16-2015-09-17T20:56:58.783Z",
      "_score" : 1.9659292,
"_source":{"watch_id":"log_error_watch1","state":"executed","trigger_event":{"type":"schedule","triggered_time":"2015-09-17T20:56:58.783Z","schedule":{"scheduled_time":"2015-09-17T20:56:58.524Z"}},"input":{"search":{"request":{"search_type":"query_then_fetch","indices":["logs"],"types":[],"body":{"query":{"match":{"message":"ERROR"}}}}}},"condition":{"compare":{"ctx.payload.hits.total":{"gt":0}}},"messages":[],"result":{"execution_time":"2015-09-17T20:56:58.783Z","execution_duration":186,"input":{"type":"search","status":"success","payload":{"hits":{"total":13,"hits":[{"_type":"event","_source":{"message":"ERROR: test message","status_code":404,"timestamp":"2015-05-17T18:12:07.613Z","request":"GET index.html"},"_id":"AU_ct7vwWh3uxJh7n2qh","_index":"logs","_score":0.42292467},{"_type":"event","_source":{"message":"ERROR: test message","status_code":404,"timestamp":"2015-05-17T18:12:07.613Z","request":"GET index.html"},"_id":"AU_c3sF_Wh3uxJh7n2qk","_index":"logs","_score":0.42292467},{"_type":"event","_source":{"message":"ERROR: test message","status_code":404,"timestamp":"2015-05-17T18:12:07.613Z","request":"GET index.html"},"_id":"AU_dByDkWh3uxJh7n2qp","_index":"logs","_score":0.42292467},{"_type":"event","_source":{"message":"ERROR: test message","status_code":404,"timestamp":"2015-05-17T18:12:07.613Z","request":"GET index.html"},"_id":"AU_dFwS8Wh3uxJh7n2qs","_index":"logs","_score":0.42292467},{"_type":"event","_source":{"message":"ERROR: test message","status_code":404,"timestamp":"2015-05-17T18:12:07.613Z","request":"GET index.html"},"_id":"AU_dFx9vWh3uxJh7n2qt","_index":"logs","_score":0.42292467},{"_type":"event","_source":{"message":"ERROR: test message","status_code":404,"timestamp":"2015-05-17T18:12:07.613Z","request":"GET index.html"},"_id":"AU_dFyWJWh3uxJh7n2qu","_index":"logs","_score":0.42292467},{"_type":"event","_source":{"message":"ERROR: TEST watcher","status_code":404,"timestamp":"2015-09-15T12:30:07.613Z","request":"GET 
index.html"},"_id":"AU_R1lqysWWjfXiiebfT","_index":"logs","_score":0.35615897},{"_type":"event","_source":{"message":"ERROR: test message","status_code":404,"timestamp":"2015-05-17T18:12:07.613Z","request":"GET index.html"},"_id":"AU_c5_G8Wh3uxJh7n2qm","_index":"logs","_score":0.35615897},{"_type":"event","_source":{"message":"ERROR: test message","status_code":404,"timestamp":"2015-05-17T18:12:07.613Z","request":"GET index.html"},"_id":"AU_c8lHzWh3uxJh7n2qo","_index":"logs","_score":0.35615897},{"_type":"event","_source":{"message":"ERROR: test message","status_code":404,"timestamp":"2015-05-17T18:12:07.613Z","request":"GET index.html"},"_id":"AU_cpcqoWh3uxJh7n2qc","_index":"logs","_score":0.2972674}],"max_score":0.42292467},"_shards":{"total":5,"failed":0,"successful":5},"timed_out":false,"took":3},"search":{"request":{"search_type":"query_then_fetch","indices":["logs"],"types":[],"template":{"template":{"query":{"match":{"message":"ERROR"}}},"params":{"ctx":{"id":"log_error_watch1_16-2015-09-17T20:56:58.783Z","vars":{},"trigger":{"triggered_time":"2015-09-17T20:56:58.783Z","scheduled_time":"2015-09-17T20:56:58.524Z"},"execution_time":"2015-09-17T20:56:58.783Z","watch_id":"log_error_watch1","metadata":null}}}}}},"condition":{"type":"compare","status":"success","met":true,"compare":{"resolved_values":{"ctx.payload.hits.total":13}}},"actions":[{"id":"send_trigger","type":"webhook","status":"success","webhook":{"request":{"host":"hooks.slack.com","port":443,"scheme":"https","method":"post","path":"/services/T0AS7AXQC/B0AS7E0P6/vXfgqGIrh6mLt7rrhqaTyBHH}","headers":{"Content-type":"application/json","Content-Type":"application/json; charset=UTF-8"},"body":"{"text":"error test 400 errors count: 13 j"}"},"response":{"status":200,"headers":{"X-Frame-Options":["SAMEORIGIN"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains; preload"],"transfer-encoding":["chunked"],"Vary":["Accept-Encoding"],"Date":["Thu, 17 Sep 2015 20:57:48 
GMT"],"X-XSS-Protection":["0"],"Connection


(Uri Boness) #4

What do you mean by "...I get 200 back from slack but with lot of text..."? Where do you get a lot of text?

The structure of the slack http request looks good. On the slack side, since you don't specify the channel, the message will go to the default channel that is associated with the incoming webhook URL. So I understand you don't get the message in that channel? If you don't know the channel, you can always override it in your message by setting up the "channel" field and pointing it to a room (e.g. #room_name).


#5

Thanks Uri, that is correct. I am expecting it in the default channel where it is configured, and I do not get it. From what I read, it is not necessary to specify a channel and it should post to the default channel.

Thanks again

Jag

