Webhooks for Watcher Actions

Hi!

I am trying to create a watcher action webhook but I keep getting an "invalid character in host name" error for the following configuration:

"actions" : {
  "log_error" : {
    "logging" : {
      "text" : "Found {{ctx.payload.hits.total}} errors in the logs"
    }
  },
  "send_trigger" : {
    "throttle_period" : "1m",
    "webhook" : {
      "method" : "POST",
      "host" : "immense-badlands-95563.herokuapp.com",
      "scheme" : "https",
      "port" : 443,
      "path": "/hook",
      "body" : `{
        "service_key": "e93facc04764012d7bfb002500d5d1a6",
        "incident_key": "long_watches",
        "event_type": "trigger",
        "description": "{{ctx.payload.hits.total}} watches took more than 2.5 seconds to execute\",
        "client": "Watcher"
      }`,
      "headers": {"Content-type": "application/json"}
    }
  }
}

Any idea why I am getting this error? Sorry, I am completely new to Elasticsearch.

Cheers

Hey,

Can you share the full exception/log line or the watch history entry to get some more context?
Thanks!

--Alex

Hi

It used to be a log like:

[2017-06-14T12:59:31,221][ERROR][org.elasticsearch.xpack.watcher.actions.webhook.ExecutableWebhookAction] failed to execute action [log_error_watch/send_trigger]
java.lang.IllegalArgumentException: Invalid characters in hostname
    at java.net.HostPortrange.toLowerCase(HostPortrange.java:189) ~[?:1.8.0_131]
    at java.net.HostPortrange.<init>(HostPortrange.java:150) ~[?:1.8.0_131]
    at java.net.URLPermission$Authority.<init>(URLPermission.java:486) ~[?:1.8.0_131]
    at java.net.URLPermission.parseURI(URLPermission.java:454) ~[?:1.8.0_131]
    at java.net.URLPermission.init(URLPermission.java:170) ~[?:1.8.0_131]
    at java.net.URLPermission.<init>(URLPermission.java:166) ~[?:1.8.0_131]
    at sun.net.www.protocol.http.HttpURLConnection.URLtoSocketPermission(HttpURLConnection.java:1066) ~[?:?]
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1276) ~[?:?]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) ~[?:?]
    at org.elasticsearch.xpack.common.http.HttpClient.doExecute(HttpClient.java:171) ~[x-pack-5.4.1.jar:5.4.1]
    at org.elasticsearch.xpack.common.http.HttpClient.execute(HttpClient.java:92) ~[x-pack-5.4.1.jar:5.4.1]
    at org.elasticsearch.xpack.watcher.actions.webhook.ExecutableWebhookAction.execute(ExecutableWebhookAction.java:59) ~[x-pack-5.4.1.jar:5.4.1]
    at org.elasticsearch.xpack.watcher.actions.ActionWrapper.execute(ActionWrapper.java:160) [x-pack-5.4.1.jar:5.4.1]
    at org.elasticsearch.xpack.watcher.execution.ExecutionService.executeInner(ExecutionService.java:412) [x-pack-5.4.1.jar:5.4.1]
    at org.elasticsearch.xpack.watcher.execution.ExecutionService.execute(ExecutionService.java:275) [x-pack-5.4.1.jar:5.4.1]
    at org.elasticsearch.xpack.watcher.execution.ExecutionService$WatchExecutionTask.run(ExecutionService.java:492) [x-pack-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:569) [elasticsearch-5.4.1.jar:5.4.1]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_131]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_131]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]

but for some weird reason, I am now getting the following:

[2017-06-16T08:55:21,220][WARN ][org.elasticsearch.xpack.watcher.actions.webhook.ExecutableWebhookAction] received http status [503] when connecting to watch action [log_error_watch/webhook/send_trigger]

Sorry again, this is my first attempt at Elasticsearch and I am using cloud.elastic.co

====== UPDATE ======

If you're familiar with Node and JS, this is what I am trying to do:

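const axios = require('axios');

// elURL is the base URL of the Elasticsearch cluster (with a trailing slash), defined elsewhere.
var watcherPayload = {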
  "trigger" : { "schedule" : { "interval" : "10s" } },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logs" ],
        "body" : {
          "query" : {
            "match" : { "message": "message" }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "actions" : {
    "log_error" : {
      "logging" : {
        "text" : "Found {{ctx.payload.hits.total}} errors in the logs"
      }
    },
    "send_trigger" : {
      "throttle_period" : "1m",
      "webhook" : {
        "method" : "POST",
        "host" : "immense-badlands-95563.herokuapp.com",
        "scheme" : "https",
        "port" : 443,
        "path": "/hook",
        "body" : `{
            "service_key": "e93facc04764012d7bfb002500d5d1a6",
            "incident_key": "long_watches",
            "event_type": "trigger",
            "description": "{{ctx.payload.hits.total}} watches took more than 2.5 seconds to execute\",
            "client": "Watcher"
        }`,
        "headers": {"Content-type": "application/json"}
      }
    }
  }
}

axios.put(`${elURL}_watcher/watch/log_error_watch`, watcherPayload)
.then(res => {
    console.log(res)
})
.catch(err => console.log(err))

Cheers

Hey,

you hit a pretty weird exception :slight_smile:

Can you paste the output from these two calls?

GET _xpack/watcher/watch/log_error_watch
POST _xpack/watcher/watch/log_error_watch/_execute

In addition, your body definition looks weird. I assume this is JavaScript doing some multi-line magic?

--Alex

Haha! It's actually working now.

I am just wondering if I could get notifications only when an index is added. Right now I just know about ctx.payload.hits.total

Hope it's not out of scope :wink:

Cheers

Hey,

what did you change to make it work?

I do not understand your question. You are querying a single index, so where is the link to an index being added here?

--Alex

That's the weird thing. I just had to run the watcher again. I did not even change a single thing in the JSON payload.

I am looking for a way to get notified only when an index is created rather than getting the total number of indices available. I am guessing I need to do some work with the query and condition but don't know exactly what to feed in.

Thanks a lot

Hey,

So you are talking about documents and not about indices, if I got you right? You want to get notified when the number of documents inside of a certain timeframe changes, i.e. count all the documents with the log level ERROR in the last 5 minutes?

If so, you need to change the query to something that reflects the above, i.e. add a range query for timestamp and filter for log level.

This requires you to take a look at the Elasticsearch Query DSL.

--Alex
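
The query change described in the last reply, as an added example that is not code from the thread: a watch that counts ERROR documents from the last 5 minutes and posts to a webhook. `buildErrorWatch` is a hypothetical helper, the field names `@timestamp` and `level` are assumptions about the index mapping, and the hostname pattern (letters, digits, hyphens, dots) is an assumed pre-flight check on the `host` value.

```javascript
// Added example, not code from the thread. buildErrorWatch is a hypothetical helper.
// Bare hostname only: no scheme, port, path or whitespace (assumed check).
const HOSTNAME = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

function buildErrorWatch({ index, host, path, serviceKey, window = '5m' }) {
  if (!HOSTNAME.test(host)) {
    throw new Error(`webhook host is not a bare hostname: ${JSON.stringify(host)}`);
  }
  return {
    trigger: { schedule: { interval: window } },
    input: {
      search: {
        request: {
          indices: [index],
          body: {
            size: 0, // only the hit count is used by the condition
            query: {
              bool: {
                filter: [
                  { term: { level: 'ERROR' } },                          // assumed field name
                  { range: { '@timestamp': { gte: `now-${window}` } } }  // assumed field name
                ]
              }
            }
          }
        }
      }
    },
    condition: { compare: { 'ctx.payload.hits.total': { gt: 0 } } },
    actions: {
      send_trigger: {
        throttle_period: window,
        webhook: {
          method: 'POST', scheme: 'https', host, port: 443, path,
          headers: { 'Content-type': 'application/json' },
          // Serialise an object so the body is always valid JSON;
          // serviceKey is passed in by the caller rather than written into the source.
          body: JSON.stringify({
            service_key: serviceKey,
            incident_key: 'error_logs',
            event_type: 'trigger',
            description: '{{ctx.payload.hits.total}} ERROR documents in the last ' + window,
            client: 'Watcher'
          })
        }
      }
    }
  };
}
```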
