X-pack Watcher Slack JSON code

ninja · August 9, 2017, 11:40am

Hello ,
I've created a notify script in JSON for Watcher with Slack Integration . I created webhook that i added at minimal in elasticsearch.yml

Bellow is the script :

{
"trigger": {
"schedule": {
"interval": "24h"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"winevents"
],
"types": [],
"body": {
"size": 0,
"query": {
"bool": {
"must": {
"match": {
"event_id": "4,647"
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 0
}
}
},
"actions": {
"notify-slack": {
"slack" : {
"message" : {
"text" : "Test"
}
}
}
}
}

When i try to save it i receive the following error . Any ideas ?
Watcher: [remote_transport_exception] [test-sec-n2][10.100.111.101:9300][cluster:admin/xpack/watcher/watch/put]

spinscale · August 11, 2017, 7:04am

Can you provide a full exception including stack trace and error message? Please copy and paste the full output of the curl call.

Also provide the Elasticsearch version you are using and all xpack specific configurations in the elasticsearch.yml file.

Thanks!

ninja · August 11, 2017, 11:45am

discovery.zen.ping.unicast.hosts: ["elk-test-sec-prod.test.local"]
gateway.recover_after_nodes: 2
xpack.security.enabled: true
xpack.security.authc.realms:
elastic:
type: native
order: 1
test1:
type: ldap
order: 0
url: "ldaps://ldap-1.test.us:636"
bind_dn: "uid=elkbind,ou=TT2,dc=test,dc=us"
bind_password: latreaba#
user_search.base_dn: "ou=TT2,dc=test,dc=us"
group_search.base_dn: "cn=TT1,ou=Groups,dc=test,dc=us"
files:
role_mapping: "/etc/elasticsearch/x-pack/role_mapping.yml"
cache.ttl: 10m
test2:
type: active_directory
order: 2
domain_name: test.local
url: ldaps://colo-dc1.test.local:636, ldaps://colo-dc2.test.local:636
load_balance:
type: "failover"
files:
role_mapping: "/etc/elasticsearch/x-pack/role_mapping.yml"
user_search.base_dn: "OU=test,OU=test,DC=test,DC=Local"
group_search.base_dn: "ou=groups,ou=test,dc=test,dc=local"
ssl:
verification_mode: none
cache.ttl: 10m
xpack.watcher.enabled : true

xpack.notification.slack:
account:
monitoring:
url: https://hooks.slack.com/services/REMOVED

ninja · August 11, 2017, 11:48am

how can i get the stack trace and error message ? The error message is :
Watcher: [remote_transport_exception] [test-sec-n2][10.100.111.101:9300][cluster:admin/xpack/watcher/watch/put]

This in the browser...
in elatic.log i don't have any error . Where shall i look for it ?
Thx

spinscale · August 11, 2017, 12:25pm

Please take your time and add proper formatting to your posts, this makes it hard to read (and on top of that indentation is important!).

Also, please tell us which elasticsearch version this is.

The above remote transport exception is not returned to the browser or an HTTP client. You would get back a formatted JSON response, and that is what I am also interested in.

Thanks.

system · September 8, 2017, 12:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.