X-pack Watcher Slack JSON code

alerting

(Mike) #1

Hello,
I've created a notify script in JSON for Watcher with Slack integration. I created a webhook that I added, at a minimum, in elasticsearch.yml.

Below is the script:

```json
{
  "trigger": {
    "schedule": {
      "interval": "24h"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "winevents"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": {
                "match": {
                  "event_id": "4,647"
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 0
      }
    }
  },
  "actions": {
    "notify-slack": {
      "slack": {
        "message": {
          "text": "Test"
        }
      }
    }
  }
}
```

When I try to save it I receive the following error. Any ideas?
Watcher: [remote_transport_exception] [test-sec-n2][10.100.111.101:9300][cluster:admin/xpack/watcher/watch/put]


(Alexander Reelsen) #2

Can you provide a full exception including stack trace and error message? Please copy and paste the full output of the curl call.

Also provide the Elasticsearch version you are using and all xpack specific configurations in the elasticsearch.yml file.

Thanks!


(Mike) #3

```yaml
discovery.zen.ping.unicast.hosts: ["elk-test-sec-prod.test.local"]
gateway.recover_after_nodes: 2
xpack.security.enabled: true
xpack.security.authc.realms:
  elastic:
    type: native
    order: 1
  test1:
    type: ldap
    order: 0
    url: "ldaps://ldap-1.test.us:636"
    bind_dn: "uid=elkbind,ou=TT2,dc=test,dc=us"
    bind_password: latreaba#
    user_search.base_dn: "ou=TT2,dc=test,dc=us"
    group_search.base_dn: "cn=TT1,ou=Groups,dc=test,dc=us"
    files:
      role_mapping: "/etc/elasticsearch/x-pack/role_mapping.yml"
    cache.ttl: 10m
  test2:
    type: active_directory
    order: 2
    domain_name: test.local
    url: ldaps://colo-dc1.test.local:636, ldaps://colo-dc2.test.local:636
    load_balance:
      type: "failover"
    files:
      role_mapping: "/etc/elasticsearch/x-pack/role_mapping.yml"
    user_search.base_dn: "OU=test,OU=test,DC=test,DC=Local"
    group_search.base_dn: "ou=groups,ou=test,dc=test,dc=local"
    ssl:
      verification_mode: none
    cache.ttl: 10m
xpack.watcher.enabled : true

xpack.notification.slack:
  account:
    monitoring:
      url: https://hooks.slack.com/services/REMOVED
```


(Mike) #4

How can I get the stack trace and error message? The error message is:
Watcher: [remote_transport_exception] [test-sec-n2][10.100.111.101:9300][cluster:admin/xpack/watcher/watch/put]

This is in the browser...
In elastic.log I don't have any error. Where shall I look for it?
Thx


(Alexander Reelsen) #5

Please take your time and add proper formatting to your posts; this makes them hard to read (and on top of that, indentation is important!).

Also, please tell us which Elasticsearch version this is.

The above remote transport exception is not returned to the browser or an HTTP client. You would get back a formatted JSON response, and that is what I am also interested in.

Thanks.
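An added example, not code from this thread or from Elastic, that ties the two halves of the discussion together: it builds the watch from post #1 and submits it with a PUT so that the full JSON error body asked for in #2 and #5 is captured instead of only the one-line exception seen in the browser. Assumptions: `ES_URL`, the watch id, the credentials and `SAMPLE_ERROR` are constructed placeholders; `event_id` is written as `4647` without the thousands separator from the post; the `gt: 0` condition and the templated Slack text are editorial changes to the original watch (`gte: 0` is true on every run).

```python
import base64
import json
import urllib.error
import urllib.request

ES_URL = "http://localhost:9200"  # constructed placeholder, not from the thread
# Constructed sample in Elasticsearch's error-response shape (not Mike's real error).
SAMPLE_ERROR = {"status": 400, "error": {"type": "parse_exception",
                "reason": "constructed example reason",
                "root_cause": [{"type": "parse_exception", "reason": "constructed example reason"}]}}

def build_watch(event_id="4647", interval="24h", index="winevents"):
    """Watch from post #1 with two editorial changes: fire only when the search
    returns hits (gt 0; gte 0 is always true) and put the hit count in the Slack
    text via a mustache template."""
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {"search": {"request": {"indices": [index], "body": {
            "size": 0, "query": {"bool": {"must": {"match": {"event_id": event_id}}}}}}}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {"notify-slack": {"slack": {"message": {
            "text": f"{{{{ctx.payload.hits.total}}}} hit(s) for event_id {event_id} in the last {interval}"}}}},
    }

def summarize_error(body):
    """Flatten an Elasticsearch error response into the fields a support thread
    needs: HTTP status, exception type, reason and every root cause."""
    err = body.get("error", {})
    if not isinstance(err, dict):  # some responses carry a plain string
        return {"status": body.get("status"), "type": None, "reason": str(err), "root_causes": []}
    return {"status": body.get("status"), "type": err.get("type"), "reason": err.get("reason"),
            "root_causes": [f"{rc.get('type')}: {rc.get('reason')}" for rc in err.get("root_cause", [])]}

def put_watch(watch_id, watch, es_url=ES_URL, auth=None):
    """PUT the watch and return (http_status, parsed body) for success and HTTP
    errors alike, so the full JSON error document is captured, not just the status."""
    req = urllib.request.Request(f"{es_url}/_xpack/watcher/watch/{watch_id}", method="PUT",
                                 data=json.dumps(watch).encode(),
                                 headers={"Content-Type": "application/json"})
    if auth:  # (user, password); the thread's cluster has xpack.security enabled
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as exc:
        return exc.code, json.load(exc)
```

Against a live cluster, `status, body = put_watch("logoff-events", build_watch(), auth=("user", "pass"))` followed by `summarize_error(body)` gives the status, type, reason and root causes that a support thread can work with.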

