Xpack watcher: Get index name in action's email body


(Shivanshu Bagga) #1

Hi,

I want to set a watcher to read the names of the last 3 indices starting with "logstash-*", with the number of documents per index, then send an alert to the admin user. Indices are created with the current date format. For example, the index name for 9th Jan 2018 is "logstash-2018.01.09".

Here is my current configuration -

PUT _xpack/watcher/watch/my-watch
{
  "trigger": {
    "schedule": {
      "interval": "10000s"
    }
  },
  "input": {
    "chain": {
      "inputs": [
        {
          "first": {
            "search": {
              "request": {
                "indices": [
                  "<logstash-{now/d}>"
                ],
                "body": {
                  "size": 0,
                  "query": {
                    "bool": {
                      "filter": [
                      ]
                    }
                  }
                }
              }
            }
          }
        },
        {
          "second": {
            "search": {
              "request": {
                "indices": [
                  "<logstash-{now/d-1d}>"
                ],
                "body": {
                  "size": 0,
                  "query": {
                    "bool": {
                      "filter": [
                      ]
                    }
                  }
                }
              }
            }
          }
        },
        {
          "third": {
            "search": {
              "request": {
                "indices": [
                  "<logstash-{now/d-2d}>"
                ],
                "body": {
                  "size": 0,
                  "query": {
                    "bool": {
                      "filter": [
                      ]
                    }
                  }
                }
              }
            }
          }
        }
      ]
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "to": "",
        "subject": "ELK Notifications",
        "body": {
          "html": "<ul><li>Today : - {{ctx.payload.first.hits.total}}</li><li>Yesterday : - {{ctx.payload.second.hits.total}}</li><li>The day before yesterday : - {{ctx.payload.third.hits.total}}</li></ul>"
        }
      }
    }
  }
}

How can I set the index name for Today, Yesterday and The day before yesterday in the action's email body?

I tried to set "<logstash-{now/d}>" in the email body, but it did not work.


(Alexander Reelsen) #2

Hey,

there is no super simple way to find the index name, as it is not returned as part of the response. However, when there is a search hit, each hit contains the index it was found in.

You can safely remove the query part from your inputs, as it is doing nothing. If you change the size parameter to 1, you can access the first search hit and extract the index name from there.

--Alex


(Shivanshu Bagga) #3

Thanks,

One more question: {{ctx.payload.fourth.nodes.gdnF8AEHSXWISPlGy1FOCA.fs.total.available_in_bytes}} is giving me fs bytes; I want to convert it to MB before sending the email to the admin.

I did -

"actions": {
  "send_email": {
    "transform": {
      "script": "return ctx.payload.fourth.nodes.gdnF8AEHSXWISPlGy1FOCA.fs.total.available_in_bytes/1024"
    },
    "email": {
      "to": "",
      "subject": "ELK Notifications",
      "body": {
        "html": "<b>ELK Notification Messages {{ctx.payload._value}}</b><br/>Cluster API :- <ul><li>Cluster Name : -{{ctx.payload.five.cluster_name}} </li><li>status :- {{ctx.payload.five.status}}</li></ul>Node API :-<ul><li>Node :-gdnF8AEHSXWISPlGy1FOCA</li><li>CPU Usages : - {{ctx.payload.fourth.nodes.gdnF8AEHSXWISPlGy1FOCA.os.cpu.percent}} %</li><li>Heap Memory :-  {{ctx.payload.fourth.nodes.gdnF8AEHSXWISPlGy1FOCA.jvm.mem.heap_used_percent}} %</li><li>Fs available(In bytes) :- {{ctx.payload.fourth.nodes.gdnF8AEHSXWISPlGy1FOCA.fs.total.available_in_bytes}}</li></ul>Documents Processed :- <ul><li>Today : - {{ctx.payload.first.hits.total}}</li><li>Yesterday : - {{ctx.payload.second.hits.total}}</li><li>The day before yesterday : - {{ctx.payload.third.hits.total}}</li></ul>"
      }
    }
  }
}

Now I'm only getting {{ctx.payload._value}}, not the other values (all other values are now coming up blank). How can I access the other values as well?


(Alexander Reelsen) #4

Hey,

this does not look like a search request, but rather like a nodes stats request. If so you can just append the human=true parameter, and you will get units in MB as well.

Regarding the transform. Whatever you return will replace the existing payload, so you need to include that one as well.

def payload = ctx.payload ; payload.foo = ctx.payload.nodes.../1024 ; return payload

--Alex
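
The two replies in this thread combined into one watch body for the `PUT _xpack/watcher/watch/my-watch` request, as an added example that is not part of the original posts: each search uses `size: 1` so the first hit exposes `_index`, and the action transform adds fields to the existing payload and returns it whole, so `hits.total` still renders. Assumptions: the field names `first_index` and `second_index`, the `'no documents'` fallback for an index with no hits, the recipient address, and the reduction to two days are illustrative choices.

```json
{
  "trigger": { "schedule": { "interval": "10000s" } },
  "input": {
    "chain": {
      "inputs": [
        {
          "first": {
            "search": {
              "request": {
                "indices": ["<logstash-{now/d}>"],
                "body": { "size": 1 }
              }
            }
          }
        },
        {
          "second": {
            "search": {
              "request": {
                "indices": ["<logstash-{now/d-1d}>"],
                "body": { "size": 1 }
              }
            }
          }
        }
      ]
    }
  },
  "actions": {
    "send_email": {
      "transform": {
        "script": "def p = ctx.payload; p.first_index = p.first.hits.hits.isEmpty() ? 'no documents' : p.first.hits.hits[0]._index; p.second_index = p.second.hits.hits.isEmpty() ? 'no documents' : p.second.hits.hits[0]._index; return p;"
      },
      "email": {
        "to": "admin@example.com",
        "subject": "ELK Notifications",
        "body": {
          "html": "<ul><li>{{ctx.payload.first_index}}: {{ctx.payload.first.hits.total}}</li><li>{{ctx.payload.second_index}}: {{ctx.payload.second.hits.total}}</li></ul>"
        }
      }
    }
  }
}
```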

