Use input ElasticSearch document fields in Watcher fields
I have the following watch set up which triggers when it sees Error-level messages. It is triggering correctly and my watch history shows this. The idea is that we send a SOAP message to our monitoring software which uses it to format an email to the right person.
The problem is that I assumed I could get the information for the first record in the input using mustache commands like {{ctx.payload.hits.hits.0.fields.Environment}}, but any place where I use it to get the document's fields it is blank instead. I can query the payload to get the number of records found as expected though, which is the weird part.
My watch is as follows:
{
  "trigger": {
    "schedule": {
      "interval": "60s"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["<logstash-{now/d{YYYY.MM.dd}}-cat>"],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "Level": "Error"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-60s",
                      "lt": "now"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "throttle_period": "30m",
  "actions": {
    "log_error_patrol_webhook": {
      "webhook": {
        "method": "POST",
        "host": "myhost",
        "port": 9080,
        "path": "/path/",
        "headers": {
          "Content-Type": "text/xml"
        },
        "body": "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:imap=\"http://blueprint.bmc.com/ImapiElems\" xmlns:bas=\"http://blueprint.bmc.com/BasicTypes\" xmlns:even=\"http://blueprint.bmc.com/Event\"><soapenv:Header/><soapenv:Body><imap:SendEvent><imap:connection>1111111</imap:connection><imap:message><!--Zero or more repetitions:--><bas:NameValue_element><bas:name>msg</bas:name><bas:value><bas:string_value>Environment {{ctx.payload.hits.hits.0.fields.Environment}}. Found {{ctx.payload.hits.total}} errors in the logs.</bas:string_value></bas:value></bas:NameValue_element><bas:NameValue_element><bas:name>mc_host</bas:name><bas:value><bas:string_value>{{ctx.payload.hits.hits.0.fields.HostName}}</bas:string_value></bas:value></bas:NameValue_element><bas:NameValue_element><bas:name>mc_host_class</bas:name><bas:value><bas:string_value>{{ctx.payload.hits.hits.0.fields.Environment}}</bas:string_value></bas:value></bas:NameValue_element><bas:NameValue_element><bas:name>mc_object_class</bas:name><bas:value><bas:string_value>App: {{ctx.payload.hits.hits.0.fields.appindex}}</bas:string_value></bas:value></bas:NameValue_element><bas:NameValue_element><bas:name>mc_object</bas:name><bas:value><bas:string_value>https://test.kibana.net/app/kibana#/doc/[logstash-]YYYY.MM.DD[-{{ctx.payload.hits.hits.0.fields.appindex}}]/{{ctx.payload.hits.hits.0.fields._index}}/http?id={{ctx.payload.hits.hits.0.fields._id}}</bas:string_value></bas:value></bas:NameValue_element><bas:NameValue_element><bas:name>severity</bas:name><bas:value><bas:string_value>CRITICAL</bas:string_value></bas:value></bas:NameValue_element><bas:NameValue_element><bas:name>bw_notification</bas:name><bas:value><bas:string_value>email@host</bas:string_value></bas:value></bas:NameValue_element><even:subject>Logstash</even:subject></imap:message><imap:timeout>3000</imap:timeout><imap:messageClass>LOGSTASH</imap:messageClass><imap:messageType>MSG_TYPE_NEW_EVENT</imap:messageType></imap:SendEvent></soapenv:Body></soapenv:Envelope>"
      }
    }
  }
}
And the email it returns looks like this:
Incident Time: Wednesday, 18 May 2016 16:06:14 +0800
Host:
Severity: CRITICAL
Object Class:
Object: https://test.kibana.bwainet.net/app/kibana#/doc/[logstash-]YYYY.MM.DD[-]//http?id=
Parameter:
Location: Unknown
Message: Environment . Found 4 errors in the logs
I've been crawling over the elastic documentation as to why this wouldn't be working, but I've come up at a loss. Any clue why these fields are blank for me when the fields certainly exist in our elastic documents? I'm hoping it's just a syntax error.
Cheers guys
In your Mustache calls use something like this: ctx.payload.hits.hits.0._source.Environment. Basically, every ctx.payload.hits.hits.0.fields. needs to be replaced with ctx.payload.hits.hits.0._source., except _id and _index.
For _index you need ctx.payload.hits.hits.0._index and for _id you need ctx.payload.hits.hits.0._id.
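An added example, not part of the question or the answer above, that reproduces the blank rendering and the fix: a minimal Mustache-style path resolver run over a constructed payload of the shape Watcher's search input places in ctx.payload (a hit carries its document under _source by default, so the fields. paths resolve to nothing). The payload contents and the helper names lookup, render and fix_paths are assumptions; because the substituted values originate in log lines and land inside a SOAP/XML body, the example also XML-escapes them.

```python
import re
from xml.sax.saxutils import escape

# Constructed sample of what Watcher's search input places in ctx.payload
# (the shape of an Elasticsearch search response, not a captured one).
# A hit carries its document under _source by default; a "fields" key
# only appears when the query explicitly asks for stored/doc-value fields.
CTX = {"ctx": {"payload": {"hits": {"total": 4, "hits": [{
    "_index": "logstash-2016.05.18-cat",
    "_id": "doc-1",
    "_source": {"Level": "Error", "Environment": "prod",
                "HostName": "app01", "appindex": "cat",
                "message": "connection refused <retry>"},
}]}}}}


def lookup(ctx, path):
    """Resolve a dotted Mustache path; numeric segments index lists.
    A missing key yields "", which is the blank seen in the question."""
    cur = ctx
    for seg in path.split("."):
        if isinstance(cur, list) and seg.isdigit() and int(seg) < len(cur):
            cur = cur[int(seg)]
        elif isinstance(cur, dict) and seg in cur:
            cur = cur[seg]
        else:
            return ""
    return str(cur)


def render(template, ctx):
    """Substitute {{path}} placeholders. Values come from log lines and are
    dropped into a SOAP body, so they are XML-escaped before insertion."""
    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}",
                  lambda m: escape(lookup(ctx, m.group(1))), template)


def fix_paths(template):
    """Rewrite hits.hits.N.fields.X to hits.hits.N._source.X, except _id and
    _index, which live on the hit itself (the answer's rule)."""
    def repl(m):
        hit, field = m.group(1), m.group(2)
        if field in ("_id", "_index"):
            return f"{hit}.{field}"
        return f"{hit}._source.{field}"
    return re.sub(r"(ctx\.payload\.hits\.hits\.\d+)\.fields\.(\w+)", repl, template)


if __name__ == "__main__":
    broken = "Environment {{ctx.payload.hits.hits.0.fields.Environment}}. Found {{ctx.payload.hits.total}} errors."
    print(render(broken, CTX))             # Environment . Found 4 errors.
    print(render(fix_paths(broken), CTX))  # Environment prod. Found 4 errors.
```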