2

We have multiple applications which are pushing logs into Kibana. In the JSON, the parameters below will be there:

  1. srcSystem.componentName: "DATA-LAMBDA-FUNCTION"
  2. srcSystem.data.auditJson.job_status: "FAILURE"
  3. srcSystem.data.auditJson.errorMessage: "Bad SQL Grammer.."
  4. srcSystem.data.auditJson.entityName: "Test_Entity1234"

There is a chance of multiple job_status: FAILURE entries within 5 mins. I want to create a Kibana Watcher to trigger an email if there is at least a single failure every 5 mins. The email should contain something like the below:

| srcSystem.data.auditJson.entityName | srcSystem.data.auditJson.errorMessage |
| --- | --- |
| Test_Entity1234 | Authentication Failure |
| Test_4312 | Server Down |
| Address_Entity | Bad SQL |

Can you please help me to create a JSON payload to create a Watcher through the Kibana Watcher API?

MKumar
  • What have you tried already ? – Paulo Jul 24 '22 at 17:58
  • I tried with the below JSON. I am getting the email, but the details are not coming in the email:

    ```
    "actions": {
      "ses_account": {
        "email": {
          "profile": "standard",
          "to": [ "krmunna01234@gmail.com" ],
          "subject": " Failures are in mail ",
          "body": {
            "html": "
              Dynamic Entity Sync failed for sync type for entity {{srcSystem.data.auditJson.entityName}}

              {{srcSystem.data.auditJson.errorMessage}}
              Error Details Failure reason
            "
          }
        }
      }
    }
    ```
    – MKumar Jul 25 '22 at 05:10
  • Please update the question with this information; it is not very readable in the comments. Have you looked in the Elasticsearch logs to see any error related to the execution of the watcher? Have you [configured an email account as per the documentation](https://www.elastic.co/guide/en/elasticsearch/reference/current/actions-email.html#configuring-email)? – Paulo Jul 25 '22 at 09:25
  • The email is getting triggered, but it is empty. How do I get the values of the below parameters from the Elasticsearch JSON in the email body: srcSystem.data.auditJson.entityName srcSystem.data.auditJson.errorMessage – MKumar Jul 26 '22 at 14:35

1 Answer

0

Got the solution by providing the exact JSON.

MKumar
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Dec 26 '22 at 19:04
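
Added example, not part of the original thread: a watch body for `PUT _watcher/watch/<watch_id>` that searches every 5 minutes for the question's FAILURE documents and emails one table row per hit. Watch templates resolve against `ctx`, so hit fields are read from `ctx.payload.hits.hits` under `_source` rather than by bare field name as in the comment above. The index pattern, the `@timestamp` field, the action id and the recipient are assumed placeholders, recorded in the watch's `metadata`.

```json
{
  "metadata": {
    "assumptions": "index pattern app-logs-*, @timestamp field, action id and recipient are placeholders"
  },
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["app-logs-*"],
        "body": {
          "size": 100,
          "_source": [
            "srcSystem.data.auditJson.entityName",
            "srcSystem.data.auditJson.errorMessage"
          ],
          "query": {
            "bool": {
              "filter": [
                { "match_phrase": { "srcSystem.componentName": "DATA-LAMBDA-FUNCTION" } },
                { "match_phrase": { "srcSystem.data.auditJson.job_status": "FAILURE" } },
                { "range": { "@timestamp": { "gte": "now-5m" } } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "actions": {
    "email_failures": {
      "email": {
        "profile": "standard",
        "to": ["alerts@example.com"],
        "subject": "{{ctx.payload.hits.total}} job failure(s) in the last 5 minutes",
        "body": {
          "html": "<table><tr><th>entityName</th><th>errorMessage</th></tr>{{#ctx.payload.hits.hits}}<tr><td>{{_source.srcSystem.data.auditJson.entityName}}</td><td>{{_source.srcSystem.data.auditJson.errorMessage}}</td></tr>{{/ctx.payload.hits.hits}}</table>"
        }
      }
    }
  }
}
```

The `{{#ctx.payload.hits.hits}} ... {{/ctx.payload.hits.hits}}` section repeats its contents once per returned hit, and `size` caps how many rows one email can contain.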