If you think it is a bug report or you have a technical issue, please answer the following questions. For general questions, you can delete these questions.
Elasticsearch version: 7.17.3
Server OS version: Windows 2019 Server
Kibana version (if relevant): 7.17.3
Browser version (if relevant):
Browser OS version (if relevant):
Describe the issue: I have configured Signals Alerting through Search guard. I am trying to do a Webhook integration to send the elk data to Splunk . When i run the watcher , there is no error. but the expected data and fields are not coming up in Splunk
When i executed the watcher- it shows the status
Steps to reproduce:
Expected behavior:
Provide configuration:
Provide logs:
Screenshots (if relevant):
Errors in browser console (if relevant):
Additional data:
{
"checks": [
{
"request": {
"indices": [
"metricbeat-*"
],
"body": {
"size": 0,
"query": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gte": "now-5m",
"lte": "now"
}
}
}
]
}
},
"aggregations": {
"bucketAgg": {
"terms": {
"field": "agent.hostname",
"size": 500,
"order": {
"metricAgg": "desc"
}
},
"aggregations": {
"metricAgg": {
"avg": {
"field": "host.cpu.usage"
}
},
"OS": {
"terms": {
"field": "host.os.platform"
}
},
"IP": {
"terms": {
"field": "host.ip"
}
}
}
}
}
}
},
"type": "search",
"name": "mysearch",
"target": "mysearch"
},
{
"name": "data_normalization",
"type": "transform",
"source": " def hosts=data.mysearch.aggregations.bucketAgg.buckets;\n return hosts.stream().filter(h->{\n def cpu_usage=h.metricAgg.value;\n return cpu_usage>0.001;\n }).map(h->{\n def cpu_usage=h.metricAgg.value;\n def cpu_usage_round=BigDecimal.valueOf(cpu_usage*100).setScale(2, RoundingMode.HALF_EVEN);\n def os=h.OS.buckets[0].key;\n def ip=h.IP.buckets[0].key; \n return['host': h.key, 'cpu_usage': cpu_usage*100, 'cpu_usage_round': cpu_usage_round, 'os': os, 'ip': ip];\n }).collect(Collectors.toList());"
}
],
"active": true,
"_meta": {
"last_edit": {
"user": "admin",
"date": "2022-11-01T08:35:09.737Z"
}
},
"trigger": {
"schedule": {
"interval": [
"1m"
]
}
},
"log_runtime_data": false,
"actions": [
{
"type": "webhook",
"name": "webhook",
"throttle_period": "1s",
"request": {
"method": "POST",
"url": "http://10.28.128.231:8088/services/collector/raw?",
"body": "{\n\n\"event\": \"Host: {{item.host}}|Usage: {{item.cpu_usage}}|OS: {{item.os}}|IP: {{item.ip}}|Application: {{item.app}}|Summary: CPU Utilization started violating and is now warning.|Severity: WARNING|AlertID: {{item.host}}\"\n\n}",
"headers": {
"Authorization": "Splunk fa882193-7310-45ad-9ab6-468316abf3fe",
"Content-type": "application/json"
}
}
}
],
"_tenant": "_main",
"_id": "example_watch"
}
pablo
November 3, 2022, 2:16pm
4
@amalk12 Based on your screenshot, your watch doesn’t get any data.
I’d suggest testing the query configured in the watch and ensuring that it returns data.
Also, could you check the watch execution history? Each execution provides detailed information and may contain logged errors.
I have a doubt whether the json script is able to read my Index metricbeat* . Is there a way to check if it is able to just read my index
pablo
November 4, 2022, 4:22pm
6
@amalk12 You can extract the query and use it with the curl command or dev tool in OpenSearch Dashboards.
amalk12
November 10, 2022, 5:41pm
7
I am able to get the data for my Query , when i try to execute the watcher . But in my Action part - Where Webhook is been used to connect to Splunk url . I am unable to send the data to Splunk, Only the feild name is visible in Splunk ,
{
"checks": [
{
"request": {
"indices": [
"metricbeat-*"
],
"body": {
"size": 2,
"query": {
"bool": {
"must": []
}
},
"aggregations": {
"bucketAgg": {
"terms": {
"field": "agent.hostname.keyword",
"size": 500,
"order": {
"metricAgg": "desc"
}
},
"aggregations": {
"metricAgg": {
"avg": {
"field": "system.memory.actual.used.pct"
}
},
"OS": {
"terms": {
"field": "host.os.platform"
}
},
"IP": {
"terms": {
"field": "host.ip"
}
}
}
}
}
}
},
"name": "mysearch",
"type": "search",
"target": "mysearch"
},
{
"name": "data_normalization",
"type": "transform",
"source": "def hosts=data.mysearch.aggregations.bucketAgg.buckets;\n return hosts.stream().filter(h->{\n def memory_usage=h.metricAgg.value;\n return memory_usage>0.001;\n }).map(h->{\n def memory_usage=h.metricAgg.value;\n def memory_usage_round=BigDecimal.valueOf(memory_usage*100).setScale(2, RoundingMode.HALF_EVEN);\n def os=h.OS.buckets[0].key;\n def ip=h.IP.buckets[0].key; \n return['host': h.key, 'memory_usage': memory_usage*100, 'memory_usage_round': memory_usage_round, 'os': os, 'ip': ip];\n }).collect(Collectors.toList());"
}
],
"active": true,
"_meta": {
"last_edit": {
"user": "admin",
"date": "2022-10-27T10:42:55.268Z"
}
},
"trigger": {
"schedule": {
"timezone": "Europe/Berlin",
"interval": [
"15m"
]
}
},
"actions": [
{
"type": "webhook",
"name": "webhook",
"throttle_period": "1s",
"request": {
"method": "POST",
"url": "http://XXXX:8088/services/collector/raw?",
"body": "{\n\n\"event\": \"Host: {{item.host}}|Usage: {{item.Memory_usage}}|OS: {{item.os}}|IP: {{item.ip}}|Summary: Memory utilization started violating and is now warning.|Severity: WARNING|AlertID: {{item.host}}\"\n\n}",
"headers": {
"Authorization": "Splunk fa882193-7310",
"Content-type": "application/json"
}
}
],
"_tenant": "_main",
"_id": "TEST-Memory"
}
amalk12
November 10, 2022, 5:43pm
8
Is my Webhook is defined correctly . or am i missing something
pablo
November 23, 2022, 6:19pm
9
@amalk12 The transform section is missing a target and lang.
"name": "data_normalization",
"source": "def hosts=data.mysearch.aggregations.bucketAgg.buckets;\n return hosts.stream().filter(h->{\n def cpu_usage=h.metricAgg.value;\n return cpu_usage>0.001;\n }).map(h->{\n def cpu_usage=h.metricAgg.value;\n def cpu_usage_round=BigDecimal.valueOf(cpu_usage*100).setScale(2, RoundingMode.HALF_EVEN);\n def os=h.OS.buckets[0].key;\n def ip=h.IP.buckets[0].key; \n return['host': h.key, 'cpu_usage': cpu_usage*100, 'cpu_usage_round': cpu_usage_round, 'os': os, 'ip': ip];\n }).collect(Collectors.toList());",
"type": "transform",
"lang": "painless",
"target": "data_normalization"
The transform part is returned as an array. Try the below in the webhook body.
"body": "{\"text\": \"{{#data.data_normalization}} Host: {{host}} {{/data.data_normalization}}\"}"
