Can I pass an HTTP response from one action to another in Elasticsearch Watch?

huangapple go评论55阅读模式
英文:

Can I pass an HTTP response from one action to another in Elasticsearch Watch?

问题

{
  "actions": {
    "new_action": {
      "http": {
        "scheme": "https",
        "host": "example.com",
        "port": 443,
        "method": "post",
        "path": "/endpoint",
        "params": {},
        "headers": {
          "Content-Type": "application/json"
        },
        "body": "{{ctx.payload.response_data}}"
      }
    }
  }
}
英文:

I'm trying to register a ticket in a ticketing system and save the ticket ID in an Elasticsearch document using Watcher actions. The ticket ID is passed in the response to the "register new ticket" request, but I don't know how would I access the response from another action.

I would've used input chaining, but I have to iterate through the query results when registering tickets, which, as far as I know, is only possible in actions. I guess what I need is something like action chaining, but I'm not sure if anything like that exists.

Here is the current watch code:

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          ".alerts-security.alerts-default"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-1m",
                      "lte": "now"
                    }
                  }
                },
                {
                  "match": {
                    "kibana.alert.workflow_status": "open"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "otobo_webhook": {
      "transform": {
        "script": {
          "source": """
          ['items': ctx.payload.hits.hits.collect(alert -> [
            'id': alert._id,
            'timestamp': alert._source['@timestamp'],
            'rule_name': alert._source['kibana.alert.rule.name'],
            'rule_note': alert._source['kibana.alert.rule.note'],
            'host_name': alert._source['host.name']
          ])]
        """,
          "lang": "painless"
        }
      },
      "foreach": "ctx.payload.items",
      "max_iterations": 500,
      "webhook": {
        "scheme": ,
        "host": ,
        "port": ,
        "method": ,
        "path": ,
        "params": {},
        "headers": {},
        "body": """
          {
            "UserLogin": ,
            "Password": ,
            "Ticket": {
              "Title": "Elastic Alert (generated by rule {{ctx.payload.rule_name}})",
              /* some more ticket data */
            },
            "Article": {
              "CommmunicationChannel": "Email",
              "From": "test@test.pl",
              "Subject": "Elastic Alert (generated by rule {{ctx.payload.rule_name}})",
              "Body": "<p>Rule \"{{ctx.payload.rule_name}}\" emmitted an alert at {{ctx.payload.timestamp}} with a note: \"{{ctx.payload.rule_note}}\". Device: {{ctx.payload.host_name}}.</p>",
              "ContentType": "text/html charset=utf-8"
            }
          }
          """
      }
    }
  }
}

Now I need to add another action which would use the http response data from the first action.

答案1

得分: 0

我无法使用HTTP响应数据,但我找到了一个变通方法。由于我将票务ID添加到警报中,我查询没有这个字段的文档,并使用输入链接只保留第一个结果。现在,如果没有找到警报,手表会崩溃。否则,我注册一张票,仍然在输入链中,我为该操作执行的唯一操作是使用票务ID更新警报,同时将其标记为已处理。手表逐个处理警报,直到没有剩余。

诚然,这是一种破解方法,在性能方面绝对可怕,但对于我的用例来说有效。对于更复杂的任务,我担心Watcher太有限,需要外部脚本。

英文:

I haven't been able to use the HTTP response data, but I found a workaround. Since I add the ticket ID to the alert, I query for documents without this field and I'm using input chaining to leave just the 1st result. Now, if there are no alerts found the watch will crash. Otherwise, I register a ticket, still in the input chain and the only thing I perform for the action is update the alert with the ticket ID, simultaneously marking it as handled. The watch handles the alerts one-by-one until there are no left.

Admittedly this is a hack and absolutely horrendous in terms of performance, but it works for my use case. For more complicated tasks I'm afraid that the Watcher is simply too limited and an external script is necessary.

huangapple
  • 本文由 发表于 2023年5月22日 18:09:55
  • 转载请务必保留本文链接:https://go.coder-hub.com/76305100.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定