alerting icon indicating copy to clipboard operation
alerting copied to clipboard

Published 20 hours ago • verified publisher icon opensearch-project

[BUG] Problem with getting ctx.results

Open zil1 opened this issue 3 years ago • 13 comments

When sending an alert, ctx.result is returned {}, while ctx.error does not return anything. When trying to send ctx.result.0 , the message is not sent, and an error appears in the logs:

[2022-06-29T11:48:44,800][ERROR][o.o.s.m.MustacheScriptEngine] [opensearch-node03] Error running com.github.mustachejava.codes.DefaultMustache@6422caa7
com.github.mustachejava.MustacheException: Failed to get value for ctx.results.0.hits.total.value @[query-template:14]
	at com.github.mustachejava.codes.ValueCode.execute(ValueCode.java:74) ~[compiler-0.9.10.jar:?]
	at com.github.mustachejava.codes.DefaultMustache.run(DefaultMustache.java:34) ~[compiler-0.9.10.jar:?]
	at com.github.mustachejava.codes.DefaultCode.execute(DefaultCode.java:162) ~[compiler-0.9.10.jar:?]
	at com.github.mustachejava.codes.DefaultMustache.execute(DefaultMustache.java:57) ~[compiler-0.9.10.jar:?]
	at com.github.mustachejava.Mustache.execute(Mustache.java:38) ~[compiler-0.9.10.jar:?]
	at org.opensearch.script.mustache.MustacheScriptEngine$MustacheExecutableScript.lambda$execute$0(MustacheScriptEngine.java:137) ~[lang-mustache-client-2.0.1.jar:2.0.1]
	at java.security.AccessController.doPrivileged(AccessController.java:318) ~[?:?]
	at org.opensearch.script.mustache.MustacheScriptEngine$MustacheExecutableScript.execute(MustacheScriptEngine.java:136) [lang-mustache-client-2.0.1.jar:2.0.1]
	at org.opensearch.alerting.MonitorRunnerService.compileTemplate$opensearch_alerting(MonitorRunnerService.kt:271) [opensearch-alerting-2.0.1.0.jar:2.0.1.0]
	at org.opensearch.alerting.MonitorRunner.runAction(MonitorRunner.kt:62) [opensearch-alerting-2.0.1.0.jar:2.0.1.0]
	at org.opensearch.alerting.DocumentLevelMonitorRunner.runForEachDocTrigger(DocumentLevelMonitorRunner.kt:276) [opensearch-alerting-2.0.1.0.jar:2.0.1.0]
	at org.opensearch.alerting.DocumentLevelMonitorRunner.runMonitor(DocumentLevelMonitorRunner.kt:194) [opensearch-alerting-2.0.1.0.jar:2.0.1.0]
	at org.opensearch.alerting.DocumentLevelMonitorRunner$runMonitor$1.invokeSuspend(DocumentLevelMonitorRunner.kt) [opensearch-alerting-2.0.1.0.jar:2.0.1.0]
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33) [kotlin-stdlib-1.6.10.jar:1.6.10-release-923(1.6.10)]
	at kotlinx.coroutines.DispatchedTask.run(Dispatched.kt:233) [kotlinx-coroutines-core-1.1.1.jar:?]
	at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:594) [kotlinx-coroutines-core-1.1.1.jar:?]
	at kotlinx.coroutines.scheduling.CoroutineScheduler.access$runSafely(CoroutineScheduler.kt:60) [kotlinx-coroutines-core-1.1.1.jar:?]
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:742) [kotlinx-coroutines-core-1.1.1.jar:?]
Caused by: com.github.mustachejava.MustacheException: 0 @[query-template:14]
	at com.github.mustachejava.codes.DefaultCode.get(DefaultCode.java:150) ~[compiler-0.9.10.jar:?]
	at com.github.mustachejava.codes.ValueCode.execute(ValueCode.java:62) ~[compiler-0.9.10.jar:?]
	... 17 more
Caused by: java.lang.IndexOutOfBoundsException: 0
	at org.opensearch.common.util.iterable.Iterables.get(Iterables.java:114) ~[opensearch-2.0.1.jar:2.0.1]
	at org.opensearch.script.mustache.CustomReflectionObjectHandler$CollectionMap.get(CustomReflectionObjectHandler.java:143) ~[lang-mustache-client-2.0.1.jar:2.0.1]
	at org.opensearch.script.mustache.CustomReflectionObjectHandler$CollectionMap.containsKey(CustomReflectionObjectHandler.java:152) ~[lang-mustache-client-2.0.1.jar:2.0.1]
	at com.github.mustachejava.reflect.ReflectionObjectHandler.findWrapper(ReflectionObjectHandler.java:146) ~[compiler-0.9.10.jar:?]
	at com.github.mustachejava.reflect.ReflectionObjectHandler.find(ReflectionObjectHandler.java:87) ~[compiler-0.9.10.jar:?]
	at com.github.mustachejava.reflect.GuardedBinding.getWrapper(GuardedBinding.java:103) ~[compiler-0.9.10.jar:?]
	at com.github.mustachejava.reflect.GuardedBinding.createAndGet(GuardedBinding.java:89) ~[compiler-0.9.10.jar:?]
	at com.github.mustachejava.reflect.GuardedBinding.get(GuardedBinding.java:84) ~[compiler-0.9.10.jar:?]
	at com.github.mustachejava.codes.DefaultCode.get(DefaultCode.java:145) ~[compiler-0.9.10.jar:?]
	at com.github.mustachejava.codes.ValueCode.execute(ValueCode.java:62) ~[compiler-0.9.10.jar:?]
	... 17 more

How can one reproduce the bug? Steps to reproduce the behavior:

  1. Create a monitor with the type "Per document monitor"
  2. In the message specify a variable {{ctx.results.0.hits.total.value}}

What is your host/environment?

  • Docker
  • OpenSearch v2.0.1
  • OpenSearch Dashboards v2.0.1

zil1 avatar Jun 29 '22 13:06 zil1

@zil1 could you add what the query and output looks like?

rishabhmaurya avatar Jun 30 '22 18:06 rishabhmaurya

Slack destination: Message:

- Period start: {{ctx.periodStart}}
- Period end: {{ctx.periodEnd}}
results: {{ctx.results}}
error: {{ctx.error}}

Message in Slack:

Alerting-Notification Action



- Period start: 2022-07-18T07:34:48.345315097Z
- Period end: 2022-07-18T07:34:48.345315685Z
results: {}
error:

zil1 avatar Jul 18 '22 07:07 zil1

@zil1 I see that you have raised a concern for "Per document monitor" in specific.

For per doc monitors, have you checked out Document Findings?

In ctx, we have the alerts field i.e. ctx.alerts which would be the core information informing us which document id caused the alert and the id of document in findings index.

Here is the sample context body from a dummy alert I created in a Per document monitor for reference:

results: {monitor={_id=xNPqIoIByUf5KUWbzBd4, _version=5, name=test, enabled=true}, results=[], periodStart=2022-07-21T23:33:49.369701176Z, periodEnd=2022-07-21T23:33:49.369701760Z, error=null, trigger={id=w9PqIoIByUf5KUWbzBcr, name=Trigger1, severity=1, actions=[{name=testChimeAlert479Issue}]}, alerts=[{acknowledged_time=null, id=3a245826-bb0c-4a0e-86b9-fbc9526b9329, version=-1, end_time=null, error_message=null, last_notification_time=1658446429380, severity=1, start_time=1658446429380, state=ACTIVE, bucket_keys=null, parent_bucket_path=null, finding_ids=9cb82832-b0ea-4f75-b756-b88086afd2a2, related_doc_ids=r8AbI4IB8lJ1LO2BiMZa|test}]}

A monitor can run multiple queries in execution but ctx.alerts would contain all the information relevant to that particular document and alert.

Do you have any use case requiring you to consume results of all the queries run by the monitor in that execution?

eirsep avatar Aug 05 '22 22:08 eirsep

@eirsep, for example, I want to get the "message" field in a document

message: {{ ctx.results.0.hits.hits.0._source.message }}

zil1 avatar Aug 15 '22 11:08 zil1

@zil1 Just to confirm on the ask here, are you suggesting that in addition to the document findings which are part of the alerts today (which contains the specific document id which caused the alerts), you also would want to have the same set of document ids part of the results field as well?

getsaurabh02 avatar Aug 17 '22 20:08 getsaurabh02

@getsaurabh02 yes, if possible

zil1 avatar Aug 18 '22 15:08 zil1

/cc: @brijos to provide some context on the behavior.

getsaurabh02 avatar Aug 18 '22 18:08 getsaurabh02

Not sure if its the same use-case; but I personally would like to send document context (actual fields of a document) in a per-document monitor. For example, you have syslog -> logstash -> opensearch and you want to monitor logs from different hosts that have a certain severity/message ie. severity:crit and message:"something superbad" ideally the actions should be able to notify the channel with the context "hostX just logged a crit alert - something superbad". Apologies if this is documented somewhere, I really have been unable to find the best way of achieving this.

df3rry avatar Oct 05 '22 13:10 df3rry

I'd like to second this request. It allows the creation of much more useful alert messages, which contain key information for troubleshooting without first looking up. For me, the document includes a correlation_id, which would be incredibly useful to show directly in the alert manage.

As its a per document monitor, it would be very useful to access the document that triggers the alert.

waza-ari avatar Apr 22 '23 12:04 waza-ari

I'll give another up-vote on this. Having a per-document alert that includes the content of the document in the alert is the one thing I haven't been able to find a way to do. I found this discussion after my trials and it seems I'm not the first person with this request.

It looks like the change was done, but not merged because there wasn't an easy way to test? Has there been any more movement on that front, or has this request fallen off the priority list?

cpholt avatar Jun 21 '23 13:06 cpholt

I also need this.

ghobadimhd avatar Jun 28 '23 17:06 ghobadimhd

Facing similar issue and seems like this feature is much needed. Accessing the document fields directly using ctx rather than reference would ease in generating an Action message that is clear in first place. @lezzago

nik06 avatar Jul 05 '23 20:07 nik06

Sample document support was added in #1450. Can you check if that solves the issues you are facing?

engechas avatar Apr 12 '24 20:04 engechas