
Problems accessing _source fields with a dot in the name when creating Slack action for Elasticsearch Watcher


I am trying to create a Slack action with a dynamic attachment. My _source looks like this:

{
    "user.url": "https://api.github.com/users/...",
    "user.gists_url": "https://api.github.com/users/.../gists{/gist_id}",
    "user.repos_url": "https://api.github.com/users/.../repos",
    "date": "2018-04-27T14:34:10Z",
    "user.followers_url": "https://api.github.com/users/.../followers",
    "user.following_url": "https://api.github.com/users/.../following{/other_user}",
    "user.id": 123456,
    "user.avatar_url": "https://avatars0.githubusercontent.com/u/123456?v=4",
    "user.events_url": "https://api.github.com/users/.../events{/privacy}",
    "user.site_admin": false,
    "user.html_url": "https://github.com/...",
    "user.starred_url": "https://api.github.com/users/.../starred{/owner}{/repo}",
    "user.received_events_url": "https://api.github.com/users/.../received_events",
    "metric": "stars",
    "user.login": "...",
    "user.type": "User",
    "user.subscriptions_url": "https://api.github.com/users/.../subscriptions",
    "user.organizations_url": "https://api.github.com/users/.../orgs",
    "user.gravatar_id": ""
}

And here is my Slack action:

"actions": {
    "notify-slack": {
        "throttle_period_in_millis": 240000,
        "slack": {
            "account": "monitoring",
            "message": {
                "from": "Elasticsearch Watcher",
                "to": [
                    "#watcher"
                ],
                "text": "We have {{ctx.payload.new.hits.total}} new stars! And {{ctx.payload.old.hits.total}} in total.",
                "dynamic_attachments" : {
                    "list_path" : "ctx.payload.new.hits.hits",
                    "attachment_template" : {
                        "title" : "{{_source.[\"user.login\"]}}",
                        "text" : "Users Count: {{count}}",
                        "color" : "{{color}}"
                    }
                }
            }
        }
    }
}

I can't seem to figure out how to access my _source fields since they have dots in them. I have tried:

  • "{{_source.[\"user.login\"]}}"
  • "{{_source.user.login}}"
  • "{{_source.[user.login]}}"
  • "{{_source.['user.login']}}"

Solution

  • The answer to my question is that you can't access _source keys with dots in them directly using Mustache; you must first transform your data.

    Update:

    I was able to get this working by using a transform to build a new object. Mustache might not be able to access fields with dots in their names, but Painless can! I added this transform to my Slack object:

    "transform" : {
        "script" : {
            "source" : "['items': ctx.payload.new.hits.hits.collect(user -> ['userName': user._source['user.login']])]",
            "lang" : "painless"
        }
    }
    

    and now in the slack action dynamic attachments, I can access the items array:

    "dynamic_attachments" : {
        "list_path" : "ctx.payload.items",
        "attachment_template" : {
            "title" : "{{userName}}", 
            "text" : "{{_source}}"
        }
    }
    

    Old Answer:

    So according to this, Watcher uses Mustache,

    and according to this, Mustache can't access fields with dots in the names.
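The behaviour described in the answer above, as an added example that is not part of the original post: a simplified Python model of Mustache dotted-name lookup, showing why a flat key such as "user.login" is never matched, and two ways a transform can reshape the hit so the template resolves. The function names and the sample login value are constructed for illustration, and the lookup model is an assumption, not Watcher's own template engine code.

```python
# Simplified model of Mustache dotted-name lookup (an assumption for
# illustration, not Watcher's actual template engine code).
def mustache_lookup(context, name):
    """Split the tag name on dots and walk the context one key at a time."""
    value = context
    for part in name.split("."):
        if not isinstance(value, dict) or part not in value:
            return ""  # a failed lookup renders as an empty string
        value = value[part]
    return value


def rename_dotted_keys(source, sep="_"):
    """Analogue of the Painless transform: copy fields under dot-free names."""
    return {key.replace(".", sep): val for key, val in source.items()}


def nest_dotted_keys(source):
    """Alternative: expand "user.login" into {"user": {"login": ...}}."""
    nested = {}
    for key, val in source.items():
        *parents, leaf = key.split(".")
        node = nested
        for part in parents:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise ValueError(f"{key!r} collides with scalar field {part!r}")
        if isinstance(node.get(leaf), dict):
            raise ValueError(f"{key!r} collides with an object of the same name")
        node[leaf] = val
    return nested


# Constructed sample hit, shaped like the _source in the question.
HIT = {"_source": {"user.login": "octocat", "user.id": 123456, "metric": "stars"}}

if __name__ == "__main__":
    # The lookup walks _source -> user -> login, but "user" is not a key.
    print(repr(mustache_lookup(HIT, "_source.user.login")))
    # The bracket form is split on its dot as well, so it fails the same way.
    print(repr(mustache_lookup(HIT, '_source.["user.login"]')))
    renamed = {"_source": rename_dotted_keys(HIT["_source"])}
    print(mustache_lookup(renamed, "_source.user_login"))
    nested = {"_source": nest_dotted_keys(HIT["_source"])}
    print(mustache_lookup(nested, "_source.user.login"))
```

Nesting keeps the template path `_source.user.login` usable, but it fails when a document holds both a scalar `user` and a `user.*` field; renaming avoids that case.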