Sentinl webservice advanced example

Hi All,
Read the docs on both siren sentinl and sentinl Kibana. I understand you can “trigger” a web service via the advanced watcher as a condition. When I follow the example in the siren 10.5.2 docs it doesn’t seem to work. Can you provide a complete example? Thanks!

Hi Jeff,

Here is an example for invoking a web service from the advanced watcher condition:

    {
      "actions": {
        "email_html_alarm_c05fe136-ff6b-464d-84f5-8e617c4114f5": {
          "name": "email html alarm",
          "throttle_period": "1m",
          "email_html": {
            "to": "xxxxxx",
            "from": "xxxxxx",
            "stateless": false,
            "subject": "{{payload.hits.total}} new results from watcher {{watcher.title}}",
            "priority": "high",
            "html": "<p>Hi {{watcher.username}},</p>\n<p>There are {{payload.hits.total}} results found by the watcher <i>{{watcher.title}}</i>.</p>\n<div style=\"color: #2D2D2D;\">\n  <hr>\n  <p>This watcher sends alerts based on the following criteria:</p>\n  <ul><li>{{watcher.condition.script.script}}</li></ul>\n</div>"
          }
        }
      },
      "input": {
        "search": {
          "request": {
            "index": [],
            "body": {}
          }
        }
      },
      "condition": {
        "web_service": {
          "group": "webhose",
          "service": "news",
          "params": "{ \"query\": \"brexit\" }",
          "store": true
        },
        "script": {
          "script": "webServiceResult.news.length > 0"
        }
      },
      "trigger": {
        "schedule": {
          "later": "every 5 hours"
        }
      },
      "disable": true,
      "report": false,
      "title": "Invoke web service",
      "save_payload": false,
      "spy": false,
      "impersonate": false
    }

For more details please go through the Siren docs for invoking a web service from the Advanced Alert watcher.

Regards
Manu
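As an added check (not from the Siren docs or Sentinl's own code), the following Python lint walks a watcher definition shaped like the one above and reports the structural problems that stop a web service condition from being evaluated: missing web_service fields, a params value that is not a JSON string, and a missing or misspelled condition script key. The sample watcher is constructed and deliberately carries a misspelled key ("scrpt") so the check has something to catch; the required fields are assumed from the example above, not taken from a Sentinl schema.

```python
import json

# Constructed watcher modelled on the posted example; the "scrpt" key is a
# deliberate typo so the lint below has something to report.
SAMPLE_WATCHER = {
    "condition": {
        "web_service": {"group": "webhose", "service": "news",
                        "params": "{ \"query\": \"brexit\" }", "store": True},
        "scrpt": {"script": "webServiceResult.news.length > 0"},
    },
    "trigger": {"schedule": {"later": "every 5 hours"}},
    "title": "Invoke web service",
}

# Assumed required fields, taken from the example rather than a Sentinl schema.
REQUIRED_WS_KEYS = ("group", "service", "params")


def lint_condition(watcher):
    """Return a list of problems found in the condition/trigger blocks."""
    problems = []
    cond = watcher.get("condition", {})
    ws = cond.get("web_service")
    if not isinstance(ws, dict):
        problems.append("condition.web_service missing")
    else:
        for key in REQUIRED_WS_KEYS:
            if key not in ws:
                problems.append(f"condition.web_service.{key} missing")
        params = ws.get("params")
        if isinstance(params, str):
            try:
                json.loads(params)  # params is sent as a JSON string
            except ValueError:
                problems.append("condition.web_service.params is not valid JSON")
    script = cond.get("script")
    if not isinstance(script, dict) or not isinstance(script.get("script"), str):
        # report any near-miss keys such as the 'scrpt' typo
        near = [k for k in cond if k != "web_service"]
        problems.append(f"condition.script missing (found keys: {near})")
    elif ws is not None and "webServiceResult" not in script["script"]:
        problems.append("condition.script does not reference webServiceResult")
    schedule = watcher.get("trigger", {}).get("schedule", {})
    if "later" not in schedule:
        problems.append("trigger.schedule.later missing")
    return problems


if __name__ == "__main__":
    for problem in lint_condition(SAMPLE_WATCHER):
        print("-", problem)
```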

I tried the above and get the following error:

    Error: watcher play: log alarm:create:[illegal_argument_exception] Cannot put multiple mappings: [sentinl-alarm, doc][illegal_argument_exception] Cannot put multiple mappings: [sentinl-alarm, doc] :: {"path":"/watcher_alarms-2020.10.07/_doc","query":{"type":"sentinl-alarm","refresh":"true"},"body":"{"@timestamp":"2020-10-07T02:57:47.325Z","error":true,"report":false,"watcher":"test","action":"unknown action","level":"high","message":"WatcherHandlerError: execute advanced watcher:log alarm:create:[illegal_argument_exception] Cannot put multiple mappings: [sentinl-alarm, doc]","type":"sentinl-alarm"}","statusCode":400,"response":"{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Cannot put multiple mappings: [sentinl-alarm, doc]"}],"type":"illegal_argument_exception","reason":"Cannot put multiple mappings: [sentinl-alarm, doc]"},"status":400}"}
        at respond (/opt/platform/siren-investigate/node_modules/elasticsearch/src/lib/transport.js:349:15)
        at checkRespForFailure (/opt/platform/siren-investigate/node_modules/elasticsearch/src/lib/transport.js:306:7)
        at HttpConnector. (/opt/platform/siren-investigate/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
        at IncomingMessage.wrapper (/opt/platform/siren-investigate/node_modules/lodash/lodash.js:4929:19)
        at IncomingMessage.emit (events.js:203:15)
        at IncomingMessage.EventEmitter.emit (domain.js:466:23)
        at endReadableNT (_stream_readable.js:1145:12)
        at process._tickCallback (internal/process/next_tick.js:63:19)
        at WatcherService._callee$ (http://localhost:5606/bundles/sentinl.bundle.js?v=29245:1:386643)
        at tryCatch (http://localhost:5606/bundles/commons.bundle.js?v=29245:180:3882)
        at Generator.invoke [as _invoke] (http://localhost:5606/bundles/commons.bundle.js?v=29245:180:7833)
        at Generator.throw (http://localhost:5606/bundles/commons.bundle.js?v=29245:180:5021)
        at step (http://localhost:5606/bundles/sentinl.bundle.js?v=29245:1:385144)
        at http://localhost:5606/bundles/sentinl.bundle.js?v=29245:1:385327

Hi Jeff,

Can you please confirm which Elasticsearch version you are using?

Did you get this error when you clicked the play button? Did you get it as a notification, in the browser console, or in the alarm list?

Please confirm if you did any operations relating to the alarms indices (e.g. create or modify watcher_alarms-* indices)?

Also, can you please run this query in Siren's Dev Tools and share the output:

    GET watcher_alarms-*/_search
    {
      "aggs": {
        "indicesAgg": {
          "terms": {
            "field": "_type"
          }
        }
      },
      "size": 0
    }

Thanks
Manu

Compatibility Status Optimal
Investigate Version 10.5.2
Federate Version 7.6.2-20.0 on ES 7.6.2
Investigate Metadata Index .siren

Results from the GET query:

    {
      "took" : 0,
      "timed_out" : false,
      "_shards" : {
        "total" : 0,
        "successful" : 0,
        "skipped" : 0,
        "failed" : 0
      },
      "hits" : {
        "total" : {
          "value" : 0,
          "relation" : "eq"
        },
        "max_score" : 0.0,
        "hits" : [ ]
      }
    }

Hi Jeff,

Do you have any alarms indices? Can you run this query in Dev Tools?

    GET _cat/indices/watcher_alarms*

Also, did you get this error when you clicked the play button? Did you get it as a notification, in the browser console, or in the alarm list?

Please confirm if you did any operations relating to the alarms indices (e.g. create or modify watcher_alarms-* indices)?

Regards
Manu Agarwal