All methods and paths for this operation:
When a watch is registered, a new document that represents the watch is added to the .watches index and its trigger is immediately registered with the relevant trigger engine.
Typically for the schedule trigger, the scheduler is the trigger engine.
IMPORTANT: You must use Kibana or this API to create a watch.
Do not add a watch directly to the .watches index by using the Elasticsearch index API.
If Elasticsearch security features are enabled, do not give users write privileges on the .watches index.
When you add a watch you can also define its initial active state by setting the active parameter.
When Elasticsearch security features are enabled, your watch can index or search only on indices for which the user that stored the watch has privileges.
If the user is able to read index a, but not index b, the same will apply when the watch runs.
manage_watcherThe initial state of the watch.
The default value is true, which means the watch is active by default.
only update the watch if the last operation that has changed the watch has the specified primary term
only update the watch if the last operation that has changed the watch has the specified sequence number
Explicit version number for concurrency control
The list of actions that will be run if the condition matches.
Values are email, webhook, index, logging, slack, or pagerduty.
Defines the aggregations that are run as part of the search request.
If true, the request returns detailed information about score computation as part of a hit.
Default value is false.
Configuration of search extensions defined by Elasticsearch plugins.
The starting document offset, which must be non-negative.
By default, you cannot page through more than 10,000 hits using the from and size parameters.
To page through more hits, use the search_after parameter.
Default value is 0.
Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
Boost the _score of documents from specified indices.
The boost value is the factor by which scores are multiplied.
A boost value greater than 1.0 increases the score.
A boost value between 0 and 1.0 decreases the score.
An array of wildcard (*) field patterns.
The request returns doc values for field names matching these patterns in the hits.fields property of the response.
The minimum _score for matching documents.
Documents with a lower _score are not included in search results or results collected by aggregations.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Set to true to return detailed timing information about the execution of individual components in a search request.
NOTE: This is a debugging tool and adds significant overhead to search execution.
Default value is false.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Retrieve a script evaluation (based on different fields) for each hit.
A field value.
The number of hits to return, which must not be negative.
By default, you cannot page through more than 10,000 hits using the from and size parameters.
To page through more hits, use the search_after property.
Default value is 10.
An array of wildcard (*) field patterns.
The request returns values for field names matching these patterns in the hits.fields property of the response.
The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
If set to 0 (default), the query does not terminate early.
Default value is 0.
The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
If true, calculate and return document scores, even if the scores are not used for sorting.
Default value is false.
If true, the request returns the document version as part of a hit.
Default value is false.
If true, the request returns sequence number and primary term of the last modification of each hit.
The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and
d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
Time unit for milliseconds
Default value is painless.
Defines the aggregations that are run as part of the search request.
If true, the request returns detailed information about score computation as part of a hit.
Default value is false.
Configuration of search extensions defined by Elasticsearch plugins.
The starting document offset, which must be non-negative.
By default, you cannot page through more than 10,000 hits using the from and size parameters.
To page through more hits, use the search_after parameter.
Default value is 0.
Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
Boost the _score of documents from specified indices.
The boost value is the factor by which scores are multiplied.
A boost value greater than 1.0 increases the score.
A boost value between 0 and 1.0 decreases the score.
An array of wildcard (*) field patterns.
The request returns doc values for field names matching these patterns in the hits.fields property of the response.
The minimum _score for matching documents.
Documents with a lower _score are not included in search results or results collected by aggregations.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Set to true to return detailed timing information about the execution of individual components in a search request.
NOTE: This is a debugging tool and adds significant overhead to search execution.
Default value is false.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Retrieve a script evaluation (based on different fields) for each hit.
A field value.
The number of hits to return, which must not be negative.
By default, you cannot page through more than 10,000 hits using the from and size parameters.
To page through more hits, use the search_after property.
Default value is 10.
An array of wildcard (*) field patterns.
The request returns values for field names matching these patterns in the hits.fields property of the response.
The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
If set to 0 (default), the query does not terminate early.
Default value is 0.
The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
If true, calculate and return document scores, even if the scores are not used for sorting.
Default value is false.
If true, the request returns the document version as part of a hit.
Default value is false.
If true, the request returns sequence number and primary term of the last modification of each hit.
The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
Controls how to deal with unavailable concrete indices (closed or missing), how wildcard expressions are expanded to actual indices (all, closed or open indices) and how to deal with wildcard expressions that resolve to no indices.
If false, the request returns an error if any wildcard expression, index alias, or _all value targets only
missing or closed indices. This behavior applies even if the request targets other open indices. For example,
a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
If true, missing or closed indices are not included in the response.
Default value is false.
If true, concrete, expanded or aliased indices are ignored when frozen.
Default value is true.
Values are query_then_fetch or dfs_query_then_fetch.
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and
d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
Values are true, false, or wait_for.
Values are index or create.
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and
d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
Values are lowest, low, normal, high, or highest.
Values are trigger, resolve, or acknowledge.
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and
d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
Values are head, get, post, put, or delete.
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and
d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
Values are http or https.
Defines the aggregations that are run as part of the search request.
If true, the request returns detailed information about score computation as part of a hit.
Default value is false.
Configuration of search extensions defined by Elasticsearch plugins.
The starting document offset, which must be non-negative.
By default, you cannot page through more than 10,000 hits using the from and size parameters.
To page through more hits, use the search_after parameter.
Default value is 0.
A string that contains each boundary character.
Default value is .,!? \t\n.
How far to scan for boundary characters.
Default value is 20.
Values are chars, sentence, or word.
Controls which locale is used to search for sentence and word boundaries.
This parameter takes a form of a language tag, for example: "en-US", "fr-FR", "ja-JP".
Default value is Locale.ROOT.
Values are simple or span.
The size of the highlighted fragment in characters.
Default value is 100.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
If set to a non-negative value, highlighting stops at this defined maximum limit.
The rest of the text is not processed, thus not highlighted and no error is returned
The max_analyzed_offset query setting does not override the index.highlight.max_analyzed_offset setting, which prevails when it’s set to lower value than the query setting.
The amount of text you want to return from the beginning of the field if there are no matching fragments to highlight.
Default value is 0.
The maximum number of fragments to return.
If the number of fragments is set to 0, no fragments are returned.
Instead, the entire field contents are highlighted and returned.
This can be handy when you need to highlight short texts such as a title or address, but fragmentation is not required.
If number_of_fragments is 0, fragment_size is ignored.
Default value is 5.
Value is score.
Controls the number of matching phrases in a document that are considered.
Prevents the fvh highlighter from analyzing too many phrases and consuming too much memory.
When using matched_fields, phrase_limit phrases per matched field are considered. Raising the limit increases query time and consumes more memory.
Only supported by the fvh highlighter.
Default value is 256.
Use in conjunction with pre_tags to define the HTML tags to use for the highlighted text.
By default, highlighted text is wrapped in <em> and </em> tags.
Use in conjunction with post_tags to define the HTML tags to use for the highlighted text.
By default, highlighted text is wrapped in <em> and </em> tags.
By default, only fields that contains a query match are highlighted.
Set to false to highlight all fields.
Default value is true.
Value is styled.
Values are default or html.
Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
Boost the _score of documents from specified indices.
The boost value is the factor by which scores are multiplied.
A boost value greater than 1.0 increases the score.
A boost value between 0 and 1.0 decreases the score.
An array of wildcard (*) field patterns.
The request returns doc values for field names matching these patterns in the hits.fields property of the response.
A reference to a field with formatting instructions on how to return the value
The approximate kNN search to run.
Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
The final number of nearest neighbors to return as top hits
The number of nearest neighbor candidates to consider per shard
Boost value to apply to kNN scores
The minimum similarity for a vector to be considered a match
The minimum _score for matching documents.
Documents with a lower _score are not included in search results or results collected by aggregations.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Set to true to return detailed timing information about the execution of individual components in a search request.
NOTE: This is a debugging tool and adds significant overhead to search execution.
Default value is false.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Retrieve a script evaluation (based on different fields) for each hit.
A field value.
The number of hits to return, which must not be negative.
By default, you cannot page through more than 10,000 hits using the from and size parameters.
To page through more hits, use the search_after property.
Default value is 10.
An array of wildcard (*) field patterns.
The request returns values for field names matching these patterns in the hits.fields property of the response.
A reference to a field with formatting instructions on how to return the value
The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
If set to 0 (default), the query does not terminate early.
Default value is 0.
The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
If true, calculate and return document scores, even if the scores are not used for sorting.
Default value is false.
If true, the request returns the document version as part of a hit.
Default value is false.
If true, the request returns sequence number and primary term of the last modification of each hit.
For type composite
For type lookup
A custom format for date type runtime fields.
Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and
d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
Values are head, get, post, put, or delete.
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and
d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
Values are http or https.
Values are json, yaml, or text.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Controls how to deal with unavailable concrete indices (closed or missing), how wildcard expressions are expanded to actual indices (all, closed or open indices) and how to deal with wildcard expressions that resolve to no indices.
If false, the request returns an error if any wildcard expression, index alias, or _all value targets only
missing or closed indices. This behavior applies even if the request targets other open indices. For example,
a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
If true, missing or closed indices are not included in the response.
Default value is false.
If true, concrete, expanded or aliased indices are ignored when frozen.
Default value is true.
Values are query_then_fetch or dfs_query_then_fetch.
Default value is false.
Default value is false.
An inline search template. Supports the same parameters as the search API's request body. Also supports Mustache variables. If no id is specified, this parameter is required.
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and
d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and
d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
Time unit for milliseconds
Default value is painless.
Defines the aggregations that are run as part of the search request.
If true, the request returns detailed information about score computation as part of a hit.
Default value is false.
Configuration of search extensions defined by Elasticsearch plugins.
The starting document offset, which must be non-negative.
By default, you cannot page through more than 10,000 hits using the from and size parameters.
To page through more hits, use the search_after parameter.
Default value is 0.
A string that contains each boundary character.
Default value is .,!? \t\n.
How far to scan for boundary characters.
Default value is 20.
Values are chars, sentence, or word.
Controls which locale is used to search for sentence and word boundaries.
This parameter takes a form of a language tag, for example: "en-US", "fr-FR", "ja-JP".
Default value is Locale.ROOT.
Values are simple or span.
The size of the highlighted fragment in characters.
Default value is 100.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
If set to a non-negative value, highlighting stops at this defined maximum limit.
The rest of the text is not processed, thus not highlighted and no error is returned
The max_analyzed_offset query setting does not override the index.highlight.max_analyzed_offset setting, which prevails when it’s set to lower value than the query setting.
The amount of text you want to return from the beginning of the field if there are no matching fragments to highlight.
Default value is 0.
The maximum number of fragments to return.
If the number of fragments is set to 0, no fragments are returned.
Instead, the entire field contents are highlighted and returned.
This can be handy when you need to highlight short texts such as a title or address, but fragmentation is not required.
If number_of_fragments is 0, fragment_size is ignored.
Default value is 5.
Value is score.
Controls the number of matching phrases in a document that are considered.
Prevents the fvh highlighter from analyzing too many phrases and consuming too much memory.
When using matched_fields, phrase_limit phrases per matched field are considered. Raising the limit increases query time and consumes more memory.
Only supported by the fvh highlighter.
Default value is 256.
Use in conjunction with pre_tags to define the HTML tags to use for the highlighted text.
By default, highlighted text is wrapped in <em> and </em> tags.
Use in conjunction with post_tags to define the HTML tags to use for the highlighted text.
By default, highlighted text is wrapped in <em> and </em> tags.
By default, only fields that contains a query match are highlighted.
Set to false to highlight all fields.
Default value is true.
Value is styled.
Values are default or html.
Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
Boost the _score of documents from specified indices.
The boost value is the factor by which scores are multiplied.
A boost value greater than 1.0 increases the score.
A boost value between 0 and 1.0 decreases the score.
An array of wildcard (*) field patterns.
The request returns doc values for field names matching these patterns in the hits.fields property of the response.
A reference to a field with formatting instructions on how to return the value
The approximate kNN search to run.
Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
The final number of nearest neighbors to return as top hits
The number of nearest neighbor candidates to consider per shard
Boost value to apply to kNN scores
The minimum similarity for a vector to be considered a match
The minimum _score for matching documents.
Documents with a lower _score are not included in search results or results collected by aggregations.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Set to true to return detailed timing information about the execution of individual components in a search request.
NOTE: This is a debugging tool and adds significant overhead to search execution.
Default value is false.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Retrieve a script evaluation (based on different fields) for each hit.
A field value.
The number of hits to return, which must not be negative.
By default, you cannot page through more than 10,000 hits using the from and size parameters.
To page through more hits, use the search_after property.
Default value is 10.
An array of wildcard (*) field patterns.
The request returns values for field names matching these patterns in the hits.fields property of the response.
A reference to a field with formatting instructions on how to return the value
The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
If set to 0 (default), the query does not terminate early.
Default value is 0.
The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
If true, calculate and return document scores, even if the scores are not used for sorting.
Default value is false.
If true, the request returns the document version as part of a hit.
Default value is false.
If true, the request returns sequence number and primary term of the last modification of each hit.
For type composite
For type lookup
A custom format for date type runtime fields.
Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Controls how to deal with unavailable concrete indices (closed or missing), how wildcard expressions are expanded to actual indices (all, closed or open indices) and how to deal with wildcard expressions that resolve to no indices.
If false, the request returns an error if any wildcard expression, index alias, or _all value targets only
missing or closed indices. This behavior applies even if the request targets other open indices. For example,
a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
If true, missing or closed indices are not included in the response.
Default value is false.
If true, concrete, expanded or aliased indices are ignored when frozen.
Default value is true.
Values are query_then_fetch or dfs_query_then_fetch.
Default value is false.
Default value is false.
An inline search template. Supports the same parameters as the search API's request body. Also supports Mustache variables. If no id is specified, this parameter is required.
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and
d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and
d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
PUT _watcher/watch/my-watch
{
"trigger" : {
"schedule" : { "cron" : "0 0/1 * * * ?" }
},
"input" : {
"search" : {
"request" : {
"indices" : [
"logstash*"
],
"body" : {
"query" : {
"bool" : {
"must" : {
"match": {
"response": 404
}
},
"filter" : {
"range": {
"@timestamp": {
"from": "{{ctx.trigger.scheduled_time}}||-5m",
"to": "{{ctx.trigger.triggered_time}}"
}
}
}
}
}
}
}
}
},
"condition" : {
"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
},
"actions" : {
"email_admin" : {
"email" : {
"to" : "admin@domain.host.com",
"subject" : "404 recently encountered"
}
}
}
}resp = client.watcher.put_watch(
id="my-watch",
trigger={
"schedule": {
"cron": "0 0/1 * * * ?"
}
},
input={
"search": {
"request": {
"indices": [
"logstash*"
],
"body": {
"query": {
"bool": {
"must": {
"match": {
"response": 404
}
},
"filter": {
"range": {
"@timestamp": {
"from": "{{ctx.trigger.scheduled_time}}||-5m",
"to": "{{ctx.trigger.triggered_time}}"
}
}
}
}
}
}
}
}
},
condition={
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
actions={
"email_admin": {
"email": {
"to": "admin@domain.host.com",
"subject": "404 recently encountered"
}
}
},
)const response = await client.watcher.putWatch({
id: "my-watch",
trigger: {
schedule: {
cron: "0 0/1 * * * ?",
},
},
input: {
search: {
request: {
indices: ["logstash*"],
body: {
query: {
bool: {
must: {
match: {
response: 404,
},
},
filter: {
range: {
"@timestamp": {
from: "{{ctx.trigger.scheduled_time}}||-5m",
to: "{{ctx.trigger.triggered_time}}",
},
},
},
},
},
},
},
},
},
condition: {
compare: {
"ctx.payload.hits.total": {
gt: 0,
},
},
},
actions: {
email_admin: {
email: {
to: "admin@domain.host.com",
subject: "404 recently encountered",
},
},
},
});response = client.watcher.put_watch(
id: "my-watch",
body: {
"trigger": {
"schedule": {
"cron": "0 0/1 * * * ?"
}
},
"input": {
"search": {
"request": {
"indices": [
"logstash*"
],
"body": {
"query": {
"bool": {
"must": {
"match": {
"response": 404
}
},
"filter": {
"range": {
"@timestamp": {
"from": "{{ctx.trigger.scheduled_time}}||-5m",
"to": "{{ctx.trigger.triggered_time}}"
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"email_admin": {
"email": {
"to": "admin@domain.host.com",
"subject": "404 recently encountered"
}
}
}
}
)$resp = $client->watcher()->putWatch([
"id" => "my-watch",
"body" => [
"trigger" => [
"schedule" => [
"cron" => "0 0/1 * * * ?",
],
],
"input" => [
"search" => [
"request" => [
"indices" => array(
"logstash*",
),
"body" => [
"query" => [
"bool" => [
"must" => [
"match" => [
"response" => 404,
],
],
"filter" => [
"range" => [
"@timestamp" => [
"from" => "{{ctx.trigger.scheduled_time}}||-5m",
"to" => "{{ctx.trigger.triggered_time}}",
],
],
],
],
],
],
],
],
],
"condition" => [
"compare" => [
"ctx.payload.hits.total" => [
"gt" => 0,
],
],
],
"actions" => [
"email_admin" => [
"email" => [
"to" => "admin@domain.host.com",
"subject" => "404 recently encountered",
],
],
],
],
]);curl -X PUT -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"trigger":{"schedule":{"cron":"0 0/1 * * * ?"}},"input":{"search":{"request":{"indices":["logstash*"],"body":{"query":{"bool":{"must":{"match":{"response":404}},"filter":{"range":{"@timestamp":{"from":"{{ctx.trigger.scheduled_time}}||-5m","to":"{{ctx.trigger.triggered_time}}"}}}}}}}}},"condition":{"compare":{"ctx.payload.hits.total":{"gt":0}}},"actions":{"email_admin":{"email":{"to":"admin@domain.host.com","subject":"404 recently encountered"}}}}' "$ELASTICSEARCH_URL/_watcher/watch/my-watch"client.watcher().putWatch(p -> p
.actions("email_admin", a -> a
.email(e -> e
.subject("404 recently encountered")
.to("admin@domain.host.com")
)
)
.condition(c -> c
.compare(NamedValue.of("ctx.payload.hits.total",Pair.of(ConditionOp.Gt,FieldValue.of(0))))
)
.id("my-watch")
.input(i -> i
.search(s -> s
.request(r -> r
.body(b -> b
.query(q -> q
.bool(bo -> bo
.filter(f -> f
.range(ra -> ra
.untyped(u -> u
.field("@timestamp")
)
)
)
.must(m -> m
.match(ma -> ma
.field("response")
.query(FieldValue.of(404))
)
)
)
)
)
.indices("logstash*")
)
)
)
.trigger(t -> t
.schedule(sc -> sc
.cron("0 0/1 * * * ?")
)
)
);
{
"trigger" : {
"schedule" : { "cron" : "0 0/1 * * * ?" }
},
"input" : {
"search" : {
"request" : {
"indices" : [
"logstash*"
],
"body" : {
"query" : {
"bool" : {
"must" : {
"match": {
"response": 404
}
},
"filter" : {
"range": {
"@timestamp": {
"from": "{{ctx.trigger.scheduled_time}}||-5m",
"to": "{{ctx.trigger.triggered_time}}"
}
}
}
}
}
}
}
}
},
"condition" : {
"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
},
"actions" : {
"email_admin" : {
"email" : {
"to" : "admin@domain.host.com",
"subject" : "404 recently encountered"
}
}
}
}