Create or update a watch Generally available

POST /_watcher/watch/{id}
Api key auth Basic auth Bearer auth

All methods and paths for this operation:

PUT /_watcher/watch/{id}

POST /_watcher/watch/{id}

When a watch is registered, a new document that represents the watch is added to the .watches index and its trigger is immediately registered with the relevant trigger engine. Typically for the schedule trigger, the scheduler is the trigger engine.

IMPORTANT: You must use Kibana or this API to create a watch. Do not add a watch directly to the .watches index by using the Elasticsearch index API. If Elasticsearch security features are enabled, do not give users write privileges on the .watches index.

When you add a watch you can also define its initial active state by setting the active parameter.

When Elasticsearch security features are enabled, your watch can index or search only on indices for which the user that stored the watch has privileges. If the user is able to read index a, but not index b, the same will apply when the watch runs.

Required authorization

  • Cluster privileges: manage_watcher

Path parameters

  • id string Required

    The identifier for the watch.

Query parameters

  • active boolean

    The initial state of the watch. The default value is true, which means the watch is active by default.

  • if_primary_term number

    only update the watch if the last operation that has changed the watch has the specified primary term

  • if_seq_no number

    only update the watch if the last operation that has changed the watch has the specified sequence number

  • version number

    Explicit version number for concurrency control

application/json

Body Required

  • actions object

    The list of actions that will be run if the condition matches.

    Hide actions attribute Show actions attribute object
    • * object Additional properties
      Hide * attributes Show * attributes object
      • action_type string

        Values are email, webhook, index, logging, slack, or pagerduty.

      • condition object
        Hide condition attributes Show condition attributes object
        • always object
        • array_compare object
          Hide array_compare attribute Show array_compare attribute object
          • * object Additional properties
            Hide * attribute Show * attribute object
            • path string Required
        • compare object
          Hide compare attribute Show compare attribute object
          • * object Additional properties
        • never object
        • script object
          Hide script attributes Show script attributes object
          • params object
          • id string
      • foreach string
      • max_iterations number
      • name string
      • throttle_period string

        A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

        External documentation
      • throttle_period_in_millis number

        Time unit for milliseconds

      • transform object
        Hide transform attributes Show transform attributes object
        • chain array[object]
        • script object
          Hide script attributes Show script attributes object
          • lang string

            Default value is painless.

          • params object
          • id string
        • search object
      • index object
        Hide index attributes Show index attributes object
        • index string Required
        • doc_id string
        • refresh string

          Values are true, false, or wait_for.

        • op_type string

          Supported values include:

          • index: Overwrite any documents that already exist.
          • create: Only index documents that do not already exist.

          Values are index or create.

        • timeout string

          A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

          External documentation
        • execution_time_field string

          Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

      • logging object
        Hide logging attributes Show logging attributes object
        • level string
        • text string Required
        • category string
      • email object
        Hide email attributes Show email attributes object
      • pagerduty object
        Hide pagerduty attributes Show pagerduty attributes object
        • account string
        • attach_payload boolean Required
        • client string
        • client_url string
        • contexts array[object]
        • description string Required
        • event_type string

          Values are trigger, resolve, or acknowledge.

        • incident_key string Required
        • proxy object
      • slack object
        Hide slack attributes Show slack attributes object
        • account string
        • message object Required
          Hide message attributes Show message attributes object
          • attachments array[object] Required
          • from string Required
          • icon string
          • text string Required
          • to array[string] Required
      • webhook object
        Hide webhook attributes Show webhook attributes object
        • auth object
        • body string
        • connection_timeout string

          A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

        • headers object
          Hide headers attribute Show headers attribute object
          • * string Additional properties
        • host string
        • method string

          Values are head, get, post, put, or delete.

        • params object
          Hide params attribute Show params attribute object
          • * string Additional properties
        • path string
        • port number
        • proxy object
        • read_timeout string

          A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

        • scheme string

          Values are http or https.

        • url string
  • condition object

    The condition that defines if the actions should be run.

    Hide condition attributes Show condition attributes object
    • always object
    • array_compare object
      Hide array_compare attribute Show array_compare attribute object
      • * object Additional properties
        Hide * attribute Show * attribute object
        • path string Required
    • compare object
      Hide compare attribute Show compare attribute object
      • * object Additional properties
    • never object
    • script object
      Hide script attributes Show script attributes object

      • lang string

        Supported values include:

        • painless: Painless scripting language, purpose-built for Elasticsearch.
        • expression: Lucene’s expressions language, compiles a JavaScript expression to bytecode.
        • mustache: Mustache templated, used for templates.
        • java: Expert Java API
        Any of:
        string-1 string string-2 string

        Supported values include:

        • painless: Painless scripting language, purpose-built for Elasticsearch.
        • expression: Lucene’s expressions language, compiles a JavaScript expression to bytecode.
        • mustache: Mustache templated, used for templates.
        • java: Expert Java API

        Values are painless, expression, mustache, or java.

        Supported values include:

        • painless: Painless scripting language, purpose-built for Elasticsearch.
        • expression: Lucene’s expressions language, compiles a JavaScript expression to bytecode.
        • mustache: Mustache templated, used for templates.
        • java: Expert Java API
      • params object
        Hide params attribute Show params attribute object
        • * object Additional properties

      • source string | object

        One of:
        string-1 string SearchRequestBody object
      • id string
  • input object

    The input that defines the input that loads the data for the watch.

    Hide input attributes Show input attributes object
    • chain object
      Hide chain attribute Show chain attribute object
      • inputs array[object] Required
        Hide inputs attribute Show inputs attribute object
        • * object
    • http object
      Hide http attributes Show http attributes object
      • extract array[string]
      • request object
        Hide request attributes Show request attributes object
        • body string
        • headers object
        • params object
        • path string
        • url string
      • response_content_type string

        Values are json, yaml, or text.

    • search object
      Hide search attributes Show search attributes object
      • extract array[string]
      • request object Required
        Hide request attributes Show request attributes object
        • indices array[string]
        • rest_total_hits_as_int boolean
      • timeout string

        A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

        External documentation
    • simple object
      Hide simple attribute Show simple attribute object
      • * object Additional properties
  • metadata object

    Metadata JSON that will be copied into the history entries.

    Hide metadata attribute Show metadata attribute object
    • * object Additional properties
  • throttle_period string

    The minimum time between actions being run. The default is 5 seconds. This default can be changed in the config file with the setting xpack.watcher.throttle.period.default_period. If both this value and the throttle_period_in_millis parameter are specified, Watcher uses the last parameter included in the request.

    External documentation
  • throttle_period_in_millis number

    Time unit for milliseconds

  • transform object

    The transform that processes the watch payload to prepare it for the watch actions.

    Hide transform attributes Show transform attributes object
    • chain array[object]
    • script object
      Hide script attributes Show script attributes object
    • search object
      Hide search attributes Show search attributes object
      • request object Required
        Hide request attributes Show request attributes object
        • indices array[string]
        • rest_total_hits_as_int boolean
      • timeout string Required

        A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

        External documentation
  • trigger object

    The trigger that defines when the watch should run.

    Hide trigger attribute Show trigger attribute object
    • schedule object
      Hide schedule attributes Show schedule attributes object
      • timezone string
      • cron string
      • daily object
        Hide daily attribute Show daily attribute object
        • at array[string | object] Required
      • hourly object
        Hide hourly attribute Show hourly attribute object
        • minute array[number] Required
      • interval string

        A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

        External documentation

      • monthly object | array[object]

        One of:
        TimeOfMonth object array-2 array[object]

      • weekly object | array[object]

        One of:
        TimeOfWeek object array-2 array[object]

      • yearly object | array[object]

        One of:
        TimeOfYear object array-2 array[object]

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • created boolean Required
    • _id string Required
    • _primary_term number Required
    • _seq_no number Required
    • _version number Required
POST /_watcher/watch/{id} 
PUT _watcher/watch/my-watch
{
  "trigger" : {
    "schedule" : { "cron" : "0 0/1 * * * ?" }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [
          "logstash*"
        ],
        "body" : {
          "query" : {
            "bool" : {
              "must" : {
                "match": {
                  "response": 404
                }
              },
              "filter" : {
                "range": {
                  "@timestamp": {
                    "from": "{{ctx.trigger.scheduled_time}}||-5m",
                    "to": "{{ctx.trigger.triggered_time}}"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "actions" : {
    "email_admin" : {
      "email" : {
        "to" : "admin@domain.host.com",
        "subject" : "404 recently encountered"
      }
    }
  }
}
resp = client.watcher.put_watch(
    id="my-watch",
    trigger={
        "schedule": {
            "cron": "0 0/1 * * * ?"
        }
    },
    input={
        "search": {
            "request": {
                "indices": [
                    "logstash*"
                ],
                "body": {
                    "query": {
                        "bool": {
                            "must": {
                                "match": {
                                    "response": 404
                                }
                            },
                            "filter": {
                                "range": {
                                    "@timestamp": {
                                        "from": "{{ctx.trigger.scheduled_time}}||-5m",
                                        "to": "{{ctx.trigger.triggered_time}}"
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    },
    condition={
        "compare": {
            "ctx.payload.hits.total": {
                "gt": 0
            }
        }
    },
    actions={
        "email_admin": {
            "email": {
                "to": "admin@domain.host.com",
                "subject": "404 recently encountered"
            }
        }
    },
)
const response = await client.watcher.putWatch({
  id: "my-watch",
  trigger: {
    schedule: {
      cron: "0 0/1 * * * ?",
    },
  },
  input: {
    search: {
      request: {
        indices: ["logstash*"],
        body: {
          query: {
            bool: {
              must: {
                match: {
                  response: 404,
                },
              },
              filter: {
                range: {
                  "@timestamp": {
                    from: "{{ctx.trigger.scheduled_time}}||-5m",
                    to: "{{ctx.trigger.triggered_time}}",
                  },
                },
              },
            },
          },
        },
      },
    },
  },
  condition: {
    compare: {
      "ctx.payload.hits.total": {
        gt: 0,
      },
    },
  },
  actions: {
    email_admin: {
      email: {
        to: "admin@domain.host.com",
        subject: "404 recently encountered",
      },
    },
  },
});
response = client.watcher.put_watch(
  id: "my-watch",
  body: {
    "trigger": {
      "schedule": {
        "cron": "0 0/1 * * * ?"
      }
    },
    "input": {
      "search": {
        "request": {
          "indices": [
            "logstash*"
          ],
          "body": {
            "query": {
              "bool": {
                "must": {
                  "match": {
                    "response": 404
                  }
                },
                "filter": {
                  "range": {
                    "@timestamp": {
                      "from": "{{ctx.trigger.scheduled_time}}||-5m",
                      "to": "{{ctx.trigger.triggered_time}}"
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "compare": {
        "ctx.payload.hits.total": {
          "gt": 0
        }
      }
    },
    "actions": {
      "email_admin": {
        "email": {
          "to": "admin@domain.host.com",
          "subject": "404 recently encountered"
        }
      }
    }
  }
)
$resp = $client->watcher()->putWatch([
    "id" => "my-watch",
    "body" => [
        "trigger" => [
            "schedule" => [
                "cron" => "0 0/1 * * * ?",
            ],
        ],
        "input" => [
            "search" => [
                "request" => [
                    "indices" => array(
                        "logstash*",
                    ),
                    "body" => [
                        "query" => [
                            "bool" => [
                                "must" => [
                                    "match" => [
                                        "response" => 404,
                                    ],
                                ],
                                "filter" => [
                                    "range" => [
                                        "@timestamp" => [
                                            "from" => "{{ctx.trigger.scheduled_time}}||-5m",
                                            "to" => "{{ctx.trigger.triggered_time}}",
                                        ],
                                    ],
                                ],
                            ],
                        ],
                    ],
                ],
            ],
        ],
        "condition" => [
            "compare" => [
                "ctx.payload.hits.total" => [
                    "gt" => 0,
                ],
            ],
        ],
        "actions" => [
            "email_admin" => [
                "email" => [
                    "to" => "admin@domain.host.com",
                    "subject" => "404 recently encountered",
                ],
            ],
        ],
    ],
]);
curl -X PUT -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"trigger":{"schedule":{"cron":"0 0/1 * * * ?"}},"input":{"search":{"request":{"indices":["logstash*"],"body":{"query":{"bool":{"must":{"match":{"response":404}},"filter":{"range":{"@timestamp":{"from":"{{ctx.trigger.scheduled_time}}||-5m","to":"{{ctx.trigger.triggered_time}}"}}}}}}}}},"condition":{"compare":{"ctx.payload.hits.total":{"gt":0}}},"actions":{"email_admin":{"email":{"to":"admin@domain.host.com","subject":"404 recently encountered"}}}}' "$ELASTICSEARCH_URL/_watcher/watch/my-watch"
Request example
Run `PUT _watcher/watch/my-watch` add a watch. The watch schedule triggers every minute. The watch search input looks for any 404 HTTP responses that occurred in the last five minutes. The watch condition checks if any search hits where found. When found, the watch action sends an email to an administrator. 
{
  "trigger" : {
    "schedule" : { "cron" : "0 0/1 * * * ?" }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [
          "logstash*"
        ],
        "body" : {
          "query" : {
            "bool" : {
              "must" : {
                "match": {
                  "response": 404
                }
              },
              "filter" : {
                "range": {
                  "@timestamp": {
                    "from": "{{ctx.trigger.scheduled_time}}||-5m",
                    "to": "{{ctx.trigger.triggered_time}}"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "actions" : {
    "email_admin" : {
      "email" : {
        "to" : "admin@domain.host.com",
        "subject" : "404 recently encountered"
      }
    }
  }
}