From version 5.0 onward, Watcher is part of X-Pack. For more information, see Alerting on cluster and index events.
« How Watcher Works Watch Execution »
Elastic Docs Elasticsearch Watcher [1.0] How Watcher Works

Watch Definition

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Watch Definition

edit

A watch consists of a trigger, input, condition, and the actions you want to perform when the watch condition is met. In addition, you can define transforms to process the watch payload before executing the actions.

Trigger
Determines when the watch is checked. A watch must have a trigger.
Input
Loads data into the watch payload. If no input is specified, an empty payload is loaded.
Condition
Controls whether the watch actions are executed. If no condition is specified, the condition defaults to always.
Transform
Processes the watch payload to prepare it for the watch actions. You can define transforms at the watch level or define action-specific transforms. Optional.
Actions
Specify what happens when the watch condition is met.

For example, the following snippet shows a Put Watch request that defines a watch that looks for log error events:

PUT _watcher/watch/log_event_watch
{
  "metadata" : { 
    "color" : "red"
  },
  "trigger" : { 
    "schedule" : {
      "interval" : "5m"
    }
  },
  "input" : { 
    "search" : {
      "request" : {
        "search_type" : "count",
        "indices" : "log-events",
        "body" : {
          "query" : { "match" : { "status" : "error" } }
        }
      }
    }
  },
  "condition" : { 
    "script" : "return ctx.payload.hits.total > 5"
  },
  "transform" : { 
    "search" : {
        "request" : {
          "indices" : "log-events",
          "body" : {
            "query" : { "match" : { "status" : "error" } }
          }
        }
    }
  },
  "actions" : { 
    "my_webhook" : {
      "webhook" : {
        "method" : "POST",
        "host" : "mylisteninghost",
        "port" : 9200,
        "path" : "/{{watch_id}}",
        "body" : "Encountered {{ctx.payload.hits.total}} errors"
      }
    },
    "email_administrator" : {
      "email" : {
        "to" : "sys.admino@host.domain",
        "subject" : "Encountered {{ctx.payload.hits.total}} errors",
        "body" : "Too many error in the system, see attached data",
        "attach_data" : true,
        "priority" : "high"
      }
    }
  }
}

Metadata - You can attach optional static metadata to a watch.

Trigger - This schedule trigger executes the watch every 5 minutes

Input - This input searches for errors in the log-events index and loads the response into the watch payload.

Condition - This condition checks to see if there are more than 5 error events (hits in the search response). If there are, execution continues.

Transform - If the watch condition is met, this transform loads all of the errors into the watch payload by searching for the errors using the default search type, query_then_fetch. All of the watch actions have access to this payload.

Actions - This watch has two actions. The my_webhook action notifies a 3rd party system about the problem. The email_administrator action sends a high priority email to the system administrator. The watch payload that contains the errors is attached to the email.
« How Watcher Works Watch Execution »