Script Transform

A transform that executes a script on the current payload in the watch execution context and replaces the payload with a newly generated one. The following snippet shows how a simple script transform can be defined at the watch level:

  "transform" : {
    "script" : "return [ 'time' : ctx.trigger.scheduled_time ]"
  }

A simple Painless script that creates a new payload with a single time field holding the scheduled time.

The script transform is often useful in combination with the search transform: the script can extract only the significant data from a search result and so keep the payload minimal. This can be achieved with the chain transform.

The executed script may return a valid model that is the equivalent of a Java™ Map or a JSON object (consult the documentation of the specific scripting language to find out what this construct is). Any other returned value is assigned to the _value variable and is accessible through it.

The script attribute may hold a string value, in which case it is treated as an inline script and the default Elasticsearch script language is assumed. You can also use the other scripting languages supported by Elasticsearch. To do so, set the script field to an object describing the script and its language. The following table lists the settings that can be configured:

Table 43. Script Transform Settings

| Name | Required | Default | Description |
|------|----------|---------|-------------|
| inline | | | When using an inline script, this field holds the script itself. |
| file | | | When referring to a script file, this field holds the name of the file. |
| id | | | When referring to a stored script, this field holds the id of the script. |
| lang | | | The script language |
| params | | | Additional parameters/variables that are accessible by the script |

When using the object notation of the script, one (and only one) of the inline, file or id fields must be defined.

In addition to the provided params, the scripts also have access to the Standard Watch Execution Context Parameters.

For Groovy, you must explicitly enable dynamic scripts in elasticsearch.yml to use inline or stored scripts. To enable Groovy scripting for watches only, set script.engine.groovy.inline.xpack_watch: true.

Starting with 5.0, Elasticsearch is shipped with the new Painless scripting language. Painless was created and designed specifically for use in Elasticsearch. Beyond providing an extensive feature set, its biggest trait is that it’s properly sandboxed and safe to use anywhere in the system (including in Watcher) without the need to enable dynamic scripting.
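The rules above (one and only one of inline, file or id in object notation; Groovy inline or stored scripts depend on dynamic scripting being enabled) can be checked before a watch is deployed. The following is an added example, not code from the Elasticsearch documentation or project: it audits only the watch-level transform, and the function names and the sample watch are constructed for illustration.

```python
import json

SOURCES = ("inline", "file", "id")  # script source fields named on this page

def script_transforms(transform):
    """Yield every script transform, descending into chain transforms."""
    if "script" in transform:
        yield transform["script"]
    for step in transform.get("chain", []):
        yield from script_transforms(step)

def check_script(script):
    """Return a list of findings for one script transform value."""
    if isinstance(script, str):
        return []  # string form: inline script in the default language
    if not isinstance(script, dict):
        return ["script must be a string or an object"]
    findings = []
    present = [f for f in SOURCES if f in script]
    if len(present) != 1:
        findings.append("exactly one of inline/file/id required, found: "
                        + (", ".join(present) or "none"))
    if script.get("lang") == "groovy" and ("inline" in script or "id" in script):
        findings.append("groovy inline/stored script needs dynamic scripting enabled")
    return findings

def audit_watch(watch):
    """Map the position of each problematic script transform to its findings."""
    report = {}
    for n, script in enumerate(script_transforms(watch.get("transform", {}))):
        findings = check_script(script)
        if findings:
            report[n] = findings
    return report

# Constructed sample watch: a chain of one search step and three script steps.
SAMPLE_WATCH = json.loads("""
{ "transform": { "chain": [
    { "search": { "request": { "indices": ["logs"], "body": { "size": 1 } } } },
    { "script": "return [ 'time' : ctx.trigger.scheduled_time ]" },
    { "script": { "inline": "return [ 'n' : ctx.payload.hits.total ]",
                  "id": "my_script", "lang": "painless" } },
    { "script": { "inline": "return [ n : ctx.payload.n ]", "lang": "groovy" } }
] } }
""")

if __name__ == "__main__":
    for index, findings in audit_watch(SAMPLE_WATCH).items():
        print(index, findings)
```

Positions in the report count script transforms only, in the order they appear in the chain, so the search step is not numbered.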