Adding/editing fields through watcher

seanziee · March 7, 2017, 7:14pm

So I've made a watch that has an update by query, but the main issue with this is that I then have to have two queries in the same watch which is a bit too unwieldy for me (I have to be making these watches daily and it seems redundant to have to change several parts of the watch for the same change).In other word, for the update on query, I need to query a second time because it doesn't seem to interact with the input data to the watch at all.

In my head, I want to do two things: input documents that match a query then change one field in those documents. But this isn't as easy as I thought it would be. Especially because it feels like the documentation is all over the place with the different languages and the way to call things and insufficient descriptions of how things work. Here's what I've assembled so far. It works but seems redundant:

POST _xpack/watcher/watch/ActiveTagExample
{
  "trigger" : {
    "schedule" : { "interval" : "10s" } 
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "<logstash-{now/d}>" ],
        "body" : {
          "_source" : "Summary",
          "query" : {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-1d/m"
                    }
                  }
                },
                {
                  "match_phrase" : { "Summary": "Message of error123"
                  }
                }
              ]
            }
          }
        }
      }
    }  
  },
  
  "condition" : {
    "compare" : { 
      "ctx.payload.hits.total" : { "gt" : 0 
      }
    }
  },
  "actions" : {
    "ActiveTagger" : {
      "webhook" : {
      "method" : "POST",
      "host" : "localhost",
       "port" :9200,
      "path" : "/{{ctx.payload.hits.hits.0._index}}/_update_by_query",
      "body" : "{\"script\" : {\"inline\": \"ctx._source.tags = 'TAGGED' \"}, \"query\": {\"bool\": {\"must\": [{\"query_string\": {\"query\": \"Summary:'Message of error123'\"}}]}}}"
      }
    }
  }
}

If I take away the query part of the _update_by_query, then every document in ES gets changed vs just the ones I've inputted. In other words if I take this away:

 \"query\": {\"bool\": {\"must\": [{\"query_string\": {\"query\": \"Summary:'Message of error123'\"}}]}}}

After reading a lot of documentation, I still have no idea the use of transform. Does it have a use here? Or what is it used for? Or maybe I can have one params go across the whole watch? Any suggestions to make this easier would be tremendously appreciated

Topic		Replies	Views
Updating/Editing field in ES index using Watcher Elasticsearch elastic-stack-alerting	1	601	January 10, 2019
Update all documents that were matched against the query in the watcher as part of the watcher action Elasticsearch elastic-stack-alerting	5	1410	November 21, 2017
Can 'Index action' update the documents that satisfy condition of watch? Elasticsearch elastic-stack-alerting	1	886	July 6, 2017
Help with Advanced Watcher Elasticsearch elastic-stack-alerting	3	406	December 30, 2019
Alerting passing from Fired==>OK Elasticsearch elastic-stack-alerting	9	520	May 4, 2020

Adding/editing fields through watcher

Related topics