Advanced Watcher Alternative input

I want to specify an advanced watch with an alternative input. Right now I am matching all logs in the syntax, but I just want to match = firewall.
I'm an elastic beginner and so I'm not very familiar with the JSON structure :sweat_smile:
Can somebody give me the syntax for "Alternative input"? :slight_smile:

Hi @zangero98, to clarify, the UI you're looking at is for simulating the watch that you're defining. The specific "Alternative input" text box from your screenshot is for "faking" the input that would be returned by your definition of the watcher input field. This can be any JSON object you like. The purpose of this UI is to experiment with the watch and see how it behaves in different user-defined scenarios.

However, it doesn't sound like this is quite relevant to your goal. You said you're matching all logs, and you want to define a condition so you only match a subset of those logs. This sounds like you want to define a search for the input field, in which you can write the Elasticsearch query for retrieving logs that match your condition. Here are the docs on how to define a search for the input field: Watcher search input | Elasticsearch Guide [7.15] | Elastic.

Here is where you can get started learning how to define filters in your query: Query and filter context | Elasticsearch Guide [7.15] | Elastic

Does this help?

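As an added illustration of the answer above (not code from the original thread or from Elastic's docs), here is a complete watch definition that uses a search input with a filter so only a subset of logs is matched. The index pattern `logs-*`, the field name `event.category`, the value `firewall`, the five-minute interval and the action name are all assumptions chosen for the example; replace them with the index and field your logs actually use.

```json
{
  "trigger": {
    "schedule": { "interval": "5m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["logs-*"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "term": { "event.category": "firewall" } },
                { "range": { "@timestamp": { "gte": "now-5m" } } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "actions": {
    "log_firewall_hits": {
      "logging": {
        "text": "{{ctx.payload.hits.total}} firewall log events in the last 5 minutes"
      }
    }
  }
}
```

The `term` clause in filter context is what restricts the search to `firewall` events; the `range` clause keeps each run bounded to the time since the previous trigger, and the `compare` condition only fires the action when at least one document matched. Once this is saved, the "Alternative input" box in the simulate UI is where you would paste a fake payload such as `{"hits": {"total": 3, "hits": []}}` to check that the condition and action behave as expected without waiting for real firewall events.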
