Hi All,
I have configured a Watcher alert that searches for a particular query pattern. This is working fine; what I'm trying to achieve is to also include the next 4 lines in the notification when the match is found. Currently we are getting only the exactly matching line in the alert.
Could someone please help with this?
{
"trigger": {
"schedule": {
"interval": "2m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"applications-*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 1,
"query": {
"bool": {
"must": [
{
"match": {
"message": {
"query": "[message]",
"operator": "and"
}
}
},
{
"range": {
"@timestamp": {
"gte": "now-3m"
}
}
}
]
}
},
"_source": [
"message",
"beat.name",
"@timestamp"
]
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"email_me": {
"email": {
"profile": "standard",
"priority": "high",
"to": [
"test@test.com"
],
"subject": "Test [Message)]",
"body": {
"text": "Message = Test {{ctx.payload.hits.hits.0._source.message}} - {{ctx.payload.hits.hits.0._source.@timestamp}} ] - Please review }"
}
}
}
},
"metadata": {
"color": "red"
},
"throttle_period_in_millis": 900000
}