Okay I think I'm getting there.
I have a search request that gives the desired value (not perfect but this will do for testing).
GET _search?
{
"query": {
"bool": {
"must" : {
"match": {
"host": "1.1.1.1"
}
},
"filter": {
"range" : {
"@timestamp": {
"gte": "now-1M/M",
"lte": "now"
}
}
}
}
},
"aggs" : {
"total_usage" : { "sum" : { "field" : "netflow.in_bytes"} }
},
"size": 0
}
But if I put it into a watch and simulate it I get "Watcher: [parse_exception] could not parse watch execution request. unexpected token [VALUE_STRING]".
I can't figure out what is wrong because it appears similar to the examples.
{
"trigger": {
"schedule": {
"interval": "30m"
}
},
"input": {
"search": {
"request": {
"indices": [ "netflow-*" ],
"types": "netflow",
"body": {
"query": {
"bool": {
"must" : {
"match": {
"host": "1.1.1.1"
}
},
"filter": {
"range" : {
"@timestamp": {
"gte": "now-1M/M",
"lte": "now"
}
}
}
}
},
"aggs" : {
"total_usage" : { "sum" : { "field" : "netflow.in_bytes"} }
},
"size": 0
},
"condition": {
"compare": {
"ctx.payload.total_usage": {
"gte": 10000000
}
}
},
"actions": {
"my-logging-action": {
"logging": {
"text": "Limit exceeded."
}
}
}
}
}
}
}