We are having difficulty getting watches to locate data in the correct timezone. We can get the watches to "execute" within the proper timezone, but the execution of the watch never seems to find the data matching the criteria. For test purposes we have created a standalone query (executed via curl) with the exact same query in it. This "curl" query matches on the criteria, but the watch does not.
Here's the query portion of the script we use via curl:
{
  "size": 0,
  "aggs": {
    "Fatal_errs" : {
      "terms": { "field": "host" }
    }
  },
  "query": {
    "filtered": {
      "query": {"match" : {"Error" : "FATAL ERROR"}},
      "filter": {
        "range": { "@timestamp": { "gt" : "now-'"$intv"'" }}
      }
    }
  }
}
This finds and aggregates the fatal errors by host for the interval we feed it, if there are fatal errors in the stored events for the range.
This is the watch setup:
"input" : {
  "search" : {
    "request" : {
      "indices" : [ "<abcd-{now\/d}>" ],
      "types" : [ "abcdefg-systemErr" ],
      "body" : {
        "size": 0,
        "aggs": {
          "Fatal_errs" : {
            "terms": { "field": "host" }
          }
        },
        "query": {
          "filtered": {
            "query": {"match" : {"Error" : "FATAL ERROR"}},
            "filter": {
              "range": { "@timestamp": { "gt" : "now-2m" }}
            }
          }
        }
      }
    }
  }
},
"condition" : {
  "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
},
This never matches (result.condition.met is always false), even when the manual script does match. We've tried adding a timezone parameter ("time_zone": "-04:00") after the range, but still no match.
So, the question is: how does one get a watch to operate in the timezone that you wish it to?
I would expect consistency in the way queries operate in the ES environment regardless of what utility they execute from.
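Two things are worth separating when reading the watch above. In Elasticsearch, `now` in date math is the current instant in UTC, and the `time_zone` option of a range query converts date strings in the query, not `now`, so `"gt": "now-2m"` denotes the same two-minute window whatever zone is set. The part of the watch that is zone-sensitive is the daily index name: `<abcd-{now/d}>` switches to the next day's name at midnight UTC, which in -04:00 is 20:00 local. Date-math index names accept an explicit zone and format in the form `<abcd-{now/d{yyyy.MM.dd|-04:00}}>`, and naming yesterday's index as well covers a window that straddles midnight. The Python below is an added example, not code from the original post or from Elasticsearch itself: `resolve_index` reproduces the documented name resolution for a small subset of date math (`now`, `+/-N` in d/h/m, rounding with `/d`, `/h`, `/m`) so the two spellings can be compared at a chosen instant, and `watch_search_input` builds the corresponding search input. The function names, the `abcd` prefix, the -04:00 offset and the timestamps are constructed for the demonstration; whether the index name is what is wrong in this particular watch is not something the post shows.

```python
"""Resolve Elasticsearch date-math index names in a chosen time zone.

Added example, not code from the original post or from Elasticsearch. It
implements the documented name syntax <static{date_math{format|time_zone}}>
for a small subset of date math (now, +/-N d|h|m, rounding /d /h /m). The
'abcd' prefix, the -04:00 offset and the timestamps are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

_INDEX_RE = re.compile(
    r"^<(?P<prefix>[^{]*)\{(?P<expr>[^{}|]+)"
    r"(?:\{(?P<fmt>[^|}]+)(?:\|(?P<tz>[^}]+))?\})?\}(?P<suffix>[^>]*)>$"
)
_MATH_RE = re.compile(r"^now(?P<ops>(?:[+-]\d+[dhm])*)(?:/(?P<round>[dhm]))?$")
_UNIT = {"d": timedelta(days=1), "h": timedelta(hours=1), "m": timedelta(minutes=1)}


def _parse_offset(tz):
    """'+12:00' / '-04:00' -> timedelta; None or 'UTC' -> zero (the ES default)."""
    if tz is None or tz.upper() == "UTC":
        return timedelta(0)
    sign = -1 if tz[0] == "-" else 1
    hours, minutes = tz.lstrip("+-").split(":")
    return sign * timedelta(hours=int(hours), minutes=int(minutes))


def _apply_date_math(expr, t):
    """Apply 'now-1d/d'-style arithmetic and rounding to an aware datetime t."""
    m = _MATH_RE.match(expr)
    if not m:
        raise ValueError("unsupported date math: %r" % expr)
    for sign, count, unit in re.findall(r"([+-])(\d+)([dhm])", m.group("ops")):
        delta = int(count) * _UNIT[unit]
        t = t + delta if sign == "+" else t - delta
    rounding = m.group("round")
    if rounding == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    elif rounding == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif rounding == "m":
        t = t.replace(second=0, microsecond=0)
    return t


def _java_to_strftime(fmt):
    """Translate the Joda/Java pattern letters used in index names to strftime."""
    for java, py in (("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"), ("HH", "%H")):
        fmt = fmt.replace(java, py)
    return fmt


def resolve_index(name, now_utc):
    """Return the concrete index name derived from `name` at the aware instant
    `now_utc`. Without an explicit |time_zone the day boundary is midnight UTC."""
    if now_utc.tzinfo is None:
        raise ValueError("now_utc must be timezone-aware")
    m = _INDEX_RE.match(name)
    if not m:
        return name  # plain index names resolve to themselves
    local = now_utc.astimezone(timezone(_parse_offset(m.group("tz"))))
    local = _apply_date_math(m.group("expr"), local)
    fmt = _java_to_strftime(m.group("fmt") or "yyyy.MM.dd")
    return m.group("prefix") + local.strftime(fmt) + m.group("suffix")


def watch_search_input(prefix, tz, interval):
    """Build a Watcher search input whose daily index rolls over at local
    midnight in `tz`, and which also names yesterday's index so a
    now-<interval> window that straddles midnight is still covered."""
    fmt_tz = "{yyyy.MM.dd|%s}" % tz
    return {
        "search": {
            "request": {
                "indices": [
                    "<%s-{now/d%s}>" % (prefix, fmt_tz),
                    "<%s-{now-1d/d%s}>" % (prefix, fmt_tz),
                ],
                "body": {
                    "size": 0,
                    "aggs": {"Fatal_errs": {"terms": {"field": "host"}}},
                    "query": {
                        "filtered": {
                            "query": {"match": {"Error": "FATAL ERROR"}},
                            # `now` is the UTC instant whatever time_zone says,
                            # so this window is the same in every zone
                            "filter": {"range": {"@timestamp": {"gt": "now-" + interval}}},
                        }
                    },
                },
            }
        }
    }


if __name__ == "__main__":
    # Constructed instant: 02:30 UTC on 1 June, i.e. 22:30 on 31 May in -04:00
    t = datetime(2016, 6, 1, 2, 30, tzinfo=timezone.utc)
    for name in ("<abcd-{now/d}>", "<abcd-{now/d{yyyy.MM.dd|-04:00}}>"):
        print(name, "->", resolve_index(name, t))
    for name in watch_search_input("abcd", "-04:00", "2m")["search"]["request"]["indices"]:
        print(name, "->", resolve_index(name, t))
```

At the constructed instant the UTC spelling resolves to `abcd-2016.06.01` while the `|-04:00` spelling resolves to `abcd-2016.05.31`; if the indexing side writes events under the local day, the first name is an index that has nothing in it yet for the next four hours, which is exactly the symptom of a condition that never trips while an ad-hoc query against the right index does.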