Creating a Watcher Rule

Elk_huh · March 10, 2020, 7:39pm

I am new to watcher rules and need some guidance

How do i write a watcherrule to

Look at an index at a specific field to see if a value = B

If value = B

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "metricbeat*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "match": {
              "beat.version": "6.2.4"
            }
          }
        }
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "email"
        ],
        "subject": "found beats version",
        "body": {
          "html": "found beats version"
        }
      }
    }
  }
}

I have this but its not working as expected

spinscale · March 12, 2020, 10:38am

This looks good, but one step is missing. You only want to sent that email, if you really found any hits. This needs to be put into a condition, probably a script condition. See https://www.elastic.co/guide/en/elasticsearch/reference/7.6/condition.html

system · April 9, 2020, 10:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch watcher syntax Elasticsearch	2	1055	July 26, 2017
Help writing Watcher Elasticsearch	12	1427	March 15, 2018
Watcher mutilple actions and conditions Elasticsearch elastic-stack-alerting	8	523	November 11, 2019
Watcher elastic query Kibana elastic-stack-alerting	5	294	July 19, 2021
Elasticsearch watcher multiple indices Elasticsearch elastic-stack-alerting	3	724	July 2, 2019

Creating a Watcher Rule

Related topics