Creating a Watcher Rule

Elk_huh · March 10, 2020, 7:39pm

I am new to watcher rules and need some guidance

How do i write a watcherrule to

Look at an index at a specific field to see if a value = B

If value = B

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "metricbeat*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "match": {
              "beat.version": "6.2.4"
            }
          }
        }
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "email"
        ],
        "subject": "found beats version",
        "body": {
          "html": "found beats version"
        }
      }
    }
  }
}

I have this but its not working as expected

spinscale · March 12, 2020, 10:38am

This looks good, but one step is missing. You only want to sent that email, if you really found any hits. This needs to be put into a condition, probably a script condition. See https://www.elastic.co/guide/en/elasticsearch/reference/7.6/condition.html

system · April 9, 2020, 10:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.