DateMath in Watcher Definition for Index name

Andrew_Riley · October 30, 2019, 4:28pm

I'm trying to set up a watcher that searches a filebeat index with a date in the name.

The watcher itself is executing, but not firing, and I'm concerned that it's because the index isn't being resolved correctly.

The indices name is defined as

<filebeat-*-{now/d}>

When retrieving the watcher via the GET /_xpack/watcher/watch/name/ or POST /_xpack/watcher/watch/name/_execute endpoint, the index name isn't translated, but still appears as <filebeat-*-{now/d}>.

Is there something wrong with this set up?

spinscale · October 31, 2019, 12:55pm

This is ok and expected. it will only be translated once the search is executed on the elasticsearch side when the watch executes.

Andrew_Riley · October 31, 2019, 4:43pm

Thanks, that at least means what I'm seeing isn't wrong. And it does seem to be working now that I've widened some search parameters.

system · November 28, 2019, 4:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher: dynamic index name does not work Elasticsearch elastic-stack-alerting	7	1718	June 28, 2017
Dynamic date passing in indices in watcher Elasticsearch elastic-stack-alerting	7	1537	December 21, 2016
Date math index name throwing error in Watcher input Elasticsearch elastic-stack-alerting	2	720	January 12, 2022
WatcherのIndex Actionで、Index名を可変にする方法がないか Elasticsearch elastic-stack-alerting	5	1114	July 2, 2019
Index name date math with wildcard? Elasticsearch elastic-stack-alerting	11	3010	July 6, 2017

DateMath in Watcher Definition for Index name

Related topics