Dynamic date passing in indices in watcher

Elastic Stack Elasticsearch
1

Hi,

I am new to ELK setup, I am trying to create watcher for regular monitoring. I am unable to pass date as dynamic in watcher. Can you please help me how to fix this.

PUT _xpack/watcher/watch/test
{
"trigger" : {
"schedule" : { "interval" : "7200s" }
},
"input" : {
"search" : {
"request" : {
"indices" : ["%3Cfilebeat-%7Bnow%2Fd%7D%3E"],
"body" : {
"query" : {
"match" : { "message": "testing" }
}
}
}
}
},
"actions" : {
"send_email" : {
"email" : {
"to" : "",
"subject" : "Found Exceptions in logs",
"body" : "Logs are showing Exceptions",
"attach_data" : true
}
}
}
}

Indices field is not taking the dynamic date format.,

2

Hey,

have you tried not URL encoding it? The search input does not require this.

--Alex

3

Hey Alex,

I tried like this [ filebeat - {now/d}], it is also not working. I tried with filebeat-* it worked. if I use * will it run for all days indices or not

-Sankar

4

Hey,

that is the wrong syntax, you need to use the <> chars. See the the dath math docs

--Alex

5 
    "indices" : <"filebeat- {now/d}>,

I tried like this also, no luck. If you don't mind can you give me the exact syntax

6

Please sit back and take the time to read the documentation. You literally just have to copy and paste the example and replace logstash with filebeat. I cannot do much more, than pointing you to it. Your example above contains two errors, as it is invalid JSON and contains an unneeded white space.

--Alex

7

Able to figure it out! Thanks

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.