Hi, I am setting up Watcher alerts with multi-match criteria. I am getting a count of more than 2400, but when I use the same multi-filter criteria in the Discover log section I get a count of 113.
I am not sure where exactly I am going wrong. I am using a timestamp query with now-4h. Please advise.
Below is the JSON:

```
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"json-data*"
],
"rest_total_hits_as_int": true,
"body": {
"query": {
"bool": {
"must": [
{
"match": {
"record.dataAssetName": "prod/data/*"
}
},
{
"match": {
"record.is_manifest": "True"
}
},
{
"match": {
"record.status": "Success"
}
},
{
"range": {
"@timestamp": {
"gte": "now-4h"
}
}
}
]
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 35
}
}
},
"actions": {
"send_email": {
"email": {
"profile": "standard",
"to": [
"srajus@gmail.com",
"srajus12345@gmail.com"
],
"subject": "Watcher Notification",
"body": {
"text": "SLO has been breached. As of now, a total of {{ctx.payload.hits.total}} reports have been completed."
}
}
}
}
}
```