Hi,
Yes, that makes more sense. I'm still looking for a way to provide a "pre-queried" set of logs to the watcher though (or a manually-uploaded list of documents), rather than pointing it at an active index.
It seems that Watcher doesn't directly support this, so the only way I can think of getting this to work is:
- Manually query a test-set of logs using the query / aggs block of the watcher
- Provide this result-set to the watcher using alternative_input, with simulate mode enabled
- Check the expected action was triggered
This will work, it's just a little awkward.
Thanks for your help
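The three-step check described in the reply above, worked through against the Execute Watch API as an added example (this is not code from the original thread or from Elastic). The Elasticsearch URL, the watch id "errors_on_login", the action id "notify_admin", the canned hits and the sample response are all hypothetical; the request fields it sends (alternative_input, action_modes, record_execution, ignore_condition) and the response fields it reads (watch_record.result.condition.met, watch_record.result.actions[].status) are the documented parameters of POST _watcher/watch/<watch_id>/_execute. One caveat the thread only hints at: alternative_input replaces ctx.payload wholesale, so the canned data has to mirror the shape the watch's own search input would have produced (hits and aggregations), not be a bare list of documents.

```python
"""Run a watch against a canned ("pre-queried") result set via the Execute Watch API.

Added example, not code from the original thread. Hypothetical: the Elasticsearch
URL, the watch id "errors_on_login", the action id "notify_admin", the canned hits
and the sample response. The request fields sent (alternative_input, action_modes,
record_execution, ignore_condition) and the response fields read
(watch_record.result.condition.met, watch_record.result.actions[].status) are the
documented ones for POST _watcher/watch/<watch_id>/_execute.
"""
import json
import urllib.request

# Constructed test set. alternative_input replaces ctx.payload wholesale, so it has
# to mirror what the watch's own search input would have produced (hits and
# aggregations), not be a bare list of documents.
CANNED_PAYLOAD = {
    "hits": {
        "total": {"value": 3, "relation": "eq"},
        "hits": [
            {"_id": "1", "_source": {"status": 500, "path": "/login"}},
            {"_id": "2", "_source": {"status": 500, "path": "/login"}},
            {"_id": "3", "_source": {"status": 200, "path": "/"}},
        ],
    },
    "aggregations": {"errors": {"doc_count": 2}},
}

# Constructed response, shaped like what _execute returns when the condition is
# met and every action runs in simulate mode.
SAMPLE_EXECUTE_RESPONSE = {
    "_id": "errors_on_login_0-2024-01-01T00:00:00.000Z",
    "watch_record": {
        "watch_id": "errors_on_login",
        "state": "executed",
        "result": {
            "condition": {"type": "compare", "status": "success", "met": True},
            "actions": [
                {"id": "notify_admin", "type": "logging", "status": "simulated"}
            ],
        },
    },
}


def build_execute_body(payload, simulate=True):
    """Body for _execute: feed the canned payload in, simulate rather than fire."""
    return {
        "alternative_input": payload,
        # "simulate" runs the action's logic and templates but sends nothing.
        "action_modes": {"_all": "simulate" if simulate else "execute"},
        # A test run should not land in .watcher-history or touch ack state.
        "record_execution": False,
        # Keep the condition: the whole point is to test whether it trips.
        "ignore_condition": False,
    }


def condition_met(response):
    """True if the watch condition evaluated to met for this execution."""
    return bool(response["watch_record"]["result"]["condition"]["met"])


def action_statuses(response):
    """{action_id: status}; empty when the condition did not trip."""
    actions = response["watch_record"]["result"].get("actions", [])
    return {a["id"]: a["status"] for a in actions}


def action_fired(response, action_id):
    """True if the action ran (really or simulated); throttled or failed is not fired."""
    return action_statuses(response).get(action_id) in ("success", "simulated")


def execute_watch(es_url, watch_id, body, auth_header=None):
    """POST the body to _execute and return the parsed response (needs a live cluster)."""
    req = urllib.request.Request(
        f"{es_url}/_watcher/watch/{watch_id}/_execute",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    if auth_header:
        req.add_header("Authorization", auth_header)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_execute_body(CANNED_PAYLOAD)
    # Against a real cluster (hypothetical URL and credential):
    # resp = execute_watch("https://localhost:9200", "errors_on_login", body, "ApiKey <base64 key>")
    resp = SAMPLE_EXECUTE_RESPONSE  # offline: use the constructed response instead
    print("condition met:", condition_met(resp))
    print("notify_admin fired:", action_fired(resp, "notify_admin"))
```

Because record_execution is false the test run is not written to the watch history and does not change the action's ack state, so the same canned payload can be replayed as often as needed while the condition or action templates are being tuned.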