Hi Dennis,
Your query is currently set up to search across all time, so once you have one record in the system that matches, you will get a match every time the query executes. You can use simple date math in the query portion to filter just to recent documents.
Here's a slightly modified watch I used in the recent Watcher Webinar. Note the way the query section is written - I filter the results to just the results that occurred in the last 25 seconds. In this case, I set up a slightly larger time range for my query than I do for my trigger interval, just to make sure I don't miss anything that might have been in-flight on its way into ES.
PUT _watcher/watch/twitter_watcher_mention
{
  "trigger": {
    "schedule": {
      "interval": "20s"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "logstash-*" ],
        "body": {
          "query": {
            "filtered": {
              "query": {
                "match_phrase": {"message": "my_event_to_match"}
              },
              "filter": {
                "bool": {
                  "must": [
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "now-25s"
                        }
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "log" : {
      "logging" : {
        "text" : "There were {{ctx.payload.hits.total}} Tweets at {{ctx.execution_time}}"
      }
    }
  }
}
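
The timing trade-off in the reply above, as an added Python model that is not part of the original post: it replays a 20s schedule against a lookback window of 20s and of 25s and counts how many runs match each event. The event times and ingest lags are constructed, and the model assumes a document matches a run when its @timestamp is inside the window and it is already searchable at run time.

```python
# Simplified model of a scheduled watch with a "now-<window>s" range filter.
# All times are whole seconds; sample events are constructed for illustration.

INTERVAL = 20  # trigger interval from the watch above ("20s")

# (event @timestamp, ingest lag before the document is searchable)
EVENTS = [
    (5, 1),    # arrives well before the next run
    (19, 3),   # in flight when the run at t=20 fires
    (37, 1),   # falls inside the overlap of two 25s windows
    (58, 8),   # in flight when the run at t=60 fires
    (70, 12),  # lag is larger than the 5s overlap
]


def simulate(events, interval, window, runs):
    """Return a list with the number of runs that matched each event."""
    counts = [0] * len(events)
    for n in range(1, runs + 1):
        now = n * interval
        for i, (ts, lag) in enumerate(events):
            searchable = ts + lag <= now   # document has reached the index
            in_window = ts >= now - window  # "gte": "now-<window>s"
            if searchable and in_window:
                counts[i] += 1
    return counts


def missed(counts):
    """Indexes of events no run ever matched (silent alert gaps)."""
    return [i for i, c in enumerate(counts) if c == 0]


def duplicated(counts):
    """Indexes of events matched by more than one run (repeat alerts)."""
    return [i for i, c in enumerate(counts) if c > 1]


if __name__ == "__main__":
    for window in (20, 25):
        counts = simulate(EVENTS, INTERVAL, window, runs=6)
        print(f"window={window}s counts={counts} "
              f"missed={missed(counts)} duplicated={duplicated(counts)}")
```

In this model the 25s window recovers events delayed by up to 5s, at the cost of matching an event in the overlap on two consecutive runs. An event delayed longer than the overlap is still missed, so the extra lookback has to cover the ingest lag actually seen.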