I have removed the timestamp, as my index does not have it. My bad...
I tried this:
POST _xpack/watcher/watch/_execute
{
"watch":
{
"trigger": {
"schedule": {
"interval": "30m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"checkpoint*"
],
"types": [],
"body": {
"size": 0,
"query": {
"match_all": {}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 1
}
}
},
"actions": {
"my-logging-action": {
"logging": {
"level": "info",
"text": "ip is {{ctx.payload.hits.hits.0._source.srcip}} "
}
}
}
}
}