How to get report of before and after 5 lines of log when message match = my-error to my email in x-pack in elasticsearch in plain text format

PUT _xpack/watcher/watch/log_error_watch
"trigger" : { "schedule" : { "interval" : "10s" }},
"input" : {
"search" : {
"request" : {
"indices" : [ "filebeat-*" ],
"body" : {
"query" : {
"bool" : {
"must" : [
{ "match" : { "message": "error" }},
{ "range" : { "result.execution_time" : { "from" : "now-10s" }}}
"condition" : {
"compare" : { "" : { "gt" : 0 }}
"actions" : {
"email_admin" : {
"email": {
"to": "John Doe",
"attachments" : {
"data.yml" : {
"data" : {
"format" : "yaml"

Here I want to get before and after 5 lines and only when the message matches error in email using x-pack in elasticsearch in the form of plain text format. Please, anyone, help me here.

You can put together something like this using the Search transform to query for logs within a time bound around the timestamp on the error message, say +/- 5 seconds using a range query. Getting exactly 5 lines before and after is a bit more difficult. You might be able to trim the results with a Script transform as part of a Chain transform, though, if it's critical.

@gbrown thanks for you replay. Can you please provide code for +/-5 sec. I've requirement like above.

@gbrown please give me the code for after matching the message. I'nt once match the pattern message display before and after +/-5 lines of the error match lines to be print . and let me how to get report to my mail. Please tell me any one .

@here some one help me above my problem. please.


I think the tough part here is to come up with a definition of what 5 lines above or below something means. This could mean you want the same five lines in the same logfile, but if it is a syslog file, those messages might actually be from a completely different service. If it is from an apache log, those next lines might be from a completely different IP address. So you need to define first for yourself what exactly this means. Do you want to filter by IP, by host, by service, by log level. And only after doing this one can come up with a query.

This is also the reason, why it is super hard for anyone external to your usecase to come up with concrete queries.

Hope this helps.


1 Like

Yes. I'm monitoring both syslogs as well as apache, JBOSS and my app logs. Can you please provide the x-pack notification script.

@here some one help me.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.