Sorry for the misunderstanding - I originally thought you were looking for information on the search input for a Watch. If you're looking for information on options for the range query, you can find it here - it is a core feature of the Elasticsearch query DSL, not just a feature of a watch.
Taking a harder look at your setup, you should modify your query clause to look like this:
    "query": {
      "bool": {
        "filter": [
          {
            "range": {
              "@timestamp": {
                "gte": "now-3m"
              }
            }
          },
          {
            "term": {
              "message": "404"
            }
          }
        ]
      }
    }
In other words, do a term filter.
Another thing to double-check is that the time field in your index truly is @timestamp instead of other possibilities (like just plain timestamp).
Finally, to take any possible setup issues related to the email notification out of the picture, you can add the following logging action in addition to the email:
    "actions": {
      "log": {
        "logging": {
          "level": "info",
          "text": "Watcher Notification from {{ctx.payload.hits.hits.0._source.beat.name}} - Found {{ctx.payload.hits.total}} 404 errors in the logs"
        }
      },
      "send_email": {
        "throttle_period_in_millis": 180000,
        "email": {
          "profile": "standard",
          "from": "shengyongp@oupeng.com",
          "to": [
            "PeiShengyong shengyongp@oupeng.com",
            "DuanWei weiduan@oupeng.com"
          ],
          "subject": "Watcher Notification from {{ctx.payload.hits.hits.0._source.beat.name}}",
          "body": {
            "text": "Found {{ctx.payload.hits.total}} 404 errors in the logs"
          }
        }
      }
    },
That way, the text of the watch results simply shows up in the elasticsearch.log file.
Hope that helps!
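
The three checks suggested in the reply above (a term clause under `bool.filter`, a range field that really exists in the indexed documents, and a logging action next to the email), written as an added Python example that is not part of the original post. The helper names `range_fields`, `preflight` and `make_watch`, the sample document and both watches are constructed for illustration; the `input.search.request.body` layout is assumed for the part of the watch the post does not show.

```python
# Added example: SAMPLE_DOC, both watches and all helper names are constructed.
def range_fields(node):
    """Yield each field name used in a range clause, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "range" and isinstance(value, dict):
                yield from value
            else:
                yield from range_fields(value)
    elif isinstance(node, list):
        for item in node:
            yield from range_fields(item)

def preflight(watch, sample_doc):
    """Return deviations from the reply's advice; an empty list means none."""
    problems = []
    query = watch["input"]["search"]["request"]["body"].get("query", {})
    filters = query.get("bool", {}).get("filter", [])
    if isinstance(filters, dict):      # a single filter clause may be an object
        filters = [filters]
    if not any("term" in clause for clause in filters):
        problems.append("no term clause under bool.filter")
    for field in range_fields(query):
        if field not in sample_doc:    # top-level field names only
            problems.append(f"range field {field!r} not in sample document")
    if not any("logging" in a for a in watch.get("actions", {}).values()):
        problems.append("no logging action alongside the email")
    return problems

# Constructed sample: one indexed document, as seen in hits.hits[n]._source.
SAMPLE_DOC = {"@timestamp": "2016-01-01T00:00:00.000Z",
              "message": "GET /missing HTTP/1.1 404", "beat": {"name": "web-01"}}

def make_watch(query, actions):
    return {"input": {"search": {"request": {"body": {"query": query}}}},
            "actions": actions}

GOOD_WATCH = make_watch(
    {"bool": {"filter": [{"range": {"@timestamp": {"gte": "now-3m"}}},
                         {"term": {"message": "404"}}]}},
    {"log": {"logging": {"text": "Found {{ctx.payload.hits.total}} 404 errors"}}})

BAD_WATCH = make_watch(
    {"bool": {"must": [{"range": {"timestamp": {"gte": "now-3m"}}},
                       {"match": {"message": "404"}}]}},
    {"send_email": {"email": {"to": ["ops@example.com"]}}})

if __name__ == "__main__":
    for name, watch in (("good", GOOD_WATCH), ("bad", BAD_WATCH)):
        print(name, preflight(watch, SAMPLE_DOC))
```

To use it against a real setup, replace `SAMPLE_DOC` with the `_source` of one document fetched from the index the watch searches.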