Include entire query result in Watcher email

I am attempting to include all fields from my search query results in a Watcher email; currently I can only see the fields I am matching directly in my query.

{

  "trigger": {

    "schedule": {

      "interval": "90s"

    }

  },

  "input": {

    "search": {

      "request": {

        "search_type": "query_then_fetch",

        "indices": [

          "wazuh-alerts-3.x-*"

        ],

        "rest_total_hits_as_int": true,

        "body": {

          "size": 1000,

          "query": {

            "bool": {

              "must": [

                {

                  "match": {

                    "syscheck.tags": "1234"

                  }

                },

                {

                  "range": {

                    "timestamp": {

                      "gte": "now-90s",

                      "lte": "now"

                    }

                  }

                }

              ]

            }

          }

        }

      }

    }

  },

  "condition": {

    "compare": {

      "ctx.payload.hits.total": {

        "gte": 1

      }

    }

  },

  "actions": {

    "send_email": {

      "email": {

        "profile": "standard",

        "attachments": {

          "attached_data": {

            "data": {

              "format": "json"

            }

          }

        },

        "priority": "high",

        "to": [

          "yellow@gmail.com"

        ],

        "subject": "Arbitrary Email Subject ",

        "body": {

          "text": "See attached JSON file for details"

        }

      }

    }

  }

}

The attached_data will always contain only the data that was returned by your query — in this example, up to 1000 documents. There is no way that it will return more data than the search itself does.

In addition, email is probably not the best way to send potentially millions of documents somewhere. Maybe just execute a scroll search yourself?
