Hi,
Attached below is my watcher script, which is meant to ingest all hits into an index and send an email action for every hit.
Currently I am only able to do that for the first result/first hit, using the following piece of code:
""transform": {
"script": {
"source": "['message': ctx.payload.hits.hits.0._source ]",
"lang": "painless"
}
}"
What I want is to perform the actions on all hits instead of just the first.
Following is my watcher script:
{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"index-*"
],
"rest_total_hits_as_int": true,
"body": {
"query": {
"bool": {
"must": [
{
"match": {
"message": "match1"
}
},
{
"match": {
"message": "match2"
}
}
],
"filter": {
"range": {
"@timestamp": {
"from": "now-600m",
"to": "now"
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"index_payload": {
"transform": {
"script": {
**"source": "['message': ctx.payload.hits.hits.0._source ]",**
"lang": "painless"
}
},
"index": {
"index": "access_testing_index",
"doc_type": "_doc",
"execution_time_field": "timestamp"
}
},
"email_admin": {
"email": {
"profile": "standard",
"from": "blahhh",
"priority": "high",
"to": [
"blahhhhh"
],
"subject": "Siren Alert ALARM {{ payload._id }}",
"body": {
"text": "Series Alarm {{ payload._id}}: {{ payload.myvar }}"
}
}
}
}
}