Parameterize Watcher query string

alerting

(Rubaiyat Sadat) #1

I am currently using Watcher and part of it is as follows.

.................
"input" : {
  "search" : {
    "request" : {
      "indices" : [ "<logstash-{now/d}>" ],
      "body" : {
        "query" : {
          "filtered": {
            "query": {
              "query_string": {
                "query": "\"rd1*.xml\" OR \"permissions*.xml\" OR \"control*.zip\" AND level:ERROR",
                "analyze_wildcard": true
              }
            },
.......

What I would like to achieve is to parameterize this part, if possible.

"query": "\"rd1*.xml\" OR \"permissions*.xml\" OR \"control*.zip\" AND level:ERROR"

For example, I have to add another pattern such as "main*.zip". I would like to be able to change the values of the search query; for example, I read the query string from a file and pass it to the Watcher input. Any help is really appreciated.


(Alexander Reelsen) #2

Hey,

if you want to change the query, you have to update the watch - I do not see any simpler solution. You could potentially use a chained input and get the query string via an HTTP input from another source, but this sounds quite complicated to me.

If you really need to store the query in a file first, you could use a command line tool like fswatch to trigger a new curl call that updates the watch in Elasticsearch.

Again, this sounds kinda tedious, and it might be easier to just update the watch from your application, depending on how much coupling you want to do in your application.

Hope this helps,

--Alex


(Rubaiyat Sadat) #3

Thanks, Alex, for your quick reply. That's also what I have thought so far. The reason why I am looking for a solution is that I would like to create a Watcher template which might read from a file, for example, and change the query. The contents of the file will be changed by other interested parties who are not direct users of Watcher. You are certainly right. It is easier to update the watch from the application.

Rubaiyat
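
Added example, not part of the thread or of Elastic's code: one way to do the "update the watch from your application" step when the patterns come from a file edited by people who are not Watcher users, validating each line so the file can only contribute filename globs to the query. The file format (one glob per line), the allowed characters and all function names are assumptions; sending the resulting JSON in the watch update request is left out so the example runs offline.

```python
import copy
import json
import re

# Assumption: one filename glob per line; it must start with a letter or digit
# (no leading wildcard) and contain no quotes, spaces, colons or parentheses,
# so a file editor cannot add fields or operators to the query.
PATTERN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.*?-]{0,63}")
QUERY_PATH = ("input", "search", "request", "body", "query",
              "filtered", "query", "query_string")

def load_patterns(text):
    """Parse the pattern file contents, rejecting anything but plain globs."""
    patterns = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not PATTERN_RE.fullmatch(line):
            raise ValueError(f"line {lineno}: rejected pattern {line!r}")
        if line not in patterns:
            patterns.append(line)
    if not patterns:
        raise ValueError("pattern file is empty")
    return patterns

def build_query_string(patterns):
    """Same shape as the query in the thread; level:ERROR stays fixed."""
    return " OR ".join(f'"{p}"' for p in patterns) + " AND level:ERROR"

def apply_patterns(watch, patterns):
    """Return a copy of the watch with only the query string replaced."""
    updated = copy.deepcopy(watch)
    node = updated
    for key in QUERY_PATH:
        node = node[key]
    node["query"] = build_query_string(patterns)
    return updated

# Constructed sample: the watch fragment from the thread and a four-line file.
SAMPLE_WATCH = {"input": {"search": {"request": {
    "indices": ["<logstash-{now/d}>"],
    "body": {"query": {"filtered": {"query": {"query_string": {
        "query": "", "analyze_wildcard": True}}}}}}}}}
SAMPLE_FILE = "rd1*.xml\npermissions*.xml\ncontrol*.zip\nmain*.zip\n"

if __name__ == "__main__":
    body = apply_patterns(SAMPLE_WATCH, load_patterns(SAMPLE_FILE))
    print(json.dumps(body, indent=2))  # body for the watch update request
```
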

