Dear Elasticsearch Community,
I'm implementing a monitoring dashboard that needs to display all active watches that have met their alerting conditions within a specific time window but have not returned to a normal state. Essentially, I need to identify watches that are currently in an ERROR state.
Current Implementation Challenge
Based on the Watcher API documentation, I understand that only _id and metadata.* fields are queryable or sortable. This presents a challenge when trying to filter watches server-side using criteria like:
- status.state: "active"
- status.execution_state: "executed" OR "acknowledged"
- status.last_checked: >= "now-24h"
- status.actions.last_execution.status: "executed_with_errors"
Currently, I'm implementing this by:
- Fetching all watches using GET /_watcher/watch/_all
- Applying the filtering logic in my application code
My Question
Is there a more efficient way to query watches based on their execution state and alerting conditions directly through the API? I'm looking for a solution that:
- Doesn't require fetching all watches and filtering client-side
- Can specifically identify watches that met conditions but haven't cleared
- Allows filtering by time window (e.g., watches that triggered in the last X hours)
Does Elasticsearch provide any advanced querying capabilities for watches that I might have overlooked? Or are there best practices for efficiently monitoring watch states at scale?
Thank you for your time and expertise.
Regards, Santiago
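The client-side filtering step described in the post, as an added example that is not the poster's code: it assumes watch records in the shape the query-watches API returns (an `_id` plus a `status` object carrying Watcher's `state.active`, `last_met_condition`, `execution_state` and per-action `ack.state` / `last_execution.successful` fields) and treats an action whose ack state is still "ackable" as one that has fired and not yet cleared. The input records below are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real watches) in the shape of the
# query-watches response: "_id" plus the watch "status" object.
SAMPLE_WATCHES = [
    {"_id": "disk_full", "status": {
        "state": {"active": True}, "execution_state": "executed",
        "last_checked": "2024-05-01T10:00:00.000Z",
        "last_met_condition": "2024-05-01T10:00:00.000Z",
        "actions": {"notify": {"ack": {"state": "ackable"},
                               "last_execution": {"successful": True}}}}},
    {"_id": "cpu_high", "status": {
        "state": {"active": True}, "execution_state": "executed",
        "last_checked": "2024-05-01T10:00:00.000Z",
        "last_met_condition": "2024-04-20T10:00:00.000Z",
        "actions": {"notify": {"ack": {"state": "awaits_successful_execution"},
                               "last_execution": {"successful": True}}}}},
    {"_id": "stale", "status": {
        "state": {"active": False}, "execution_state": "executed",
        "last_checked": "2024-05-01T10:00:00.000Z",
        "last_met_condition": "2024-05-01T09:30:00.000Z",
        "actions": {"notify": {"ack": {"state": "ackable"},
                               "last_execution": {"successful": True}}}}},
    {"_id": "broken", "status": {
        "state": {"active": True}, "execution_state": "failed",
        "last_checked": "2024-05-01T09:45:00.000Z",
        "last_met_condition": "2024-05-01T09:45:00.000Z",
        "actions": {"notify": {"ack": {"state": "awaits_successful_execution"},
                               "last_execution": {"successful": False}}}}},
]

def _ts(value):
    # Watcher timestamps are ISO 8601 with a trailing "Z" (UTC).
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def uncleared_alerts(watches, now, window=timedelta(hours=24)):
    """Ids of active watches whose condition was met inside the window and
    that still have a firing (un-acked) action or a failed execution."""
    cutoff = now - window
    hits = []
    for w in watches:
        st = w.get("status", {})
        if not st.get("state", {}).get("active"):
            continue  # disabled watches cannot be alerting
        met = st.get("last_met_condition")
        if not met or _ts(met) < cutoff:
            continue  # condition not met within the time window
        acts = list(st.get("actions", {}).values())
        firing = any(a.get("ack", {}).get("state") == "ackable" for a in acts)
        errored = (st.get("execution_state") == "failed" or any(
            a.get("last_execution", {}).get("successful") is False for a in acts))
        if firing or errored:
            hits.append(w["_id"])
    return hits
```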