Alex,
I can run the watch from the API
POST _watcher/watch/Nightly_Account_Change_Report/_execute
{
"trigger_data" : {
"scheduled_time": "now"
},
"action_modes" : {
"email_admin":"execute"
},
"record_execution" : true
}
I can also use the Watcher tools in Kibana to Simulate execution of the watch and it performs as expected. Here's the relevant chunk of the Kibana log - it looks like it's generating the reports from the watches correctly:
{"type":"response","@timestamp":"2019-04-18T09:02:54Z","tags":["api"],"pid":6756,"method":"post","statusCode":200,"req":{"url":"/api/reporting/generate/csv?jobParams=(conflictedTypesFields%3A!()%2Cfields%3A!('%40timestamp'%2Cbeat.name%2Cevent_id%2Ctask%2Cevent_data.SubjectUserName%2Cevent_data.TargetUserName%2Cmessage)%2CindexPatternId%3A'winlogbeat-*'%2CmetaFields%3A!(_source%2C_id%2C_type%2C_index%2C_score)%2CsearchRequest%3A(body%3A(_source%3A(excludes%3A!()%2Cincludes%3A!('%40timestamp'%2Cbeat.name%2Cevent_id%2Ctask%2Cevent_data.SubjectUserName%2Cevent_data.TargetUserName%2Cmessage))%2Cdocvalue_fields%3A!('%40timestamp')%2Cquery%3A(bool%3A(filter%3A!()%2Cmust%3A!((query_string%3A(analyze_wildcard%3A!t%2Cdefault_field%3A'*'%2Cquery%3A'event_id%3A4720%20OR%20event_id%3A4722%20OR%20event_id%3A4723%20OR%20event_id%3A4724%20OR%20event_id%3A4725%20OR%20event_id%3A4726%20OR%20event_id%3A4727%20OR%20event_id%3A4728%20OR%20event_id%3A4729%20OR%20event_id%3A4730%20OR%20event_id%3A4731%20OR%20event_id%3A4732%20OR%20event_id%3A4733%20OR%20event_id%3A4734%20OR%20event_id%3A4735%20OR%20event_id%3A4738%20OR%20event_id%3A4737%20OR%20event_id%3A4740%20OR%20event_id%3A4741%20OR%20event_id%3A4743%20OR%20event_id%3A4744%20OR%20event_id%3A4745%20OR%20event_id%3A4746%20OR%20event_id%3A4747%20OR%20event_id%3A4748%20OR%20event_id%3A4749%20OR%20event_id%3A4750%20OR%20event_id%3A4751%20OR%20event_id%3A4752%20OR%20event_id%3A4753%20OR%20event_id%3A4754%20OR%20event_id%3A4755%20OR%20event_id%3A4756%20OR%20event_id%3A4757%20OR%20event_id%3A4758%20OR%20event_id%3A4759%20OR%20event_id%3A4760%20OR%20event_id%3A4761%20OR%20event_id%3A4762%20OR%20event_id%3A4763%20OR%20event_id%3A4764%20OR%20event_id%3A4767%20OR%20event_id%3A4781'))%2C(range%3A('%40timestamp'%3A(format%3Abasic_date%2Cgt%3A'now-1d'%2Clt%3A'now%2Fd'))))%2Cmust_not%3A!()%2Cshould%3A!()))%2Cscript_fields%3A()%2Csort%3A!(('%40timestamp'%3A(order%3Aasc%2Cunmapped_type%3Aboolean)))%2Cstored_fields%3A!('%40timestamp'%2Cbeat.name%2Cevent_id%2Ctask%2Cevent_data.SubjectUserName%2Cevent_data.TargetUserName%2Cmessage)%2Cversion%3A!t)%2Cindex%3A'winlogbeat-*')%2Ctitle%3A'Account%20%26%20Group%20Changes%20--%20AD%20%26%20Member%20Server--Report%20Output%20-%20(adj%20for%20ES%206)'%2Ctype%3Asearch)","method":"post","headers":{"accept-charset":"UTF-8","kbn-xsrf":"reporting","content-length":"0","host":"wines5-infr:5601","connection":"Keep-Alive","user-agent":"Apache-HttpClient/4.5.2 (Java/1.8.0_201)","accept-encoding":"gzip,deflate"},"remoteAddress":"10.1.45.32","userAgent":"10.1.45.32"},"res":{"statusCode":200,"responseTime":625,"contentLength":9},"message":"POST /api/reporting/generate/csv?jobParams=(conflictedTypesFields%3A!()%2Cfields%3A!('%40timestamp'%2Cbeat.name%2Cevent_id%2Ctask%2Cevent_data.SubjectUserName%2Cevent_data.TargetUserName%2Cmessage)%2CindexPatternId%3A'winlogbeat-*'%2CmetaFields%3A!(_source%2C_id%2C_type%2C_index%2C_score)%2CsearchRequest%3A(body%3A(_source%3A(excludes%3A!()%2Cincludes%3A!('%40timestamp'%2Cbeat.name%2Cevent_id%2Ctask%2Cevent_data.SubjectUserName%2Cevent_data.TargetUserName%2Cmessage))%2Cdocvalue_fields%3A!('%40timestamp')%2Cquery%3A(bool%3A(filter%3A!()%2Cmust%3A!((query_string%3A(analyze_wildcard%3A!t%2Cdefault_field%3A'*'%2Cquery%3A'event_id%3A4720%20OR%20event_id%3A4722%20OR%20event_id%3A4723%20OR%20event_id%3A4724%20OR%20event_id%3A4725%20OR%20event_id%3A4726%20OR%20event_id%3A4727%20OR%20event_id%3A4728%20OR%20event_id%3A4729%20OR%20event_id%3A4730%20OR%20event_id%3A4731%20OR%20event_id%3A4732%20OR%20event_id%3A4733%20OR%20event_id%3A4734%20OR%20event_id%3A4735%20OR%20event_id%3A4738%20OR%20event_id%3A4737%20OR%20event_id%3A4740%20OR%20event_id%3A4741%20OR%20event_id%3A4743%20OR%20event_id%3A4744%20OR%20event_id%3A4745%20OR%20event_id%3A4746%20OR%20event_id%3A4747%20OR%20event_id%3A4748%20OR%20event_id%3A4749%20OR%20event_id%3A4750%20OR%20event_id%3A4751%20OR%20event_id%3A4752%20OR%20event_id%3A4753%20OR%20event_id%3A4754%20OR%20event_id%3A4755%20OR%20event_id%3A4756%20OR%20event_id%3A4757%20OR%20event_id%3A4758%20OR%20event_id%3A4759%20OR%20event_id%3A4760%20OR%20event_id%3A4761%20OR%20event_id%3A4762%20OR%20event_id%3A4763%20OR%20event_id%3A4764%20OR%20event_id%3A4767%20OR%20event_id%3A4781'))%2C(range%3A('%40timestamp'%3A(format%3Abasic_date%2Cgt%3A'now-1d'%2Clt%3A'now%2Fd'))))%2Cmust_not%3A!()%2Cshould%3A!()))%2Cscript_fields%3A()%2Csort%3A!(('%40timestamp'%3A(order%3Aasc%2Cunmapped_type%3Aboolean)))%2Cstored_fields%3A!('%40timestamp'%2Cbeat.name%2Cevent_id%2Ctask%2Cevent_data.SubjectUserName%2Cevent_data.TargetUserName%2Cmessage)%2Cversion%3A!t)%2Cindex%3A'winlogbeat-*')%2Ctitle%3A'Account%20%26%20Group%20Changes%20--%20AD%20%26%20Member%20Server--Report%20Output%20-%20(adj%20for%20ES%206)'%2Ctype%3Asearch) 200 625ms - 9.0B"}
{"type":"response","@timestamp":"2019-04-18T09:03:10Z","tags":["api"],"pid":6756,"method":"get","statusCode":200,"req":{"url":"/api/reporting/jobs/download/jumf2xj2057o8aef8e5u4qdm","method":"get","headers":{"accept-charset":"UTF-8","kbn-xsrf":"reporting","content-length":"0","host":"wines5-infr:5601","connection":"Keep-Alive","user-agent":"Apache-HttpClient/4.5.2 (Java/1.8.0_201)","accept-encoding":"gzip,deflate"},"remoteAddress":"10.1.45.32","userAgent":"10.1.45.32"},"res":{"statusCode":200,"responseTime":18,"contentLength":9},"message":"GET /api/reporting/jobs/download/jumf2xj2057o8aef8e5u4qdm 200 18ms - 9.0B"}