I have the following in my elasticsearch.yml:
xpack.notification.email.account:
work:
profile: test
email_defaults:
from: kibanatest@domain.com
smtp:
auth: false
host: 10.12.11.125
port: 25
and configured the following alert:
{
"metadata": {
"color": "red"
},
"trigger": {
"schedule": {
"interval": "30s"
}
},
"input": {
"search": {
"request": {
"indices": "winlogbeat-*",
"body": {
"size": 0,
"query": {
"match": {
"level": "Information"
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 2
}
}
},
"actions": {
"work": {
"throttle_period": "10m",
"email": {
"to": "someone@domain.com",
"subject": " Encountered {{ctx.payload.hits.total}}" errors",
"body": "Too many Windows Info, see attached data",
"attachments": {
"attached_data": {
"data": {
"format": "json"
}
}
},
"priority": "high"
}
}
}
But no emails are being generated and the logs not showing anything useful.
For some reason running GET on /_xpack/watcher/watch/windows_errors brings the following:
{
"found": true,
"_id": "windows_errors",
"_status": {
"version": 80,
"state": {
"active": true,
"timestamp": "2017-04-30T16:09:31.340Z"
},
"last_checked": "2017-04-30T16:51:37.689Z",
"last_met_condition": "2017-04-30T16:51:37.689Z",
"actions": {}
},
"watch": {
"trigger": {
"schedule": {
"interval": "30s"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"winlogbeat-*"
],
"types": [],
"body": {
"size": 0,
"query": {
"match": {
"level": "Information"
}
}
}
}
}
},
"condition": {
"always": {}
},
"actions": {},
"metadata": {
"color": "red"
}
}
}
It seems like it didnt pick up any of the actions.
What did I miss?