Simple watcher syntax help

Hi!
I'm trying my first watcher, and being a newbie I have trouble with the basics.
I'd like to filter out the events for the last 10 minutes, but somewhere I have made (I suppose) a simple syntax error. Can anyone point me in the right direction?

    PUT _watcher/watch/log_critical_watch
    {
      "trigger" : {
        "schedule" : { "interval" : "60s" }
      },
      "input" : {
        "search" : {
          "request" : {
            "indices" : [ "business" ],
            "body" : {
              "query" : {
                "match" : { "value.ACTIVITY_DETECTION_STATUS.keyword": "Major" },
                "filter": { "range": { "value.MEASUREMENT_START_TIMESTAMP": { "gte": "now-10m/m", "lte": "now/m" } } }
              }
            }
          }
        }
      }
    }

Fixed it :)

    PUT _watcher/watch/log_error_watch
    {
      "trigger" : {
        "schedule" : { "interval" : "60s" }
      },
      "input" : {
        "search" : {
          "request" : {
            "indices" : [ "business" ],
            "body" : {
              "query" : {
                "bool": {
                  "must": [
                    { "match": { "value.ACTIVITY_DETECTION_STATUS.keyword": "Major" } }
                  ],
                  "filter": [
                    { "range": { "value.MEASUREMENT_START_TIMESTAMP": { "gte": "now-10m/m", "lte": "now/m" } } }
                  ]
                }
              }
            }
          }
        }
      }
    }
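The difference between the two posts is that the first puts `match` and `filter` side by side in one `query` object, while a query object holds exactly one clause and combining clauses needs `bool`. The following is an added example, not code from the thread: a small pre-flight check that finds such multi-key `query` objects in a watch body and shows the `bool` rewrite. The function names and the rule that non-`bool` keys go under `must` are assumptions of this sketch.

```python
import copy
import json

BOOL_OCCURS = ("must", "filter", "should", "must_not")  # bool occurrence types

# Watch body from the first post, retyped as a Python dict (trigger omitted).
BROKEN_WATCH = {
    "input": {"search": {"request": {
        "indices": ["business"],
        "body": {"query": {
            "match": {"value.ACTIVITY_DETECTION_STATUS.keyword": "Major"},
            "filter": {"range": {"value.MEASUREMENT_START_TIMESTAMP": {
                "gte": "now-10m/m", "lte": "now/m"}}},
        }},
    }}},
}


def find_malformed_queries(node, path="$"):
    """Return paths of "query" objects that hold more than one top-level key."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "query" and isinstance(value, dict) and len(value) > 1:
                hits.append(child)
            hits.extend(find_malformed_queries(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_malformed_queries(item, f"{path}[{i}]"))
    return hits


def wrap_in_bool(query):
    """Rewrite a multi-key query object as a single bool query."""
    if len(query) <= 1:
        return copy.deepcopy(query)  # already a single clause
    clauses = {}
    for key, value in query.items():
        if key in BOOL_OCCURS:  # stray bool-style key: keep its occurrence type
            items = value if isinstance(value, list) else [value]
            clauses.setdefault(key, []).extend(copy.deepcopy(items))
        else:  # ordinary query clause: assumed to be required (must)
            clauses.setdefault("must", []).append({key: copy.deepcopy(value)})
    return {"bool": clauses}


if __name__ == "__main__":
    print(find_malformed_queries(BROKEN_WATCH))
    body = BROKEN_WATCH["input"]["search"]["request"]["body"]
    print(json.dumps(wrap_in_bool(body["query"]), indent=2))
```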