Timestamp range in watcher doesn't work

Hello,

I added the watcher in Kibana manually. I am not sure where to add mappings to enable _timestamp.

Below is my watcher, which returns nothing. All I added is:

  "range": {
    "_timestamp": {
      "gt": "now-5m"
    }
  }

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [],
        "types": [],
        "body": {
          "size": 5,
          "query": {
            "bool": {
              "must": [
                {
                  "range": {
                    "_timestamp": {
                      "gt": "now-5m"
                    }
                  }
                },
                {
                  "terms": {
                    "appName.keyword": [
                      "fuse-file-management-general"
                    ]
                  }
                },
                {
                  "terms": {
                    "level.keyword": [
                      "ERROR",
                      "INFO"
                    ]
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 10
      }
    }
  },
  "actions": {
    "email_admin": {
      "email": {
        "profile": "standard",
        "attachments": {
          "log.json": {
            "data": {
              "format": "json"
            }
          }
        },
        "priority": "high",
        "to": [
          "saradac@x.com"
        ],
        "subject": "{{ctx.payload.hits.hits.0._source.level}} | {{ctx.payload.hits.hits.0._source.hostname}}",
        "body": {
          "html": "ELK Monitoring\nIssue with Application : {{ctx.payload.hits.hits.0._source.appName}}\nError Message :\n{{ctx.payload.hits.hits.0._source.json_message}}"
        }
      }
    }
  }
}

What version are you using? For the target indices, did you check that _timestamp is a valid date field (GET /indexname/_mapping/fields/_timestamp)?

_timestamp was a 2.x deprecated mapping feature that would make Elasticsearch insert a timestamp when the document was created or updated. It was removed in 5.x. Were you possibly thinking of @timestamp, the common field Logstash and Beats use?

I’d also recommend you set the indices the watch will be searching on.
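The two checks suggested in this reply (is the range field actually a date in the target mapping, and are the indices set?) can be run against a watch definition before it is deployed. The script below is an added example, not code from the thread or from Elastic; it assumes the 6.x shape of a GET /<index>/_mapping/field/<field> response (a type level under "mappings") and uses constructed sample data that reproduces the situation in the original post.

```python
# Constructed sample: a 6.x-style _mapping/field response (assumption: type level under
# "mappings") for a Logstash-written index. No _timestamp entry exists, only @timestamp.
SAMPLE_MAPPING = {
    "logs-2019.01.01": {"mappings": {"doc": {
        "@timestamp": {"full_name": "@timestamp", "mapping": {"@timestamp": {"type": "date"}}},
        "level.keyword": {"full_name": "level.keyword", "mapping": {"keyword": {"type": "keyword"}}},
    }}}
}

# Constructed watch fragment with the two issues from the thread: empty indices, range on _timestamp.
SAMPLE_WATCH = {"input": {"search": {"request": {
    "indices": [],
    "body": {"query": {"bool": {"must": [
        {"range": {"_timestamp": {"gt": "now-5m"}}},
        {"terms": {"level.keyword": ["ERROR", "INFO"]}},
    ]}}},
}}}}


def date_fields(mapping_response):
    """Field names whose leaf mapping type is 'date' in a _mapping/field response."""
    found = set()
    for index in mapping_response.values():
        for fields in index["mappings"].values():
            for name, info in fields.items():
                if any(leaf.get("type") == "date" for leaf in info["mapping"].values()):
                    found.add(name)
    return found


def range_fields(node):
    """Yield every field name used inside a 'range' clause anywhere in a query DSL tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from (value if key == "range" else range_fields(value))
    elif isinstance(node, list):
        for item in node:
            yield from range_fields(item)


def lint_watch(watch, mapping_response):
    """Return human-readable problems with the watch's search input, empty list if none."""
    request = watch["input"]["search"]["request"]
    problems = []
    if not request.get("indices"):
        problems.append("indices is empty: set the indices the watch should search")
    dates = date_fields(mapping_response)
    for field in range_fields(request["body"]["query"]):
        if field not in dates:
            hint = " (removed in 5.x; use @timestamp?)" if field == "_timestamp" else ""
            problems.append(f"range on '{field}' which is not a date field in the mapping{hint}")
    return problems
```

Feed it the real mapping response for your indices and the watch JSON from Kibana; an empty list means the range clause targets a genuine date field and the indices are set.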
