Unable to forward watcher alert to index with all details

aditi_salunke · March 23, 2021, 6:46am

{
  "trigger": {
    "schedule": {
      "interval": "15m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "##selective index##"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": """(lucene query)""",
                   }
                }
              ],
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-5m/m"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "not_eq": 0
      }
    }
  },
  "actions": {
    "index01": {
      "index": {
        "index": "##selected index for watcher alerts##"
      }
    }
  }
}

**though the watcher alert is firing not able to see in the index, **

yctercero · March 23, 2021, 10:50pm

Hi @aditi_salunke !

Just wanted to double check, is this related to the SIEM/Elastic Security app? If not, it may be best to tag with #stack-alerting .

Best,
Yara

aditi_salunke · March 24, 2021, 5:54am

Hi @yctercero ,

Thanks for the help .

system · April 21, 2021, 5:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.