Use time filter and field filter in watcher

I want to run a watcher that checks if an error with a specific message is occurring within a specific time range. This is the current custom watch JSON that I made:

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "iburgerzaken-blueriq-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "from": "now-1m",
                      "to": "now"
                    }
                  }
                }
              ]
            },
            "match": {
              "message": {
                "query": "Invalid date format pattern 'DD-MM-YYYY'"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total.value": {
        "gt": 0
      }
    }
  },
  "actions": {
    "email_administrator": {
      "email": {
        "profile": "standard",
        "attachments": {
          "attached_data": {
            "data": {
              "format": "json"
            }
          }
        },
        "priority": "high",
        "to": [
          "email@email.com"
        ],
        "subject": "Error: Invalid date format pattern 'DD-MM-YYYY' has occured {{ctx.payload.hits.total.value}} times",
        "body": {
          "text": "Alert for error: Invalid date format pattern 'DD-MM-YYYY'. See attached data for in depth information"
        }
      }
    }
  }
}

But I'm getting the following error:

"error": {
  "root_cause": [
    {
      "type": "parsing_exception",
      "reason": "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
      "line": 1,
      "col": 85
    }
  ],
  "type": "parsing_exception",
  "reason": "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
  "line": 1,
  "col": 85
}

Can someone please help me with this?

Sorry, the JSON is not really readable.

Here is the watch that I made:
https://pastebin.com/UMTcXAUM

And here is the error:
https://pastebin.com/3iaffBVz

Hey,

You need to wrap the match query within the bool query like this:

"bool" :{
  "must" : [
    { "match" : ... }
  ],
  "filter" : [
    { "range" : {} }
  ]
}
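
A local pre-check for the layout fixed in the reply above, as an added example that is not part of the original thread: it flags query clauses placed beside `bool` and moves them into `bool.must`, leaving `filter` untouched. The function names are hypothetical, and the sample query is constructed from the watch in the question.

```python
import json

# Constructed sample: the "query" object from the watch in the question,
# with "match" placed as a sibling of "bool" (the layout that fails to parse).
BROKEN_QUERY = {
    "bool": {
        "filter": [
            {"range": {"@timestamp": {"from": "now-1m", "to": "now"}}}
        ]
    },
    "match": {
        "message": {"query": "Invalid date format pattern 'DD-MM-YYYY'"}
    },
}


def sibling_clauses(query):
    """Return the keys that sit next to "bool" in one query object.

    A query object may hold exactly one query type, so any extra key is
    what the parser reports as an unexpected FIELD_NAME.
    """
    if "bool" in query and len(query) > 1:
        return [k for k in query if k != "bool"]
    return []


def wrap_in_bool(query):
    """Move clauses found beside "bool" into bool.must; filter stays as is."""
    extras = sibling_clauses(query)
    if not extras:
        return query
    bool_body = dict(query["bool"])
    must = bool_body.get("must", [])
    if isinstance(must, dict):  # "must" may be a single clause or a list
        must = [must]
    bool_body["must"] = list(must) + [{k: query[k]} for k in extras]
    return {"bool": bool_body}


if __name__ == "__main__":
    print("clauses beside bool:", sibling_clauses(BROKEN_QUERY))
    print(json.dumps(wrap_in_bool(BROKEN_QUERY), indent=2))
```
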

Thank you, this worked for me!
