Variable to store list of recipient addresses for Elastic Watcher

Hi Team,

In our production setup, we have multiple watcher alerts (around 100), having different sets of recipient email addresses. Now if there is any requirement from the client to update the list, we need to edit 100 watcher scripts which is not a good solution.

Is there a way like an environment variable in watcher scripting? So that if we need to change/update anything in the list, we just need to update that variable and all the watcher scripts will then fetch the updated list from there. No need to edit 100 scripts.

Please guide!

Souvik, you could make an Elasticsearch index of the email addresses, driven by a key of some kind, and then in your Watch you could load that index as a subsearch within a chained input. An example of a chain input and a lookup (albeit for a different use-case) can be seen here: example watch with a lookup table of thresholds per term · GitHub

Then, you can merely modify the email addresses in the lookup index as necessary.

Or I guess more simply you can define/edit Watches via the API and use some variables in some scripting language that is making the API calls :smiley:

Hi @richcollier, thanks for the suggestions, let me work on this. Will share the outcome.

Thank you so much @richcollier, your suggestion worked!!
Created an index consisting of recipient lists and then used that in the chained input of the watches.
Below are the steps of my success.

    {
      "first": {
        "search": {
          "request": {
            "search_type": "query_then_fetch",
            "indices": [
              "<your-recipient-lookup-index>"
            ],
            "rest_total_hits_as_int": true,
            "body": {
              "size": 0,
              "query": {
                "bool": {
                  "minimum_should_match": 1,
                  "should": [
                    {
                      "match_phrase": {
                        "org": "abc"
                      }
                    }
                  ]
                }
              },
              "aggs": {
                "emails": {
                  "terms": {
                    "field": "email.keyword",
                    "size": 1000
                  }
                }
              }
            }
          }
        }
      }
    }

And used {{ctx.payload.first.aggregations.emails.buckets.0.key}} instead of hard coded email ids and it worked!
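The other suggestion in the thread (edit Watches via the API from a script that holds the recipient list in a variable), sketched in Python as an added example that is not code from any poster. The watch ids, the `RECIPIENTS` mapping, the `metadata.org` tag and the sample watch bodies are constructed assumptions; the script only builds the `PUT _watcher/watch/<id>` requests and leaves sending them to your own client.

```python
import copy
import json

# Assumption: one central mapping, keyed by the same "org" value the thread uses.
RECIPIENTS = {"abc": ["ops@abc.example", "oncall@abc.example"]}

# Constructed sample watches (id -> body); real bodies would come from your repo.
WATCHES = {
    "abc-disk-full": {
        "metadata": {"org": "abc"},
        "trigger": {"schedule": {"interval": "5m"}},
        "input": {"simple": {"note": "constructed"}},
        "actions": {"send_email": {"email": {
            "to": ["old@abc.example"], "subject": "Disk full", "body": "Check host"}}},
    },
    "abc-heartbeat": {
        "metadata": {"org": "abc"},
        "trigger": {"schedule": {"interval": "1m"}},
        "input": {"simple": {"note": "constructed"}},
        "actions": {"log_only": {"logging": {"text": "no email here"}}},
    },
}


def apply_recipients(watch, recipients):
    """Return a copy of `watch` with every email action's "to" replaced."""
    if not recipients:
        raise ValueError("refusing to write a watch with an empty recipient list")
    updated = copy.deepcopy(watch)
    for action in updated.get("actions", {}).values():
        if "email" in action:
            action["email"]["to"] = sorted(set(recipients))
    return updated


def plan_updates(watches, recipients_by_org):
    """Build (method, path, json_body) for each watch whose recipients change."""
    plan = []
    for watch_id, body in sorted(watches.items()):
        org = body["metadata"]["org"]  # KeyError here means an untagged watch
        new_body = apply_recipients(body, recipients_by_org[org])
        if new_body != body:  # unchanged watches are not rewritten
            plan.append(("PUT", f"_watcher/watch/{watch_id}", json.dumps(new_body)))
    return plan


if __name__ == "__main__":
    for method, path, _ in plan_updates(WATCHES, RECIPIENTS):
        print(method, path)
```

Because unchanged watches are skipped, rerunning the script after a recipient change only touches the watches that actually differ, which keeps the change reviewable.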