Hello, I am trying to match multiple fields in a single index for my watcher alert and having some difficulties doing that.
My watcher looks like:
{
  "trigger": {
    "schedule": {
      "interval": "15m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "index123"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-15m",
                      "lte": "now"
                    }
                  }
                }
              ],
              "must": {
                "match": {
                  "LogLevel": "ERROR"
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "log": {
      "logging": {
        "level": "info",
        "text": """{{ctx.payload.hits.total}} Errors have occured in the logs
:{{#toJson}}ctx.payload.hits.hits{{/toJson}}"""
      }
    },
    "email_administrator": {
      "email": {
        "profile": "standard",
        "attachments": {
          "attached_data": {
            "data": {
              "format": "json"
            }
          }
        },
        "from": "user123@testcompany.com",
        "to": [
          "user456@testcompany.com"
        ],
        "subject": "Test Application encountered {{ctx.payload.hits.total}} in the last 15 minutes",
        "body": {
          "text": "{{ctx.payload.hits.total}} Errors have occured in the logs "
        }
      }
    }
  },
  "throttle_period_in_millis": 900000
}
The above watcher is working and sending email as expected.
But now, I also want to match it against one more field called tags along with the "LogLevel" field and create an alert:
"match": {
  "tags": "test_env"
}
and I am having problems with this.
How can I match against multiple fields in the same index and create an alert?
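As an added example, not part of the original post: a bool query requires every clause in `must` to match, so the two `match` clauses go into a `must` array rather than one `match` object. The Python below builds that query for the watcher's `body.query` and checks the AND semantics locally on constructed sample hits; it assumes `tags` holds the exact value `test_env` (a keyword or array field) and approximates ES `match` with equality.

```python
# Added example (not from the original post): build the watcher's bool query
# with several match clauses in a "must" array and check the AND semantics
# on constructed sample hits.
import json


def build_watch_query(must_matches, window="now-15m"):
    """Return the watcher 'body.query' requiring every field in must_matches."""
    return {
        "bool": {
            "filter": [{"range": {"@timestamp": {"gte": window, "lte": "now"}}}],
            # A list under "must" means every clause has to match (logical AND).
            "must": [{"match": {field: value}} for field, value in must_matches.items()],
        }
    }


def doc_matches(doc, query):
    """Local approximation of the must clauses: each field must equal the value
    (or contain it, for array fields such as tags). Assumption: exact matching."""
    for clause in query["bool"]["must"]:
        ((field, value),) = clause["match"].items()
        actual = doc.get(field)
        if isinstance(actual, list):
            if value not in actual:
                return False
        elif actual != value:
            return False
    return True


# Constructed sample hits, not real log data.
SAMPLE_HITS = [
    {"LogLevel": "ERROR", "tags": ["test_env", "app"]},
    {"LogLevel": "ERROR", "tags": ["prod_env"]},
    {"LogLevel": "INFO", "tags": ["test_env"]},
]


def count_hits(hits, must_matches):
    """Number of sample hits that satisfy all match clauses."""
    query = build_watch_query(must_matches)
    return sum(doc_matches(hit, query) for hit in hits)


if __name__ == "__main__":
    wanted = {"LogLevel": "ERROR", "tags": "test_env"}
    print(json.dumps(build_watch_query(wanted), indent=2))
    print(count_hits(SAMPLE_HITS, wanted))  # 1: only the ERROR hit tagged test_env
```

Only hits that satisfy both clauses are counted, which is what `ctx.payload.hits.total` would reflect after the watch runs with the two-clause `must` array.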