I want to make a Watch that compares hardware alerts with open support tickets and if no matching ticket exist, perform an action such as using webhook to forward data to Logstash or send a API call to my ticket system using webhook.
This first part of the query would retrieve all the
device-id fields from the
errors index over say the past 24 hours. In the second part of the chain I want to compare that data with my incidents index. The
incidents index will have fields such as
status. If there is a matching device-id and error with status == open then the result should be dropped. Documents that have no match (no existing ticket yet) should be send to webhook action so I can use Logstash to send an email for each document. O
The reason I plan on using Logstash is that to my understanding Watcher doesn't loop the action part so it cannot perform a email action on each document that would match the query.
This has me worried the same may apply for Watcher in general. So if my query would return multiple device-id's with errors, it won't apply the status:open check for each document.
Would something like what I'm describing be achievable within a single Watch?