Watcher Help

Hi all,

I have been going in circles for hours trying to get a watcher working. I am trying to pick up a payload and send it via webhook to a remote server.

The code below gives be an error on the very last curly brace of the code saying Expected ',' instead of ' '

I have tried everything that I can think of (I am not developer just an end user so struggling a fair bit!). Any help would be greatly appreciated.

  "trigger": {
    "schedule": {
      "interval": "1m"
  "input": {
    "search": {
      "request": {
        "body": {
          "size": 0,
           "query": {
    "bool": {
      "must": [
          "query_string": {
            "query": "\"Australia\"",
            "analyze_wildcard": true,
            "default_field": "*"
          "match_phrase": {
            "entity": {
              "query": "Cyber Security"
        "indices": [
  "condition", {
    "compare": {
      "": {
        "gte": 0
  "actions", {
    "my-logging-action": {
      "logging": {
        "text": "There are {{}} attack indicators."
"actions" , {
  "my_webhook" : { 
    "throttle_period" : "5m", 
    "webhook" : {
      "method" : "POST", 
      "host" : "http://X.X.X.X/php/catch.php", 
      "port" : 9200, 
      "path": ":/{{ctx.watch_id}", 
      "body" : "{{ctx.watch_id}}:{{}}" 

Can anyone assist?

I wonder if Elastic have thought about making the set-up of Watchers easier? It is not user friendly at all, unless you are technically proficient in writing JSON files from scratch, which most people I know in an Op's type capacity are not.

Sentinl have a really user friendly way of setting up Watchers. You can select the set Watcher options on any search you do and it pre-configures most of the code for you.

Just a thought.

Note, that this is a forum, which is not bound to any SLA, so please respect that there is no enterprise grade support over here.

If you try the above snippet against any JSON parser (like an online one or a CLI tool like jq), you will immediately get an error where the JSON is invalid, helping you to pinpoint the problem. In this case I would highly assume, that you have not properly closed your query based in your indentation.

Also, there is a watcher UI available and a helper UI tool to create simple watches, which you may want to check out as well.


Hi Alexander,

Thank you for your response, much appreciated. I understand this is a discussion forum and it is not a support forum.

The X-Pack package has a JSON editing tool, is that what you mean by parser?

Do you happen to know what the UI helper tool is called? We have a number of clients who want to use X-Pack to send alerts via webhook to a remote server but they will not want to have to write a JSON each time. It is not user friendly at all.

the dev-tools console is one example as a parser, but also the tools I mentioned or an online parser like where you can just paste your JSON into to check whether it is valid.

What I was referring to, was the threshold alert UI, which you can find when you create a new watch

Hi Alex,

Thanks again, much appreciated.

I was just using that JSON pasrser you linked to. :slight_smile:

Unfortunately they all tell me the same thing that the X-Pack one does, which for a non-techy like me doesn't help me.

I was trying to use the Threshold Alert you posted above but there doesn't appear to be a way to make it trigger on something specifc, such as a keyword appearing in a log file etc. Unless I missed something?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.