OH YEA! THANKS! It appears that breaking the query params into another element worked!
For posterity, here is a summary of what worked on my aggregation.
PUT http://{{host}}/_watcher/watch/cal_tpv_agg_watch
{
  "trigger" : {
    "schedule" : { "interval" : "3600s" }
  },
  "input" : {
    "http" : {
      "request" : {
        "host" : "elasticserver.dev.mycorp.com",
        "port" : 9200,
        "headers": {
          "Content-Type" : "application/json",
          "Accept" : "application/json"
        },
        "params": { "search_type" : "count" },
        "path" : "/cal-root-2016-03-07/logs/_search",
        "method": "post",
        "body" : "{ \"aggs\": { \"tpv\": { \"terms\": { \"field\": \"payload.m_merchant_account_number\", \"order\" : { \"total_volume\" : \"desc\" } }, \"aggs\": { \"total_volume\": { \"sum\": { \"field\": \"payload.usd_amt\" }}}}}}"
      }
    }
  },
  "actions": {
    "log": {
      "logging": {
        "text": "Watcher ran {{ctx.watch_id}} at {{ctx.execution_time}} with payload {{ctx.payload}}"
      }
    }
  }
}
It is now returning the aggregation response in the watcher response payload.
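An added example, not part of the original post: a Python helper that applies the fix described above to a watch's `http` request, moving any query string out of `path` into `params` and generating the escaped `body` string with `json.dumps` instead of hand-escaping it. The function name `normalize_http_input` and the "before" request are constructed for illustration.

```python
import json
from urllib.parse import urlsplit, parse_qsl

def normalize_http_input(request, body_obj=None):
    """Return a copy of a watch http request with the query string
    split out of "path" into "params" (hypothetical helper)."""
    fixed = dict(request)
    parts = urlsplit(fixed.get("path", ""))
    params = dict(fixed.get("params", {}))
    # Query pairs found in the path are added; explicit params win on conflict.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        params.setdefault(key, value)
    fixed["path"] = parts.path
    if params:
        fixed["params"] = params
    if body_obj is not None:
        # Serialize the query body so quoting and escaping are always valid.
        fixed["body"] = json.dumps(body_obj)
    elif "body" in fixed:
        # Fail early (ValueError) if a hand-written body is not valid JSON.
        json.loads(fixed["body"])
    return fixed

# The aggregation from the post, written as a normal structure.
AGG = {
    "aggs": {
        "tpv": {
            "terms": {
                "field": "payload.m_merchant_account_number",
                "order": {"total_volume": "desc"},
            },
            "aggs": {"total_volume": {"sum": {"field": "payload.usd_amt"}}},
        }
    }
}

# Constructed "before" request: query string still embedded in the path.
BEFORE = {
    "host": "elasticserver.dev.mycorp.com",
    "port": 9200,
    "method": "post",
    "path": "/cal-root-2016-03-07/logs/_search?search_type=count",
}

if __name__ == "__main__":
    print(json.dumps(normalize_http_input(BEFORE, AGG), indent=2))
```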