I'm trying to evaluate watcher as a replacement for an application that monitors our syslog. This is probably the biggest use case for watcher out there.
I need to match multiple specific strings (in separate watches) and then alert on them.
I've set up a simple watch to match for a condition, but I get back not only the condition I'm looking for but an attachment with several other conditions in it. Is this how watcher works? I guess I've made a mistake somewhere. Here's my watch configuration. Can anyone recommend what I can do to get it working?
Here is the watch:
curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
  "trigger" : {
    "schedule" : { "interval" : "10s" }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logstash-2015.**.**" ],
        "body" : {
          "query" : {
            "match" : { "message": "alloc: /backup: file system full" }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "actions" : {
    "send_email" : {
      "email" : {
        "to" : "me@me.com",
        "subject" : "Filesystem Warning from Watcher",
        "body" : "TEST MESSAGE: /backup: file system full",
        "attach_data" : true
      }
    }
  }
}'
I’m unable to share the attached file due to the nature of its contents.
Email works ok.
Thanks for any pointers you can give me.
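As an added illustration (not from the original post or from Watcher itself), the script below emulates what a `match` query with the default OR operator does to the phrase in the watch above versus a `match_phrase` query, over a few constructed syslog lines; the tokenizer is an approximation of Elasticsearch's standard analyzer, and `watch_query` only builds the `body.query` fragment of the watch.

```python
import re

# Constructed sample syslog messages (not from the original post). The first
# is the exact event the watch is meant to catch; the next three merely share
# one or more terms with it, and the last shares none.
SAMPLE_MESSAGES = [
    "alloc: /backup: file system full",
    "alloc: /var: file system full",
    "nfsd: /backup: export refreshed",
    "kernel: ext4 file system mounted read-only",
    "sshd: accepted publickey for admin",
]

def analyze(text):
    """Approximate the standard analyzer: lowercase and split on anything that
    is not a letter or digit. ':' and '/' are discarded, so 'alloc:' and
    '/backup:' become the plain terms 'alloc' and 'backup'."""
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]

def match_query(query, messages):
    """Emulate `match` with its default operator (OR): a message is a hit when
    it contains ANY analyzed term of the query. This is why a watch built on
    `match` returns unrelated log lines that share words like 'file' or
    'system'."""
    terms = set(analyze(query))
    return [m for m in messages if terms & set(analyze(m))]

def match_phrase_query(query, messages):
    """Emulate `match_phrase`: every query term must appear in the message,
    adjacent and in the same order."""
    q = analyze(query)
    def contains_phrase(tokens):
        return any(tokens[i:i + len(q)] == q
                   for i in range(len(tokens) - len(q) + 1))
    return [m for m in messages if contains_phrase(analyze(m))]

def watch_query(pattern, exact=True):
    """Build the `input.search.request.body.query` fragment of the watch,
    using `match_phrase` for an exact message, or `match` as in the original."""
    kind = "match_phrase" if exact else "match"
    return {"query": {kind: {"message": pattern}}}

if __name__ == "__main__":
    pattern = "alloc: /backup: file system full"
    print("match        hits:", match_query(pattern, SAMPLE_MESSAGES))
    print("match_phrase hits:", match_phrase_query(pattern, SAMPLE_MESSAGES))
```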