Watcher matching isn't working - any help?

Elastic Stack Elasticsearch
1

I'm trying to evaluate watcher as a replacement for an application that monitors our syslog. This is probably the biggest use case for watcher out there.

I need to match multiple specific strings (in separate watches) and then alert on them.

I've set up a simple watch to match for a condition but i get back not only the condition I'm looking for but an attachment with several other conditions in. Is this how watcher works? I guess I've made a mistake somewhere. Here's my watch configuration. Can anyone recommend what i can do to get it working?

Here is the watch:

curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
  "trigger" : {
    "schedule" : { "interval" : "10s" } 
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logstash-2015.**.**" ],
        "body" : {
          "query" : {
            "match" : { "message": "alloc: /backup: file system full" }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }} 
  },
  "actions" : {
    "send_email" : {
      "email" : {
        "to" : "me@me.com>",
        "subject" : "Filesystem Warning from Watcher",
        "body" : "TEST MESSAGE: /backup: file system full",
        "attach_data" : true
      }
    }
  }
}'

I’m unable to share the attached file due to the nature of its contents.

Email works ok.

Thanks for any pointers you can give me.

2

The match query will match if any of the terms occur in a document with the message field. You can set the operator option on the match query to and, so that all all terms are required to match.

But I think you're looking for a phrase match instead? Then you should try out the match_phrase query instead.

3

Hi,

I changed it to match_query and it worked! Thanks very much.

I have a question on how to only alert (with watcher) on new matches but I'll raise another topic for it.

Regards

Dennis