Watcher Parse Exception Unknown Input Type Condition

alerting

(Jason) #1

When trying to create a watch I'm receiving:
Watcher: [parse_exception] could not parse input for watch [watch name]. unknown input type [condition]

I have put the below in a JSON formatter to help ensure validity.

My Watcher:

{  
    "trigger":{  
        "schedule":{  
            "interval":"5m"
        }
    },
    "input":{  
        "search":{  
            "request":{  
                "indices":"my_index_name*",
                "body":{  
                    "query":{  
                        "bool":{  
                            "must":[  
                                {  
                                    "query_string":{"query":"fieldName:(\"1234\" OR \"5678\") AND fieldName2:*Password*"}
                                },
                                {  
                                    "range":{  
                                        "@timestamp":{  
                                            "from":"now-24h",
                                            "to":"now"
                                        }
                                    }
                                }
                            ]
                        }
                    }
                }
            }
        },
        "condition":{  
            "compare":{  
                "ctx.payload.hits.total":{  
                    "gt":0
                }
            }
        },
        "actions":{  
            "reminder_email":{  
                "email":{  
                    "profile":"standard",
                    "to":[  
                        "some_guy@domain.com"
                    ],
                    "subject":"Adverse Stuff",
                    "body":{  
                        "text":"Dear {{ctx.payload.name}}, Adverse stuff may have been configured. Please investigate."
                    }
                }
            }
        }
    }
}

(Guillaume Dufrenne) #2

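Your JSON is syntactically valid, but the watch structure is not correct: your `condition` (and also your `actions`) is nested inside the `input` object. Watcher treats every key under `input` as an input type, which is why it reports "unknown input type [condition]". `trigger`, `input`, `condition` and `actions` must all be top-level keys of the watch.

Corrected version: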

{
    "trigger": {
        "schedule": {
            "interval": "5m"
        }
    },
    "input": {
        "search": {
            "request": {
                "indices": "my_index_name*",
                "body": {
                    "query": {
                        "bool": {
                            "must": [
                                {
                                    "query_string": {
                                        "query": "fieldName:(\"1234\" OR \"5678\") AND fieldName2:*Password*"
                                    }
                                },
                                {
                                    "range": {
                                        "@timestamp": {
                                            "from": "now-24h",
                                            "to": "now"
                                        }
                                    }
                                }
                            ]
                        }
                    }
                }
            }
        }
    },
    "condition": {
        "compare": {
            "ctx.payload.hits.total": {
                "gt": 0
            }
        }
    },
    "actions": {
        "reminder_email": {
            "email": {
                "profile": "standard",
                "to": [
                    "some_guy@domain.com"
                ],
                "subject": "Adverse Stuff",
                "body": {
                    "text": "Dear {{ctx.payload.name}}, Adverse stuff may have been configured. Please investigate."
                }
            }
        }
    }
}
