Watcher results returning similar terms instead of specific one

I have the following watch

{
  "trigger" : {
    "schedule" : {
      "interval" : "5m"
    }
  },
  "input" : {
    "search" : {
      "request" : {
        "search_type": "query_then_fetch",
        "indices" : [ "<logstash-{now/d}>"],
        "types" : [ "alerts" ],
        "body" : {
          "sort" : {
            "@timestamp" : {"order" : "desc"}
          },
          "query" : {
            "bool" : {
              "must": {
                "match": {
                  "name": "Info/Alert.A"
                }
              },
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-5m"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : {
      "ctx.payload.hits.total" : {
        "gt" : 0
      }
    }
  },
  "actions" : {
    "notify-slack" : {
      "throttle_period" : "5m",
      "slack" : {
        "account" : "alert",
        "message" : {
          "to" : [ "#watcher-alert" ],
          "text" : "There is an alert!"
        }
      }
    }
  }
}

The watch works, but checking the watcher history, it returns results similar to the term I want to match ("Info/Alert.A"), for example "Info/Failure!4r" or "Info/Heavy.Root". Why could this be happening, or which approach can I take (how can I use wildcards in a Watcher query)?

Hey,

this is not a Watcher issue, but an issue with your query. When you are using a match query against an analyzed field, the terms get split and analyzed, so your query is not an exact match anymore.

If this is on Elasticsearch 5.x, you could try to query the field name.keyword (or name.raw, depends on your mapping) and see if that works instead.

Generally, it is useful not to write your watch first, but to test your query before you copy and paste it into a watch.

You might want to take some time and read this blog post, which explains how to debug watches: https://www.elastic.co/blog/watching-the-watches-writing-debugging-and-testing-watches

--Alex

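To make the point in the answer above concrete, here is an added example (not from the original thread or from Elastic). It models, in plain Python, what the match query does to "Info/Alert.A" versus what a term query on name.keyword does, using constructed sample documents built from the values the asker reported. It assumes the name field uses the default standard analyzer and that the mapping has the default keyword sub-field that 5.x dynamic mapping creates; the tokenizer below is a rough model of the standard analyzer, so check the real tokens with the _analyze API before relying on them.

```python
import re

# Constructed sample documents (not from the original post): the "name" values
# the asker saw in the watch history, plus two extra to show the edges.
DOCS = [
    {"id": 1, "name": "Info/Alert.A"},
    {"id": 2, "name": "Info/Failure!4r"},
    {"id": 3, "name": "Info/Heavy.Root"},
    {"id": 4, "name": "Warning/Alert.A"},
    {"id": 5, "name": "Disk/Full"},
]

# Word characters, optionally joined by '.' (UAX#29 keeps "Alert.A" together
# but breaks at '/' and '!'). This is a simplification of the standard
# tokenizer, assumed here for illustration only.
_TOKEN = re.compile(r"[0-9A-Za-z_]+(?:\.[0-9A-Za-z_]+)*")


def analyze_standard(text):
    """Rough model of the standard analyzer: lowercase, then split into words
    at punctuation. Assumption: the 'name' field uses this analyzer."""
    return _TOKEN.findall(text.lower())


def match_query(docs, field, text):
    """Simulate a 'match' query with its default OR operator: the query text
    is analyzed, and any document sharing at least one token is a hit.
    This is why "Info/Failure!4r" comes back for "Info/Alert.A": both
    analyze to a token list containing "info"."""
    wanted = set(analyze_standard(text))
    return [d for d in docs if wanted & set(analyze_standard(d[field]))]


def term_query(docs, field, value):
    """Simulate a 'term' query on a keyword sub-field (name.keyword): the
    stored string is not analyzed and must equal the query string exactly."""
    return [d for d in docs if d[field] == value]


def hit_names(hits):
    """Return just the 'name' values of a hit list, for readable comparison."""
    return [d["name"] for d in hits]


def fixed_watch_query(value):
    """Query body to use in the watch input instead of the 'match' clause:
    a 'term' on name.keyword plus the same time-range filter. Assumes the
    keyword sub-field is called name.keyword (it may be name.raw with an
    older Logstash template; check the mapping)."""
    return {
        "bool": {
            "filter": [
                {"term": {"name.keyword": value}},
                {"range": {"@timestamp": {"gte": "now-5m"}}},
            ]
        }
    }


if __name__ == "__main__":
    print("tokens:", analyze_standard("Info/Alert.A"))
    print("match hits:", hit_names(match_query(DOCS, "name", "Info/Alert.A")))
    print("term hits: ", hit_names(term_query(DOCS, "name", "Info/Alert.A")))
    print("fixed query:", fixed_watch_query("Info/Alert.A"))
```

Running it shows the match query pulling in every document that shares the "info" or "alert.a" token, while the term query returns only the exact name. Because the term lookup is exact, the watch condition on ctx.payload.hits.total then fires only for the alert you actually care about.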

Thanks @spinscale, I will try that, then. Thanks a lot for the resource, it will be helpful.

I have another question though. I am testing it in Kibana with keyword ("name.keyword": "Info/Alert.A"), which is working, but in the search, the slash isn't being highlighted in the results. Does this affect the query?

Not sure I understand that "highlighting" part, but that feels just like a display issue, and not like a search issue. If the search returns the document that you expect, all should be fine.

Feel free to elaborate on that highlighting thing, though!

Sure! Sometimes, when you do a search in Kibana (let's say you enter a word you want to look for in the entries), the obtained results are shown, and the word you queried is highlighted in orange in each entry. But it seems this is part of Kibana instead of the query in general.

Ah, got it. That's indeed a Kibana feature; you can ignore it for Watcher.
