Watcher search for field value in last 1 min

alerting

(briangildea) #1

I'm having issues getting watcher to work while querying
a time range filter of the previous 5 minutes.

```
PUT /_watcher/watch/log_error_watch
{
  "trigger" : { "schedule" : { "interval" : "60s" } },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "APPINDEX-*" ],
        "body" : {
          "query" : {
            "match" : { "ENCODE": "14310" }
          },
          "filter" : {
            "range" : { "@timestamp" : { "gte" : "now-5m" } }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 5 } }
  },
  "actions" : {
    "send_email" : {
      "email" : {
        "to" : "brian.gildea@DOMAINNAME.com",
        "subject" : "APP Status Warning",
        "body" : "{{ctx.watch_id}} executed with {{ctx.payload.hits.total}} hits"
      }
    }
  }
}
```

If I remove `"filter" : {"range" : {"@timestamp" : {"gte" : "now-5m"}}}`, it works fine, but it queries the entire index, where I want to search only the last 5 mins for ENCODE:14310 with a count greater than 5.
Can anyone help me here?
Thanks


(Alexander Reelsen) #2

Hey,

Try using the query part of your watch as a regular query. I think it won't work either. You should use a bool query that consists of a filter and a must part. The filter part contains the timestamp filter and the must part contains the match query.

Always try to make sure that your query executes, and only then create a watch out of it.

Also, please try better formatting next time by wrapping everything in correct markdown, which makes it much easier to read.

--Alex
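
The following is an added example and is not code from either poster or from Elastic. It builds the bool query Alex describes (the `match` in `must`, the `@timestamp` range in `filter`), reuses that same query object first for a plain `_search` dry run and then for the corrected watch, and includes a small lint that catches the original post's mistake of placing `filter` beside `query` in the request body, which Elasticsearch 2.x and later rejects as an unknown key. The index pattern, field, value, threshold, watch id and email address come from the original watch; the Elasticsearch host and the `size: 0` setting (the watch only reads `hits.total`, so returning documents is unnecessary) are assumptions.

```python
import json

# Taken from the original watch; ES_HOST is an assumption for illustration.
ES_HOST = "http://localhost:9200"
INDEX_PATTERN = "APPINDEX-*"
WATCH_ID = "log_error_watch"
FIELD, VALUE = "ENCODE", "14310"
THRESHOLD = 5
WINDOW = "5m"


def build_query(field=FIELD, value=VALUE, window=WINDOW):
    """Bool query: the match goes in `must`, the time range in `filter`.

    Putting `filter` next to `query` in the request body (the original watch)
    is not valid search body syntax; the range belongs inside the bool query.
    """
    return {
        "bool": {
            "must": [{"match": {field: value}}],
            "filter": [{"range": {"@timestamp": {"gte": f"now-{window}"}}}],
        }
    }


def build_search_body(**kw):
    """Body for a plain _search, used to dry-run the query before creating the watch.

    size 0 is an assumption: only hits.total is needed, so no documents are returned.
    """
    return {"size": 0, "query": build_query(**kw)}


def build_watch(threshold=THRESHOLD, **kw):
    """The original watch with its search input replaced by the bool query."""
    return {
        "trigger": {"schedule": {"interval": "60s"}},
        "input": {
            "search": {
                "request": {
                    "indices": [INDEX_PATTERN],
                    "body": build_search_body(**kw),
                }
            }
        },
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": threshold}}},
        "actions": {
            "send_email": {
                "email": {
                    "to": "brian.gildea@DOMAINNAME.com",
                    "subject": "APP Status Warning",
                    "body": "{{ctx.watch_id}} executed with {{ctx.payload.hits.total}} hits",
                }
            }
        },
    }


def lint_search_body(body):
    """Return a list of problems that would make the watch's search input fail.

    Catches the mistake from the original post (top-level `filter` beside
    `query`) and stray clauses placed directly under `bool`.
    """
    problems = []
    if "query" not in body:
        problems.append("body has no 'query'")
    if "filter" in body:
        problems.append("top-level 'filter' is not valid; move it into query.bool.filter")
    bool_q = body.get("query", {}).get("bool")
    if bool_q is not None:
        allowed = {"must", "filter", "should", "must_not",
                   "minimum_should_match", "boost", "_name"}
        for key in bool_q:
            if key not in allowed:
                problems.append(f"unexpected clause '{key}' under bool")
    return problems


def curl_commands(host=ES_HOST):
    """Two commands in the order Alex recommends: dry-run the query, then register the watch."""
    search = (f"curl -s -XPOST '{host}/{INDEX_PATTERN}/_search' "
              f"-H 'Content-Type: application/json' -d '{json.dumps(build_search_body())}'")
    put = (f"curl -s -XPUT '{host}/_watcher/watch/{WATCH_ID}' "
           f"-H 'Content-Type: application/json' -d '{json.dumps(build_watch())}'")
    return search, put


if __name__ == "__main__":
    for cmd in curl_commands():
        print(cmd)
```

Run the first printed command against the cluster and confirm `hits.total` reflects only the last five minutes; only when that looks right, run the second command to create the watch. Because both bodies are generated from the same `build_query`, what was tested is exactly what the watch will execute.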


(system) #3