Watcher time filter problem

I have a watcher checking whether somebody is running an SSH brute-force attack... I ran Hydra to generate some logs... and the watcher finds it and sends me emails correctly. The problem is that it never stops sending me emails... So I read this post: How do I setup watcher to only alert on new messages? and changed my query, but the error persists...

Here is my watcher snippet:

curl -XPUT 'http://localhost:9200/_watcher/watch/ssh_bruteforce' -d '{
  "trigger" : {
    "schedule" : { "interval" : "30s" } 
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logstash-*" ],
        "body" : {
          "query" : {
            "filtered" : {
              "query" : {"match" : {"message": "*Too many authentication failures*"}},
              "filter": {
                "bool": {
                  "must": [
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "now-60s"
                        }
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "actions" : {
    "email_administrator" : {
      "throttle_period": "30s", 
      "email" : { 
        "to" : "email@gmail.com",
        "subject" : "[Watcher] Possible SSH brute-force attack",
        "body" : "Too many failed login attempts via SSH.",
        "attach_data" : true,
        "priority" : "high"
      }
    }
  }
}'

The time filter is not working... The watcher sends me an email every 30 seconds...

Thanks!

Pretty sure "throttle_period" shouldn't be under the "actions" section, e.g. https://www.elastic.co/guide/en/watcher/current/watching-marvel-data.html#watching-cluster-health

Thanks for the reply! I moved this line, but the problem is the filter... It is finding hits from 2 days ago, and I need 5 minutes ago...

      "query" : {
        "filtered" : {
          "query" : {"match" : {"message": "*Too many authentication failures*"}},
          "filter": {
            "bool": {
              "must": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-60s"
                    }
                  }
                }
              ]
            }
          }
        }
      }

What's the correct way to filter only newest hits for specific event?

Thanks!

I found out that the problem is the filter.

"query" : {"match" : {"message": "*Too many authentication failures*"}},

This isn't finding the literal string with wildcards; it is finding any word in the string... Matching authentication, or failures, or many.... However, in Kibana that search works fine...

I solved it by changing "match" to "match_phrase", and now the search is exact.

Thanks!
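To see why the `match` version fires on almost every sshd line while `match_phrase` only fires on the real event, here is an added, offline illustration (not code from the thread or from Elasticsearch): a small re-implementation of what the standard analyzer does to the query string and the `message` field, with both query types and the `now-60s` range filter run over a handful of constructed sshd log lines. The tokenizer is an approximation (lowercase, split on non-word characters, no stopwords); the document set, timestamps and `NOW` are made up for the example. Note that the `*` characters are simply discarded by the analyzer, they are not wildcards inside `match` or `match_phrase`.

```python
"""Offline model of Elasticsearch `match` vs `match_phrase` on an analyzed field.

Added example; the analyzer and query logic are approximations of what the
standard analyzer and the two query types do, written to show the difference
the thread describes. All documents below are constructed sample sshd lines.
"""
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (assumed value).
NOW = datetime(2016, 1, 10, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample documents; message texts mimic OpenSSH log lines.
DOCS = [
    {"id": 1, "@timestamp": NOW - timedelta(seconds=20),
     "message": "sshd[2201]: Disconnecting: Too many authentication failures for root [preauth]"},
    {"id": 2, "@timestamp": NOW - timedelta(seconds=40),
     "message": "sshd[2202]: error: maximum authentication attempts exceeded for root from 10.0.0.5 port 4000 ssh2 [preauth]"},
    {"id": 3, "@timestamp": NOW - timedelta(seconds=50),
     "message": "sshd[2203]: Accepted publickey for alice from 10.0.0.9 port 50022 ssh2"},
    {"id": 4, "@timestamp": NOW - timedelta(days=2),
     "message": "sshd[1101]: Disconnecting: Too many authentication failures for root [preauth]"},
]

QUERY = "*Too many authentication failures*"


def analyze(text):
    """Approximate the standard analyzer: lowercase, split on non-word chars.

    The '*' in the query string is dropped here, exactly as a wildcard
    character is dropped when it reaches the analyzer of a match query.
    """
    return [t for t in re.split(r"[^\w]+", text.lower()) if t]


def match(doc, field, query):
    """`match` with the default OR operator: any shared term is a hit."""
    return bool(set(analyze(query)) & set(analyze(doc[field])))


def match_phrase(doc, field, query):
    """`match_phrase`: all terms must appear contiguously and in order."""
    q = analyze(query)
    d = analyze(doc[field])
    return any(d[i:i + len(q)] == q for i in range(len(d) - len(q) + 1))


def in_range(doc, field, gte, now=NOW):
    """Rough `range` filter for values of the form 'now-<N>s'."""
    m = re.fullmatch(r"now-(\d+)s", gte)
    if m is None:
        raise ValueError("only 'now-<N>s' is supported in this example: %r" % gte)
    return doc[field] >= now - timedelta(seconds=int(m.group(1)))


def hit_ids(docs, query_fn, query, gte):
    """Return the ids of documents that pass both the range filter and the query."""
    return [d["id"] for d in docs
            if in_range(d, "@timestamp", gte) and query_fn(d, "message", query)]


if __name__ == "__main__":
    # The OR semantics of `match` pick up any line containing "authentication",
    # so a routine "maximum authentication attempts exceeded" line also fires.
    print("match,        now-60s:", hit_ids(DOCS, match, QUERY, "now-60s"))         # [1, 2]
    print("match_phrase, now-60s:", hit_ids(DOCS, match_phrase, QUERY, "now-60s"))  # [1]
    # The range filter itself works: the 2-day-old event only shows up with a wider window.
    print("match_phrase, now-259200s:", hit_ids(DOCS, match_phrase, QUERY, "now-259200s"))  # [1, 4]
```

One practical caveat that the thread brushes against: with a 30s trigger interval and a `now-60s` window, each run sees the previous run's events again, so even with `match_phrase` the same brute-force burst can be reported twice unless the window is no wider than the interval or the action is throttled.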

I spent 5 hours trying to get this working, thanks for posting your answer - solved it for me immediately.