Watcher to Index

alerting

#1

Watcher keeps adding records to the index even when there is no change to the data.


(Alexander Reelsen) #2

Hey,

please, if you have a question, take some time to actually explain the problem, so others can follow easily. I can just guess what your question is and will maybe answer something completely different. Take your time to read our advice on how to make sure that a forum post is written in a way that others can help you. A one-sentence problem description will rarely lead to a perfect solution.

My guess here is, you are talking about the watch_history index or the watch index. In both cases both indices are updated after a watch is run with some information, allowing you to check if the watch was executed and what its state was.

I have no idea what you are referring to with "change to the data" here, so please elaborate.

Thanks,

--Alex


#3

To further elaborate on the problem. I have 3 months' worth of firewall logs in Elasticsearch, and I have set up a watcher to look at the indices of the 3 months to create a copy of the log entry in an index if a word like "attack" exists in the log entry. After starting the watcher I noticed that, with no new log entries coming in, the index which the watcher writes to keeps increasing in records. How can I avoid this, since I need the log entries with words like "attack" to appear only once in the index written to by the watcher?


(Alexander Reelsen) #4

Hey,

it sounds as if your watch query does not include a timestamp to filter only for recently added events. If you add such a filter, you could ensure only new entries are matched by the watch.

--Alex
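A watch with the timestamp filter Alex describes, as an added example (not from the original thread): the `firewall-*` index pattern, the `message` field and the `firewall-attacks` target index are assumptions, and the small Python function emulates the watch query over constructed log entries to show why the unfiltered watch re-copies the same records on every run while the filtered one matches each entry only in the window it arrived in.

```python
from datetime import datetime, timedelta, timezone

# Watch body in Elasticsearch Watcher syntax. The range filter on @timestamp is
# aligned with the trigger interval, so each run only sees entries newer than
# the previous run instead of the whole 3 months of logs.
WATCH_INTERVAL_MINUTES = 5
WATCH = {
    "trigger": {"schedule": {"interval": f"{WATCH_INTERVAL_MINUTES}m"}},
    "input": {"search": {"request": {
        "indices": ["firewall-*"],  # assumed index pattern
        "body": {"query": {"bool": {
            "must": [{"match": {"message": "attack"}}],  # assumed field name
            "filter": [{"range": {"@timestamp": {"gte": f"now-{WATCH_INTERVAL_MINUTES}m"}}}],
        }}},
    }}},
    "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
    "actions": {"copy_hits": {"index": {"index": "firewall-attacks"}}},  # assumed target
}

def matching_docs(docs, now, window_minutes=None):
    """Emulate the watch query over in-memory documents.
    window_minutes=None reproduces the original watch without a timestamp filter."""
    hits = []
    for doc in docs:
        if "attack" not in doc["message"].lower():
            continue
        if window_minutes is not None and doc["@timestamp"] < now - timedelta(minutes=window_minutes):
            continue
        hits.append(doc)
    return hits

def run_watch_twice(docs, first_run, window_minutes=None):
    """Number of documents the watch would copy on two consecutive scheduled runs."""
    second_run = first_run + timedelta(minutes=WATCH_INTERVAL_MINUTES)
    return (len(matching_docs(docs, first_run, window_minutes)),
            len(matching_docs(docs, second_run, window_minutes)))

# Constructed sample log entries: two old "attack" entries, one recent one, one benign.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LOGS = [
    {"@timestamp": NOW - timedelta(days=60), "message": "deny tcp 10.0.0.5 possible attack"},
    {"@timestamp": NOW - timedelta(days=10), "message": "ATTACK signature matched"},
    {"@timestamp": NOW - timedelta(minutes=2), "message": "attack pattern on port 22"},
    {"@timestamp": NOW - timedelta(minutes=1), "message": "permit tcp 443"},
]

if __name__ == "__main__":
    print("no filter:", run_watch_twice(LOGS, NOW))                        # (3, 3)
    print("with filter:", run_watch_twice(LOGS, NOW, WATCH_INTERVAL_MINUTES))  # (1, 0)
```

The window must match the schedule interval; an entry indexed with a timestamp older than the window is never copied, so a watch that runs late can still miss events.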

