Hi, moving onto watchers, now I have been trying this configuration (I want to look for the keyword "error" in my indices and if found, generate an OTRS ticket):
The script section in transform is executable code, so you need to return the context to the next section (in your case the webhook section).
Also, notice in that example the usage of single quotes, not double quotes, and square brackets [] instead of curly braces {}.
Your search syntax doesn't take time into account. If you want your watch to run every minute, then you should only be looking at the last minute's worth of data. Otherwise, you will always match (or as long as any error exists in your logs for however long you keep them).
Do you really want to look over ALL indices ("*")? This seems like a bad idea. Specify your index name or index pattern of the indices you really want to query.
The username/password in the auth is for the system the webhook is authenticating to (so in your case the ticketing system, not to authenticate with Elasticsearch).
Test your watch using Watcher's _execute endpoint first. Then PUT the watch.
See example below that will get you close to where you need to be. I just posted to an internet webserver that does nothing, only so I can see the format of what is being sent.
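The reply above lists the things that go wrong in this kind of watch: a transform script that never returns a value, a search that is not bounded to the schedule interval, an index pattern of "*", and confusion about whose credentials the webhook auth block carries. The following added example (not the original poster's or the replier's watch, and not Elastic's own code) builds a watch body that follows that advice and runs a few sanity checks over it before you send it to the _execute endpoint. The index pattern, ticketing host, path and credentials are placeholders.

```python
"""Build an Elasticsearch Watcher definition that searches the last scheduling
interval for the keyword "error" and posts the result to a ticketing webhook,
then lint it for the mistakes called out in the thread above.
All host names, paths, index patterns and credentials are hypothetical."""
import json


def build_error_watch(index_pattern="app-logs-*", interval_minutes=1,
                      ticket_host="otrs.example.internal",
                      ticket_path="/otrs/nph-genericinterface.pl/Webservice/Ticket",
                      username="watcher-bot", password="PLACEHOLDER_PASSWORD"):
    """Return a watch body as a dict (ready for json.dumps)."""
    window = f"now-{interval_minutes}m"
    # Painless transform: single quotes and square brackets for the map literal,
    # and an explicit return so the webhook action receives the new payload.
    transform_script = (
        "return ['count': ctx.payload.hits.total, "
        "'first_message': ctx.payload.hits.hits[0]._source.message, "
        "'watch_id': ctx.watch_id]"
    )
    return {
        "trigger": {"schedule": {"interval": f"{interval_minutes}m"}},
        "input": {"search": {"request": {
            # A concrete index pattern, never "*".
            "indices": [index_pattern],
            "body": {"size": 1, "query": {"bool": {
                "must": [{"match": {"message": "error"}}],
                # Only look at data from the last interval, so the watch
                # does not fire forever on old errors.
                "filter": [{"range": {"@timestamp": {"gte": window, "lt": "now"}}}],
            }}},
        }}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "transform": {"script": {"source": transform_script, "lang": "painless"}},
        "actions": {"open_ticket": {"webhook": {
            "scheme": "https", "host": ticket_host, "port": 443, "method": "post",
            "path": ticket_path,
            "headers": {"Content-Type": "application/json"},
            # These credentials are for the ticketing system, not Elasticsearch.
            "auth": {"basic": {"username": username, "password": password}},
            "body": "{{#toJson}}ctx.payload{{/toJson}}",
        }}},
    }


def lint_watch(watch):
    """Return a list of problems matching the advice in the thread; [] if clean."""
    problems = []
    request = watch["input"]["search"]["request"]
    if any(p.strip() in ("*", "_all") for p in request.get("indices", [])):
        problems.append("search targets all indices; name the index pattern you mean")
    interval = watch["trigger"]["schedule"]["interval"]
    if f"now-{interval}" not in json.dumps(request.get("body", {})):
        problems.append(f"query is not bounded to the last {interval}; "
                        "it will keep matching old errors")
    script = watch.get("transform", {}).get("script", {}).get("source", "")
    if "return" not in script:
        problems.append("transform script returns nothing, so the webhook sees no payload")
    if '"' in script:
        problems.append("transform script uses double quotes inside a JSON string")
    for name, action in watch.get("actions", {}).items():
        hook = action.get("webhook", {})
        if action.get("webhook") is not None and not (hook.get("host") and hook.get("path")):
            problems.append(f"webhook action {name!r} is missing host or path")
    return problems


def execute_request_body(watch, simulate=True):
    """Body for POST _watcher/watch/_execute with the watch supplied inline,
    so it can be tried before it is stored with PUT."""
    body = {"watch": watch, "record_execution": False}
    if simulate:
        # Run the condition and transform, but do not actually call the webhook.
        body["action_modes"] = {"_all": "simulate"}
    return body


if __name__ == "__main__":
    watch = build_error_watch()
    print("lint:", lint_watch(watch) or "clean")
    print(json.dumps(execute_request_body(watch), indent=2))
```

Running the script prints the _execute request body; only once the lint comes back clean and the simulated execution shows the expected payload does it make sense to PUT the same watch body under its own id.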
Thanks a lot... yes, there were so many errors. This was my first time making something like this. Anyway, can we remove the basic auth part, since for me it goes in the URL itself?