Watchers: querying for multiple strings in timeframe

Hi everyone,

I've been working to get a watcher configured that will look for either of two options in the text of a field, in this case message.
Of all those, I'd want to alert if any of them happened in the last, say, thirty minutes.

I have made a number of tries; currently:

{
  "trigger": {
    "schedule": {
      "interval": "30m"
    }
  },
  "input": {
    "search": {
      "request": {
        "body": {
          "size": 5,
          "query": {
            "bool": {
              "should": [
                { "match": { "message": "match1" }},
                { "match": { "message": "match2" }}
              ],
              "filter": [
                { "range": { "@timestamp": { "gte": "now-30d" }}}
              ]
            }
          }
        },
        "indices": [
          "wso2ei-errors-*"
        ]
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions": {
    "my-logging-action": {
      "logging": {
        "text": "There are {{ctx.payload.hits.total}} documents in your index. Threshold is 10."
      }
    }
  }
}

I have gotten >10000, 0 or a few hundred results. When searching in Discover, I get 21. After a day of trying, I am completely confused as to why that might be... I've tried message.raw, along with several different types of queries.

If anyone has any clues as to what might help solve this, I'd be very happy!

Thanks in advance :)

Your search in Discover was very likely different. Can you paste what it looked like?

Note that a should query like this without a must part will be treated as an OR query: match1 OR match2.
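Added example, not code from either poster: it builds the same watcher search body in Python with an explicit minimum_should_match, and runs a local approximation of the bool query over constructed documents. Elasticsearch only defaults minimum_should_match to 1 when the bool has no must or filter clause, so with the range filter present the should clauses become optional and the filter alone matches everything in the window; the `matches` function here mimics that rule and simulates `match` as a case-insensitive whole-word hit (an assumption, not the real analyzer).

```python
import re
from datetime import datetime, timedelta, timezone

def build_watch_body(terms, window="30m", size=5):
    """Watcher search body: any of `terms` in `message` within the last `window`."""
    return {
        "size": size,
        "query": {"bool": {
            "should": [{"match": {"message": t}} for t in terms],
            # Elasticsearch only requires a should clause by default when the bool
            # has no must/filter; with the range filter present, pin it explicitly.
            "minimum_should_match": 1,
            "filter": [{"range": {"@timestamp": {"gte": f"now-{window}"}}}],
        }},
    }

def parse_window(spec):
    """'now-30m' / 'now-2h' / 'now-30d' -> timedelta (assumed subset of date math)."""
    m = re.fullmatch(r"now-(\d+)([mhd])", spec)
    if not m:
        raise ValueError(f"unsupported range: {spec}")
    n, unit = int(m.group(1)), m.group(2)
    return timedelta(**{{"m": "minutes", "h": "hours", "d": "days"}[unit]: n})

def matches(doc, body, now):
    """Local approximation of the bool query: range filter AND enough should hits."""
    b = body["query"]["bool"]
    since = now - parse_window(b["filter"][0]["range"]["@timestamp"]["gte"])
    if doc["@timestamp"] < since:
        return False
    words = set(re.findall(r"\w+", doc["message"].lower()))  # assumed tokenizer
    hits = sum(c["match"]["message"].lower() in words for c in b["should"])
    # same default rule Elasticsearch applies: 0 when must/filter present, else 1
    need = b.get("minimum_should_match", 0 if (b.get("filter") or b.get("must")) else 1)
    return hits >= need

def count_hits(docs, body, now):
    return sum(matches(d, body, now) for d in docs)

# Constructed sample documents (not real index data).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
DOCS = [
    {"@timestamp": NOW - timedelta(minutes=5), "message": "ERROR match1 in mediator"},
    {"@timestamp": NOW - timedelta(minutes=10), "message": "INFO routine heartbeat"},
    {"@timestamp": NOW - timedelta(days=2), "message": "ERROR match2 timeout"},
    {"@timestamp": NOW - timedelta(minutes=1), "message": "WARN match2 retry"},
]
```

With the explicit minimum_should_match and a 30m window only the two documents containing a term count; dropping that key and widening the range to now-30d, as in the posted watch, counts every document in the window.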