Tags: elasticsearch, elasticsearch-py, elasticsearch-watcher

elasticsearch watcher could not parse search input


I'm trying to configure an Elasticsearch Watcher Watch to alert on certain messages, but I'm unable to get my search input to work. I tried using both Sense and elasticsearch-watcher-py, but Watcher always returns a "parse_exception".

from elasticsearch import Elasticsearch
from elasticsearch_watcher import WatcherClient

# Client setup as in the elasticsearch-watcher-py README (assumed; the original
# post only shows the put_watch call). infect_client adds the .watcher namespace
# to a regular elasticsearch-py client.
est = Elasticsearch()
WatcherClient.infect_client(est)

est.watcher.put_watch(
    id='a1b_error',
    body={
        # run the watch every night at midnight
        'trigger': { 'schedule': { 'daily': { 'at': 'midnight' }}},
        # fire the actions only when the search returned at least one hit
        'condition': { 'script': { 'inline': 'ctx.payload.hits.total > 0' } },
        'input': {
            'search': {
                'requests': {
                    'indices': ['logstash-*'],
                    'body': {
                        'query': {
                            'bool': {
                                'must': [
                                    { 'match': { 'Projekt': 'ourproject' }},
                                    { 'match': { 'Modus': 'production' }},
                                    { 'match': { 'facility': 'somebackend.log' }},
                                    { 'wildcard': { 'message': 'SOMEERROR*' }},
                                    { 'range': { '@timestamp' : { 'gte': 'now-30d', 'lt': 'now' }}}
                                ]
                            }
                        }
                    }
                }
            }
        },
        'actions': {
            'log' : {
                'logging' : {
                    'test': 'Watch triggered!'
                }
            }
        }
    }
)

Using elasticsearch-py with the exact same search query returns 186 results just fine, but Watcher keeps returning status 400 and a parse_exception with the reason "could not parse [search] input for watch [testwatch]. unexpected token [START_OBJECT]".


Solution

  • As someone on the Elastic forum pointed out to me, it was merely a typo.

    'requests': {

    should really be

    'request': {

    Also, for completeness' sake, there's an error in my action; the following would be correct.

    'actions': {
        'log' : {
            'logging' : {
                'text': 'Watch triggered!'
            }
        }
    }
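An added example, not code from the question or the answer above: the corrected watch body in Python, together with a small pre-flight check that flags the two key typos discussed in this thread ('requests' for 'request', 'test' for 'text') before the body is ever sent to Watcher. The sets of accepted keys under input.search and under a logging action are assumed from the Watcher documentation; the field names, index pattern and message pattern are the question's own.

```python
# Added example, not from the original post: the corrected watch body plus a
# lint step that catches the two typos from this thread before put_watch().
SEARCH_INPUT_KEYS = {"request", "extract", "timeout"}   # assumed from Watcher docs
LOGGING_ACTION_KEYS = {"text", "level", "category"}     # assumed from Watcher docs


def build_watch(indices=("logstash-*",), pattern="SOMEERROR*"):
    """Return the corrected watch body: 'request' (singular) and 'text'."""
    return {
        "trigger": {"schedule": {"daily": {"at": "midnight"}}},
        "condition": {"script": {"inline": "ctx.payload.hits.total > 0"}},
        "input": {"search": {"request": {
            "indices": list(indices),
            "body": {"query": {"bool": {"must": [
                {"match": {"Projekt": "ourproject"}},
                {"match": {"Modus": "production"}},
                {"match": {"facility": "somebackend.log"}},
                {"wildcard": {"message": pattern}},
                {"range": {"@timestamp": {"gte": "now-30d", "lt": "now"}}},
            ]}}},
        }}},
        "actions": {"log": {"logging": {"text": "Watch triggered!"}}},
    }

def lint_watch(body):
    """Return a list of problems with a watch body ([] means it looks sane).

    Only the parts this thread is about are checked: the keys directly under
    input.search and under each logging action. An unknown key there is what
    Watcher reports as the unhelpful 'unexpected token [START_OBJECT]'.
    """
    problems = []
    search = body.get("input", {}).get("search")
    if search is not None:
        if "request" not in search:
            problems.append("input.search is missing the 'request' key")
        for key in search:
            if key not in SEARCH_INPUT_KEYS:
                problems.append(f"input.search has unknown key '{key}'")
    for name, action in body.get("actions", {}).items():
        log_action = action.get("logging")
        if log_action is None:
            continue
        if "text" not in log_action:
            problems.append(f"action '{name}': logging is missing 'text'")
        for key in log_action:
            if key not in LOGGING_ACTION_KEYS:
                problems.append(f"action '{name}': logging has unknown key '{key}'")
    return problems
```

Running lint_watch on the body from the question reports both typos by name, while the corrected body passes cleanly.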