Create or update a watch | Elasticsearch API documentation (v8)

Create or update a watch Generally available

POST /_watcher/watch/{id}

All methods and paths for this operation:

PUT /_watcher/watch/{id}

POST /_watcher/watch/{id}

When a watch is registered, a new document that represents the watch is added to the .watches index and its trigger is immediately registered with the relevant trigger engine. Typically for the schedule trigger, the scheduler is the trigger engine.

IMPORTANT: You must use Kibana or this API to create a watch. Do not add a watch directly to the .watches index by using the Elasticsearch index API. If Elasticsearch security features are enabled, do not give users write privileges on the .watches index.

When you add a watch you can also define its initial active state by setting the active parameter.

When Elasticsearch security features are enabled, your watch can index or search only on indices for which the user that stored the watch has privileges. If the user is able to read index a, but not index b, the same will apply when the watch runs.

Required authorization

Cluster privileges: manage_watcher

Path parameters

id string Required

The identifier for the watch.

Query parameters

active boolean

The initial state of the watch. The default value is true, which means the watch is active by default.
if_primary_term number

only update the watch if the last operation that has changed the watch has the specified primary term
if_seq_no number

only update the watch if the last operation that has changed the watch has the specified sequence number
version number

Explicit version number for concurrency control

application/json

Body

actions object

The list of actions that will be run if the condition matches.
Hide actions attribute Show actions attribute object
- * object Additional properties
  Hide * attributes Show * attributes object
  
  action_type string
  
  Values are email, webhook, index, logging, slack, or pagerduty.
  
  condition object
  
  Hide condition attributes Show condition attributes object
  
  always object
  
  array_compare object
  
  Hide array_compare attribute Show array_compare attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  path string Required
  
  compare object
  
  Hide compare attribute Show compare attribute object
  
  * object Additional properties
  
  never object
  
  script object
  
  Hide script attributes Show script attributes object
  
  lang string
  
  Default value is painless.
  
  params object
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  source string
  
  id string
  
  foreach string
  
  max_iterations number
  
  name string
  
  throttle_period string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  throttle_period_in_millis number
  
  Time unit for milliseconds
  
  transform object
  
  Hide transform attributes Show transform attributes object
  
  chain array[object]
  
  script object
  
  Hide script attributes Show script attributes object
  
  lang string
  
  Default value is painless.
  
  params object
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  source string
  
  id string
  
  search object
  
  Hide search attributes Show search attributes object
  
  request object Required
  
  Hide request attributes Show request attributes object
  
  body object
  
  Hide body attribute Show body attribute object
  
  query object Required
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  indices array[string]
  
  indices_options object
  
  Controls how to deal with unavailable concrete indices (closed or missing), how wildcard expressions are expanded to actual indices (all, closed or open indices) and how to deal with wildcard expressions that resolve to no indices.
  
  Hide indices_options attributes Show indices_options attributes object
  
  allow_no_indices boolean
  
  If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
  
  expand_wildcards string | array[string]
  
  ignore_unavailable boolean
  
  If true, missing or closed indices are not included in the response.
  
  Default value is false.
  
  ignore_throttled boolean
  
  If true, concrete, expanded or aliased indices are ignored when frozen.
  
  Default value is true.
  
  search_type string
  
  Values are query_then_fetch or dfs_query_then_fetch.
  
  template object
  
  Hide template attributes Show template attributes object
  
  explain boolean
  
  Default value is false.
  
  id string
  
  params object
  
  profile boolean
  
  Default value is false.
  
  source string
  
  An inline search template. Supports the same parameters as the search API's request body. Also supports Mustache variables. If no id is specified, this parameter is required.
  
  rest_total_hits_as_int boolean
  
  timeout string Required
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  index object
  
  Hide index attributes Show index attributes object
  
  index string Required
  
  doc_id string
  
  refresh string
  
  Values are true, false, or wait_for.
  
  op_type string
  
  Values are index or create.
  
  timeout string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  execution_time_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  logging object
  
  Hide logging attributes Show logging attributes object
  
  level string
  
  text string Required
  
  category string
  
  email object
  
  Hide email attributes Show email attributes object
  
  id string
  
  bcc string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  body object
  
  Hide body attributes Show body attributes object
  
  html string
  
  text string
  
  cc string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  from string
  
  priority string
  
  Values are lowest, low, normal, high, or highest.
  
  reply_to string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  sent_date string | number
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  string-1 string UnitMillis number
  
  Time unit for milliseconds
  
  subject string Required
  
  to string | array[string] Required
  
  One of:
  string-1 string array-2 array[string]
  
  attachments object
  
  Hide attachments attribute Show attachments attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  http object
  
  reporting object
  
  data object
  
  pagerduty object
  
  Hide pagerduty attributes Show pagerduty attributes object
  
  account string
  
  attach_payload boolean Required
  
  client string
  
  client_url string
  
  contexts array[object]
  
  Hide contexts attributes Show contexts attributes object
  
  href string
  
  src string
  
  type string Required
  
  Values are link or image.
  
  description string Required
  
  event_type string
  
  Values are trigger, resolve, or acknowledge.
  
  incident_key string Required
  
  proxy object
  
  Hide proxy attributes Show proxy attributes object
  
  host string
  
  port number
  
  slack object
  
  Hide slack attributes Show slack attributes object
  
  account string
  
  message object Required
  
  Hide message attributes Show message attributes object
  
  attachments array[object] Required
  
  Hide attachments attributes Show attachments attributes object
  
  author_icon string
  
  author_link string
  
  author_name string Required
  
  color string
  
  fallback string
  
  fields array[object]
  
  footer string
  
  footer_icon string
  
  image_url string
  
  pretext string
  
  text string
  
  thumb_url string
  
  title string Required
  
  title_link string
  
  ts
  
  dynamic_attachments object
  
  Hide dynamic_attachments attributes Show dynamic_attachments attributes object
  
  attachment_template object Required
  
  Hide attachment_template attributes Show attachment_template attributes object
  
  author_icon string
  
  author_link string
  
  author_name string Required
  
  color string
  
  fallback string
  
  fields array[object]
  
  footer string
  
  footer_icon string
  
  image_url string
  
  pretext string
  
  text string
  
  thumb_url string
  
  title string Required
  
  title_link string
  
  ts
  
  list_path string Required
  
  from string Required
  
  icon string
  
  text string Required
  
  to array[string] Required
  
  webhook object
  
  Hide webhook attributes Show webhook attributes object
  
  auth object
  
  Hide auth attribute Show auth attribute object
  
  basic object Required
  
  Hide basic attributes Show basic attributes object
  
  password string Required
  
  username string Required
  
  body string
  
  connection_timeout string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  headers object
  
  Hide headers attribute Show headers attribute object
  
  * string Additional properties
  
  host string
  
  method string
  
  Values are head, get, post, put, or delete.
  
  params object
  
  Hide params attribute Show params attribute object
  
  * string Additional properties
  
  path string
  
  port number
  
  proxy object
  
  Hide proxy attributes Show proxy attributes object
  
  host string Required
  
  port number Required
  
  read_timeout string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  scheme string
  
  Values are http or https.
  
  url string
condition object
Hide condition attributes Show condition attributes object
- always object
- array_compare object
  Hide array_compare attribute Show array_compare attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  path string Required
- compare object
  Hide compare attribute Show compare attribute object
  
  * object Additional properties
- never object
- script object
  Hide script attributes Show script attributes object
  
  lang string
  
  Default value is painless.
  
  params object
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  source string
  
  id string
input object
Hide input attributes Show input attributes object
- chain object
  Hide chain attribute Show chain attribute object
  
  inputs array[object] Required
  
  Hide inputs attribute Show inputs attribute object
  
  * object
- http object
  Hide http attributes Show http attributes object
  
  extract array[string]
  
  request object
  
  Hide request attributes Show request attributes object
  
  auth object
  
  Hide auth attribute Show auth attribute object
  
  basic object Required
  
  Hide basic attributes Show basic attributes object
  
  password string Required
  
  username string Required
  
  body string
  
  connection_timeout string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  headers object
  
  Hide headers attribute Show headers attribute object
  
  * string Additional properties
  
  host string
  
  method string
  
  Values are head, get, post, put, or delete.
  
  params object
  
  Hide params attribute Show params attribute object
  
  * string Additional properties
  
  path string
  
  port number
  
  proxy object
  
  Hide proxy attributes Show proxy attributes object
  
  host string Required
  
  port number Required
  
  read_timeout string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  scheme string
  
  Values are http or https.
  
  url string
  
  response_content_type string
  
  Values are json, yaml, or text.
- search object
  Hide search attributes Show search attributes object
  
  extract array[string]
  
  request object Required
  
  Hide request attributes Show request attributes object
  
  body object
  
  Hide body attribute Show body attribute object
  
  query object Required
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  indices array[string]
  
  indices_options object
  
  Controls how to deal with unavailable concrete indices (closed or missing), how wildcard expressions are expanded to actual indices (all, closed or open indices) and how to deal with wildcard expressions that resolve to no indices.
  
  Hide indices_options attributes Show indices_options attributes object
  
  allow_no_indices boolean
  
  If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
  
  expand_wildcards string | array[string]
  
  ignore_unavailable boolean
  
  If true, missing or closed indices are not included in the response.
  
  Default value is false.
  
  ignore_throttled boolean
  
  If true, concrete, expanded or aliased indices are ignored when frozen.
  
  Default value is true.
  
  search_type string
  
  Values are query_then_fetch or dfs_query_then_fetch.
  
  template object
  
  Hide template attributes Show template attributes object
  
  explain boolean
  
  Default value is false.
  
  id string
  
  params object
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  profile boolean
  
  Default value is false.
  
  source string
  
  An inline search template. Supports the same parameters as the search API's request body. Also supports Mustache variables. If no id is specified, this parameter is required.
  
  rest_total_hits_as_int boolean
  
  timeout string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
- simple object
  Hide simple attribute Show simple attribute object
  
  * object Additional properties
metadata object
Hide metadata attribute Show metadata attribute object
- * object Additional properties
throttle_period string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
throttle_period_in_millis number

Time unit for milliseconds
transform object
Hide transform attributes Show transform attributes object
- chain array[object]
- script object
  Hide script attributes Show script attributes object
  
  lang string
  
  Default value is painless.
  
  params object
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  source string
  
  id string
- search object
  Hide search attributes Show search attributes object
  
  request object Required
  
  Hide request attributes Show request attributes object
  
  body object
  
  Hide body attribute Show body attribute object
  
  query object Required
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  indices array[string]
  
  indices_options object
  
  Controls how to deal with unavailable concrete indices (closed or missing), how wildcard expressions are expanded to actual indices (all, closed or open indices) and how to deal with wildcard expressions that resolve to no indices.
  
  Hide indices_options attributes Show indices_options attributes object
  
  allow_no_indices boolean
  
  If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
  
  expand_wildcards string | array[string]
  
  ignore_unavailable boolean
  
  If true, missing or closed indices are not included in the response.
  
  Default value is false.
  
  ignore_throttled boolean
  
  If true, concrete, expanded or aliased indices are ignored when frozen.
  
  Default value is true.
  
  search_type string
  
  Values are query_then_fetch or dfs_query_then_fetch.
  
  template object
  
  Hide template attributes Show template attributes object
  
  explain boolean
  
  Default value is false.
  
  id string
  
  params object
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  profile boolean
  
  Default value is false.
  
  source string
  
  An inline search template. Supports the same parameters as the search API's request body. Also supports Mustache variables. If no id is specified, this parameter is required.
  
  rest_total_hits_as_int boolean
  
  timeout string Required
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
trigger object
Hide trigger attribute Show trigger attribute object
- schedule object
  Hide schedule attributes Show schedule attributes object
  
  timezone string
  
  cron string
  
  daily object
  
  Hide daily attribute Show daily attribute object
  
  at array[string | object] Required
  
  A time of day, expressed either as hh:mm, noon, midnight, or an hour/minutes structure.
  
  A time of day, expressed either as hh:mm, noon, midnight, or an hour/minutes structure.
  
  One of:
  string-1 string HourAndMinute object
  
  hourly object
  
  Hide hourly attribute Show hourly attribute object
  
  minute array[number] Required
  
  interval string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  monthly object | array[object]
  
  One of:
  TimeOfMonth object array-2 array[object]
  
  Hide attributes Show attributes object
  
  at array[string] Required
  
  on array[number] Required
  
  weekly object | array[object]
  
  One of:
  TimeOfWeek object array-2 array[object]
  
  Hide attributes Show attributes object
  
  at array[string] Required
  
  on array[string] Required
  
  Values are sunday, monday, tuesday, wednesday, thursday, friday, or saturday.
  
  yearly object | array[object]
  
  One of:
  TimeOfYear object array-2 array[object]
  
  Hide attributes Show attributes object
  
  at array[string] Required
  
  int array[string] Required
  
  Values are january, february, march, april, may, june, july, august, september, october, november, or december.
  
  on array[number] Required

Responses

200 application/json
Hide response attributes Show response attributes object
- created boolean Required
- _id string Required
- _primary_term number Required
- _seq_no number Required
- _version number Required

POST /_watcher/watch/{id}

PUT _watcher/watch/my-watch { "trigger" : { "schedule" : { "cron" : "0 0/1 * * * ?" } }, "input" : { "search" : { "request" : { "indices" : [ "logstash*" ], "body" : { "query" : { "bool" : { "must" : { "match": { "response": 404 } }, "filter" : { "range": { "@timestamp": { "from": "{{ctx.trigger.scheduled_time}}||-5m", "to": "{{ctx.trigger.triggered_time}}" } } } } } } } } }, "condition" : { "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }} }, "actions" : { "email_admin" : { "email" : { "to" : "admin@domain.host.com", "subject" : "404 recently encountered" } } } }

resp = client.watcher.put_watch( id="my-watch", trigger={ "schedule": { "cron": "0 0/1 * * * ?" } }, input={ "search": { "request": { "indices": [ "logstash*" ], "body": { "query": { "bool": { "must": { "match": { "response": 404 } }, "filter": { "range": { "@timestamp": { "from": "{{ctx.trigger.scheduled_time}}||-5m", "to": "{{ctx.trigger.triggered_time}}" } } } } } } } } }, condition={ "compare": { "ctx.payload.hits.total": { "gt": 0 } } }, actions={ "email_admin": { "email": { "to": "admin@domain.host.com", "subject": "404 recently encountered" } } }, )

const response = await client.watcher.putWatch({ id: "my-watch", trigger: { schedule: { cron: "0 0/1 * * * ?", }, }, input: { search: { request: { indices: ["logstash*"], body: { query: { bool: { must: { match: { response: 404, }, }, filter: { range: { "@timestamp": { from: "{{ctx.trigger.scheduled_time}}||-5m", to: "{{ctx.trigger.triggered_time}}", }, }, }, }, }, }, }, }, }, condition: { compare: { "ctx.payload.hits.total": { gt: 0, }, }, }, actions: { email_admin: { email: { to: "admin@domain.host.com", subject: "404 recently encountered", }, }, }, });

response = client.watcher.put_watch( id: "my-watch", body: { "trigger": { "schedule": { "cron": "0 0/1 * * * ?" } }, "input": { "search": { "request": { "indices": [ "logstash*" ], "body": { "query": { "bool": { "must": { "match": { "response": 404 } }, "filter": { "range": { "@timestamp": { "from": "{{ctx.trigger.scheduled_time}}||-5m", "to": "{{ctx.trigger.triggered_time}}" } } } } } } } } }, "condition": { "compare": { "ctx.payload.hits.total": { "gt": 0 } } }, "actions": { "email_admin": { "email": { "to": "admin@domain.host.com", "subject": "404 recently encountered" } } } } )

$resp = $client->watcher()->putWatch([ "id" => "my-watch", "body" => [ "trigger" => [ "schedule" => [ "cron" => "0 0/1 * * * ?", ], ], "input" => [ "search" => [ "request" => [ "indices" => array( "logstash*", ), "body" => [ "query" => [ "bool" => [ "must" => [ "match" => [ "response" => 404, ], ], "filter" => [ "range" => [ "@timestamp" => [ "from" => "{{ctx.trigger.scheduled_time}}||-5m", "to" => "{{ctx.trigger.triggered_time}}", ], ], ], ], ], ], ], ], ], "condition" => [ "compare" => [ "ctx.payload.hits.total" => [ "gt" => 0, ], ], ], "actions" => [ "email_admin" => [ "email" => [ "to" => "admin@domain.host.com", "subject" => "404 recently encountered", ], ], ], ], ]);

curl -X PUT -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"trigger":{"schedule":{"cron":"0 0/1 * * * ?"}},"input":{"search":{"request":{"indices":["logstash*"],"body":{"query":{"bool":{"must":{"match":{"response":404}},"filter":{"range":{"@timestamp":{"from":"{{ctx.trigger.scheduled_time}}||-5m","to":"{{ctx.trigger.triggered_time}}"}}}}}}}}},"condition":{"compare":{"ctx.payload.hits.total":{"gt":0}}},"actions":{"email_admin":{"email":{"to":"admin@domain.host.com","subject":"404 recently encountered"}}}}' "$ELASTICSEARCH_URL/_watcher/watch/my-watch"

client.watcher().putWatch(p -> p .actions("email_admin", a -> a .email(e -> e .subject("404 recently encountered") .to("admin@domain.host.com") ) ) .condition(c -> c .compare(NamedValue.of("ctx.payload.hits.total",Pair.of(ConditionOp.Gt,FieldValue.of(0)))) ) .id("my-watch") .input(i -> i .search(s -> s .request(r -> r .body(b -> b .query(q -> q .bool(bo -> bo .filter(f -> f .range(ra -> ra .untyped(u -> u .field("@timestamp") .from(JsonData.fromJson("\"{{ctx.trigger.scheduled_time}}||-5m\"")) .to(JsonData.fromJson("\"{{ctx.trigger.triggered_time}}\"")) ) ) ) .must(m -> m .match(ma -> ma .field("response") .query(FieldValue.of(404)) ) ) ) ) ) .indices("logstash*") ) ) ) .trigger(t -> t .schedule(sc -> sc .cron("0 0/1 * * * ?") ) ) );

Request example

Run `PUT _watcher/watch/my-watch` add a watch. The watch schedule triggers every minute. The watch search input looks for any 404 HTTP responses that occurred in the last five minutes. The watch condition checks if any search hits where found. When found, the watch action sends an email to an administrator.

{ "trigger" : { "schedule" : { "cron" : "0 0/1 * * * ?" } }, "input" : { "search" : { "request" : { "indices" : [ "logstash*" ], "body" : { "query" : { "bool" : { "must" : { "match": { "response": 404 } }, "filter" : { "range": { "@timestamp": { "from": "{{ctx.trigger.scheduled_time}}||-5m", "to": "{{ctx.trigger.triggered_time}}" } } } } } } } } }, "condition" : { "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }} }, "actions" : { "email_admin" : { "email" : { "to" : "admin@domain.host.com", "subject" : "404 recently encountered" } } } }

Create or update a watch Generally available

Required authorization

Path parameters

Query parameters

Body

bcc string | array[string]

cc string | array[string]

reply_to string | array[string]

sent_date string | number

to string | array[string] Required

monthly object | array[object]

weekly object | array[object]

yearly object | array[object]

Responses