[role="xpack"]
[[watcher-api-put-watch]]
=== Put watch API
++++
<titleabbrev>Put watch</titleabbrev>
++++

Either registers a new watch in {watcher} or updates an existing one.


[[watcher-api-put-watch-request]]
==== {api-request-title}

`PUT _watcher/watch/<watch_id>`


[[watcher-api-put-watch-prereqs]]
==== {api-prereq-title}

* You must have `manage_watcher` cluster privileges to use this API. For more
information, see <<security-privileges>>.


[[watcher-api-put-watch-desc]]
==== {api-description-title}

When a watch is registered, a new document that represents the watch is added to
the `.watches` index and its trigger is immediately registered with the relevant
trigger engine. Typically for the `schedule` trigger, the scheduler is the
trigger engine.

IMPORTANT: You must use {kib} or this API to create a watch. Do not put a watch
directly to the `.watches` index using the Elasticsearch index API.
If {es} {security-features} are enabled, do not give users `write`
privileges on the `.watches` index.

When adding a watch you can also define its initial
<<watch-active-state,active state>>. You do that by setting the `active`
parameter.


[[watcher-api-put-watch-security]]
===== Security integration

When {es} {security-features} are enabled, your watch can index or search only
on indices for which the user that stored the watch has privileges. If the user
is able to read index `a`, but not index `b`, the same applies when the watch
is executed.

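
One way to check the rule above that users should not hold `write` privileges on the `.watches` index is to audit role definitions offline. This is an added example, not part of the original documentation: `audit_roles`, `pattern_covers` and the sample roles are hypothetical, and it assumes role definitions in the `indices[].names` / `indices[].privileges` shape of an Elasticsearch role listing.

```python
import re

# Index privileges that let a user create, change or delete documents
# (assumed set of write-capable Elasticsearch index privileges).
WRITE_CAPABLE = {"all", "write", "index", "create", "create_doc", "delete"}


def pattern_covers(pattern, index=".watches"):
    """True/False for a wildcard pattern; None for a /regex/ pattern,
    which is reported for manual review instead of being evaluated."""
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return None
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, index) is not None


def audit_roles(roles):
    """Return sorted (role, pattern, privileges, verdict) tuples for every
    index grant that can write to `.watches`. Conservative: any matching
    pattern is reported, whatever other options the grant carries."""
    findings = []
    for role_name, role in roles.items():
        for grant in role.get("indices", []):
            granted = {p.lower() for p in grant.get("privileges", [])}
            risky = sorted(WRITE_CAPABLE & granted)
            if not risky:
                continue
            for pattern in grant.get("names", []):
                covers = pattern_covers(pattern)
                if covers is False:
                    continue
                verdict = "grants-write" if covers else "review-regex"
                findings.append((role_name, pattern, risky, verdict))
    return sorted(findings)


# Constructed sample roles; not taken from a real cluster.
SAMPLE_ROLES = {
    "logs_reader": {"cluster": [], "indices": [{"names": ["logstash*"], "privileges": ["read"]}]},
    "watch_author": {"cluster": ["manage_watcher"], "indices": [{"names": ["logstash*"], "privileges": ["read"]}]},
    "ops_admin": {"cluster": ["monitor"], "indices": [{"names": [".w*", "metrics-*"], "privileges": ["write", "read"]}]},
    "legacy_etl": {"cluster": [], "indices": [{"names": ["/\\..*/"], "privileges": ["index"]}]},
}

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_ROLES):
        print(finding)
```

The `watch_author` role, which has `manage_watcher` and only `read` on the data indices, produces no finding; that is the shape the prerequisites and the warning above call for.
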

[[watcher-api-put-watch-path-params]]
==== {api-path-parms-title}

`<watch_id>`::
(Required, string) Identifier for the watch.


[[watcher-api-put-watch-query-params]]
==== {api-query-parms-title}

`active`::
(Optional, boolean) Defines whether the watch is active or inactive by default.
The default value is `true`, which means the watch is active by default.


[[watcher-api-put-watch-request-body]]
==== {api-request-body-title}

A watch has the following fields:

[options="header"]
|======
| Name | Description

| `trigger` | The <<trigger,trigger>> that defines when
the watch should run.

| `input` | The <<input,input>> that defines the input
that loads the data for the watch.

| `condition` | The <<condition,condition>> that defines if
the actions should be run.

| `actions` | The list of <<actions,actions>> that will be
run if the condition matches.

| `metadata` | Metadata JSON that will be copied into the history entries.

| `throttle_period` | The minimum time between actions being run. The default
is 5 seconds. This default can be changed in the
config file with the setting
`xpack.watcher.throttle.period.default_period`. If both
this value and the `throttle_period_in_millis` parameter
are specified, {watcher} uses the last parameter
included in the request.

| `throttle_period_in_millis` | Minimum time in milliseconds between actions
being run. Defaults to `5000`. If both this
value and the `throttle_period` parameter are
specified, {watcher} uses the last parameter
included in the request.

|======


//[[watcher-api-put-watch-response-body]]
//==== {api-response-body-title}

//[[watcher-api-put-watch-response-codes]]
//==== {api-response-codes-title}


[[watcher-api-put-watch-example]]
==== {api-examples-title}

The following example adds a watch with the `my-watch` id that has the following
characteristics:

* The watch schedule triggers every minute.
* The watch search input looks for any 404 HTTP responses that occurred in the
last five minutes.
* The watch condition checks if any search hits were found.
* When found, the watch action sends an email to an administrator.


[source,console]
--------------------------------------------------
PUT _watcher/watch/my-watch
{
  "trigger" : {
    "schedule" : { "cron" : "0 0/1 * * * ?" }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [
          "logstash*"
        ],
        "body" : {
          "query" : {
            "bool" : {
              "must" : {
                "match": {
                  "response": 404
                }
              },
              "filter" : {
                "range": {
                  "@timestamp": {
                    "from": "{{ctx.trigger.scheduled_time}}||-5m",
                    "to": "{{ctx.trigger.triggered_time}}"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "actions" : {
    "email_admin" : {
      "email" : {
        "to" : "admin@domain.host.com",
        "subject" : "404 recently encountered"
      }
    }
  }
}
--------------------------------------------------


When you add a watch you can also define its initial
<<watch-active-state,active state>>. You do that
by setting the `active` parameter. The following command adds a watch and sets
it to be inactive by default:

[source,js]
--------------------------------------------------
PUT _watcher/watch/my-watch?active=false
--------------------------------------------------

NOTE: If you omit the `active` parameter, the watch is active by default.