2019-09-10 13:32:51 -04:00
|
|
|
[role="xpack"]
|
2017-03-28 17:23:01 -04:00
|
|
|
[[transform-search]]
|
2019-09-30 13:18:50 -04:00
|
|
|
=== Search transform
|
2017-03-28 17:23:01 -04:00
|
|
|
|
2019-09-30 13:18:50 -04:00
|
|
|
A <<transform,transform>> that executes a search on the cluster and replaces
|
2017-03-28 17:23:01 -04:00
|
|
|
the current payload in the watch execution context with the returned search
|
|
|
|
response. The following snippet shows how a simple search transform can be
|
|
|
|
defined on the watch level:
|
|
|
|
|
|
|
|
[source,js]
|
|
|
|
--------------------------------------------------
|
|
|
|
{
|
|
|
|
"transform" : {
|
|
|
|
"search" : {
|
|
|
|
"request" : {
|
|
|
|
"body" : { "query" : { "match_all" : {} }}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
--------------------------------------------------
|
2018-06-22 21:09:37 -04:00
|
|
|
// NOTCONSOLE
|
2017-03-28 17:23:01 -04:00
|
|
|
|
|
|
|
Like every other search based construct, one can make use of the full search
|
|
|
|
API supported by Elasticsearch. For example, the following search transform
|
|
|
|
execute a search over all events indices, matching events with `error` priority:
|
|
|
|
|
|
|
|
[source,js]
|
|
|
|
--------------------------------------------------
|
|
|
|
{
|
|
|
|
"transform" : {
|
|
|
|
"search" : {
|
|
|
|
"request" : {
|
|
|
|
"indices" : [ "events-*" ],
|
|
|
|
"body" : {
|
|
|
|
"size" : 0,
|
|
|
|
"query" : {
|
|
|
|
"match" : { "priority" : "error"}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
--------------------------------------------------
|
2018-06-22 21:09:37 -04:00
|
|
|
// NOTCONSOLE
|
2017-03-28 17:23:01 -04:00
|
|
|
|
|
|
|
The following table lists all available settings for the search transform:
|
|
|
|
|
|
|
|
[[transform-search-settings]]
|
2019-09-30 13:18:50 -04:00
|
|
|
.Search transform settings
|
2017-03-28 17:23:01 -04:00
|
|
|
[cols=",^,,", options="header"]
|
|
|
|
|======
|
|
|
|
| Name |Required | Default | Description
|
|
|
|
|
2019-09-30 13:18:50 -04:00
|
|
|
| `request.search_type` | no | query_then_fetch | The search <<request-body-search-search-type,type>>.
|
2017-03-28 17:23:01 -04:00
|
|
|
|
|
|
|
| `request.indices` | no | all indices | One or more indices to search on.
|
|
|
|
|
|
|
|
| `request.body` | no | `match_all` query | The body of the request. The
|
2019-09-30 13:18:50 -04:00
|
|
|
<<search-request-body,request body>> follows
|
2017-03-28 17:23:01 -04:00
|
|
|
the same structure you normally send in the body of
|
|
|
|
a REST `_search` request. The body can be static text
|
2019-09-30 13:18:50 -04:00
|
|
|
or include `mustache` <<templates,templates>>.
|
2017-03-28 17:23:01 -04:00
|
|
|
|
|
|
|
| `request.indices_options.expand_wildcards` | no | `open` | Determines how to expand indices wildcards. Can be one
|
|
|
|
of `open`, `closed`, `none` or `all`
|
2019-09-30 13:18:50 -04:00
|
|
|
(see <<multi-index,multi-index support>>)
|
2017-03-28 17:23:01 -04:00
|
|
|
|
|
|
|
| `request.indices_options.ignore_unavailable` | no | `true` | A boolean value that determines whether the search
|
|
|
|
should leniently ignore unavailable indices
|
2019-09-30 13:18:50 -04:00
|
|
|
(see <<multi-index,multi-index support>>)
|
2017-03-28 17:23:01 -04:00
|
|
|
|
|
|
|
| `request.indices_options.allow_no_indices` | no | `true` | A boolean value that determines whether the search
|
|
|
|
should leniently return no results when no indices
|
2019-09-30 13:18:50 -04:00
|
|
|
are resolved (see <<multi-index,multi-index support>>)
|
2017-03-28 17:23:01 -04:00
|
|
|
|
|
|
|
| `request.template` | no | - | The body of the search template. See
|
2019-09-30 13:18:50 -04:00
|
|
|
<<templates,configure templates>> for more information.
|
2017-03-28 17:23:01 -04:00
|
|
|
|
|
|
|
| `timeout` | no | 30s | The timeout for waiting for the search api call to
|
|
|
|
return. If no response is returned within this time,
|
|
|
|
the search transform times out and fails. This setting
|
|
|
|
overrides the default timeouts.
|
|
|
|
|======
|
|
|
|
|
|
|
|
[[transform-search-template]]
|
2019-09-30 13:18:50 -04:00
|
|
|
==== Template support
|
2017-03-28 17:23:01 -04:00
|
|
|
|
|
|
|
The search transform support mustache <<templates, templates>>. This can either
|
|
|
|
be as part of the body definition, or alternatively, point to an existing
|
2019-09-30 13:18:50 -04:00
|
|
|
template (either defined in a file or <<pre-registered-templates,registered>>
|
2017-03-28 17:23:01 -04:00
|
|
|
as a script in Elasticsearch).
|
|
|
|
|
|
|
|
For example, the following snippet shows a search that refers to the scheduled
|
|
|
|
time of the watch:
|
|
|
|
|
|
|
|
[source,js]
|
|
|
|
--------------------------------------------------
|
|
|
|
{
|
|
|
|
"transform" : {
|
|
|
|
"search" : {
|
|
|
|
"request" : {
|
|
|
|
"indices" : [ "logstash-*" ],
|
|
|
|
"body" : {
|
|
|
|
"size" : 0,
|
|
|
|
"query" : {
|
|
|
|
"bool" : {
|
|
|
|
"must" : {
|
|
|
|
"match" : { "priority" : "error"}
|
|
|
|
},
|
|
|
|
"filter" : [
|
|
|
|
{
|
|
|
|
"range" : {
|
|
|
|
"@timestamp" : {
|
|
|
|
"from" : "{{ctx.trigger.scheduled_time}}||-30s",
|
|
|
|
"to" : "{{ctx.trigger.triggered_time}}"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
--------------------------------------------------
|
2018-06-22 21:09:37 -04:00
|
|
|
// NOTCONSOLE
|
2017-03-28 17:23:01 -04:00
|
|
|
|
|
|
|
The model of the template is a union between the provided `template.params`
|
2019-09-30 13:18:50 -04:00
|
|
|
settings and the <<watch-execution-context,standard watch execution context model>>.
|
2017-03-28 17:23:01 -04:00
|
|
|
|
|
|
|
The following is an example of using templates that refer to provided parameters:
|
|
|
|
|
|
|
|
[source,js]
|
|
|
|
--------------------------------------------------
|
|
|
|
{
|
|
|
|
"transform" : {
|
|
|
|
"search" : {
|
|
|
|
"request" : {
|
|
|
|
"indices" : [ "logstash-*" ],
|
|
|
|
"template" : {
|
2017-06-09 11:29:36 -04:00
|
|
|
"source" : {
|
2017-03-28 17:23:01 -04:00
|
|
|
"size" : 0,
|
|
|
|
"query" : {
|
|
|
|
"bool" : {
|
|
|
|
"must" : {
|
|
|
|
"match" : { "priority" : "{{priority}}"}
|
|
|
|
},
|
|
|
|
"filter" : [
|
|
|
|
{
|
|
|
|
"range" : {
|
|
|
|
"@timestamp" : {
|
|
|
|
"from" : "{{ctx.trigger.scheduled_time}}||-30s",
|
|
|
|
"to" : "{{ctx.trigger.triggered_time}}"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}
|
|
|
|
},
|
|
|
|
"params" : {
|
|
|
|
"priority" : "error"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
--------------------------------------------------
|
2018-06-22 21:09:37 -04:00
|
|
|
// NOTCONSOLE
|