[role="xpack"]
[[transform-search]]
=== Search transform

A <> that executes a search on the cluster and replaces the current payload in
the watch execution context with the returned search response.

The following snippet shows how a simple search transform can be defined on the
watch level:

[source,js]
--------------------------------------------------
{
  "transform" : {
    "search" : {
      "request" : {
        "body" : { "query" : { "match_all" : {} }}
      }
    }
  }
}
--------------------------------------------------
// NOTCONSOLE

Like every other search based construct, one can make use of the full search
API supported by Elasticsearch. For example, the following search transform
executes a search over all events indices, matching events with `error`
priority:

[source,js]
--------------------------------------------------
{
  "transform" : {
    "search" : {
      "request" : {
        "indices" : [ "events-*" ],
        "body" : {
          "size" : 0,
          "query" : { "match" : { "priority" : "error"} }
        }
      }
    }
  }
}
--------------------------------------------------
// NOTCONSOLE

The following table lists all available settings for the search transform:

[[transform-search-settings]]
.Search transform settings
[cols=",^,,", options="header"]
|======
| Name                                         | Required | Default            | Description

| `request.search_type`                        | no       | query_then_fetch   | The search <>.

| `request.indices`                            | no       | all indices        | One or more indices to search on.

| `request.body`                               | no       | `match_all` query  | The body of the request. The <> follows the same structure you normally send in the body of a REST `_search` request. The body can be static text or include `mustache` <>.

| `request.indices_options.expand_wildcards`   | no       | `open`             | Determines how to expand indices wildcards. Can be one of `open`, `closed`, `none` or `all` (see <>).

| `request.indices_options.ignore_unavailable` | no       | `true`             | A boolean value that determines whether the search should leniently ignore unavailable indices (see <>).

| `request.indices_options.allow_no_indices`   | no       | `true`             | A boolean value that determines whether the search should leniently return no results when no indices are resolved (see <>).

| `request.template`                           | no       | -                  | The body of the search template. See <> for more information.

| `timeout`                                    | no       | 30s                | The timeout for waiting for the search API call to return. If no response is returned within this time, the search transform times out and fails. This setting overrides the default timeouts.
|======

[[transform-search-template]]
==== Template support

The search transform supports mustache <>. The template can either be part of
the body definition or, alternatively, point to an existing template (either
defined in a file or <> as a script in Elasticsearch).

For example, the following snippet shows a search that refers to the scheduled
time of the watch:

[source,js]
--------------------------------------------------
{
  "transform" : {
    "search" : {
      "request" : {
        "indices" : [ "logstash-*" ],
        "body" : {
          "size" : 0,
          "query" : {
            "bool" : {
              "must" : {
                "match" : { "priority" : "error"}
              },
              "filter" : [
                {
                  "range" : {
                    "@timestamp" : {
                      "from" : "{{ctx.trigger.scheduled_time}}||-30s",
                      "to" : "{{ctx.trigger.triggered_time}}"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  }
}
--------------------------------------------------
// NOTCONSOLE

The model available to the template is the union of the provided
`template.params` settings and the <>.

The following is an example of using templates that refer to provided
parameters:

[source,js]
--------------------------------------------------
{
  "transform" : {
    "search" : {
      "request" : {
        "indices" : [ "logstash-*" ],
        "template" : {
          "source" : {
            "size" : 0,
            "query" : {
              "bool" : {
                "must" : {
                  "match" : { "priority" : "{{priority}}"}
                },
                "filter" : [
                  {
                    "range" : {
                      "@timestamp" : {
                        "from" : "{{ctx.trigger.scheduled_time}}||-30s",
                        "to" : "{{ctx.trigger.triggered_time}}"
                      }
                    }
                  }
                ]
              }
            }
          },
          "params" : {
            "priority" : "error"
          }
        }
      }
    }
  }
}
--------------------------------------------------
// NOTCONSOLE
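The following Python script is an added worked example, not code from the
Elasticsearch documentation or the Watcher code base. It applies the defaults
from the settings table to a transform definition and renders the
template-with-params example above against the model the page describes, the
union of `template.params` and the watch execution context. Its mustache
support is a deliberate subset (plain `{{...}}` variable tags only) and the
`ctx.trigger` timestamps are constructed sample values; both are this example's
own assumptions, not Elasticsearch behaviour.

```python
"""Added example (not Elasticsearch code): resolve a `search` transform against
the documented defaults and render its mustache template against the model the
page describes, the union of `template.params` and the watch execution context.
Only plain {{a.b.c}} variable tags are handled and the sample ctx values are
constructed; both are this example's own assumptions."""
import json
import re
from typing import Any

# Defaults from the "Search transform settings" table.
DEFAULT_SEARCH_TYPE = "query_then_fetch"
DEFAULT_BODY = {"query": {"match_all": {}}}
DEFAULT_INDICES_OPTIONS = {"expand_wildcards": "open",
                           "ignore_unavailable": True,
                           "allow_no_indices": True}
DEFAULT_TIMEOUT = "30s"
VALID_EXPAND_WILDCARDS = {"open", "closed", "none", "all"}

_TAG = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")  # e.g. {{ctx.trigger.scheduled_time}}


def resolve_search_transform(transform: dict) -> dict:
    """Apply the table's defaults and reject values it does not allow."""
    search = transform["search"]
    request = search.get("request", {})
    options = {**DEFAULT_INDICES_OPTIONS, **request.get("indices_options", {})}
    if options["expand_wildcards"] not in VALID_EXPAND_WILDCARDS:
        raise ValueError(f"invalid expand_wildcards: {options['expand_wildcards']!r}")
    resolved = {
        "search_type": request.get("search_type", DEFAULT_SEARCH_TYPE),
        "indices": list(request.get("indices", [])),  # [] stands for "all indices"
        "indices_options": options,
        "timeout": search.get("timeout", DEFAULT_TIMEOUT),  # top-level setting
    }
    if "template" in request:
        resolved["template"] = request["template"]
    else:
        resolved["body"] = request.get("body", DEFAULT_BODY)
    return resolved


def render_template(source: Any, params: dict, ctx: dict) -> Any:
    """Render {{...}} variable tags inside a parsed JSON structure.

    The model is params plus ctx; ctx is added last so a param named "ctx"
    cannot shadow the execution context (this example's precedence choice).
    Substitution runs over the parsed structure, not over JSON text, so a
    value such as 'error"}}' stays inside a string and cannot reshape the query.
    """
    model = {**params, "ctx": ctx}

    def lookup(dotted: str) -> Any:
        node: Any = model
        for part in dotted.split("."):
            if not isinstance(node, dict) or part not in node:
                raise KeyError(f"unresolved template variable: {dotted}")
            node = node[part]
        return node

    def substitute(match) -> str:
        value = lookup(match.group(1))
        return value if isinstance(value, str) else json.dumps(value)

    def walk(node: Any) -> Any:
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str):
            return _TAG.sub(substitute, node)
        return node

    return walk(source)


def render_transform_body(transform: dict, ctx: dict) -> dict:
    """Return the search body the transform would send for this execution."""
    resolved = resolve_search_transform(transform)
    if "template" in resolved:
        tpl = resolved["template"]
        return render_template(tpl["source"], tpl.get("params", {}), ctx)
    return render_template(resolved["body"], {}, ctx)


# The template-with-params transform from the page.
EXAMPLE_TRANSFORM = {"search": {"request": {
    "indices": ["logstash-*"],
    "template": {
        "source": {"size": 0, "query": {"bool": {
            "must": {"match": {"priority": "{{priority}}"}},
            "filter": [{"range": {"@timestamp": {
                "from": "{{ctx.trigger.scheduled_time}}||-30s",
                "to": "{{ctx.trigger.triggered_time}}"}}}],
        }}},
        "params": {"priority": "error"},
    },
}}}

# Constructed execution context; a real watch gets these from its trigger.
SAMPLE_CTX = {"trigger": {"scheduled_time": "2015-05-04T00:00:00.000Z",
                          "triggered_time": "2015-05-04T00:00:01.000Z"}}

if __name__ == "__main__":
    print(json.dumps(render_transform_body(EXAMPLE_TRANSFORM, SAMPLE_CTX), indent=2))
```

Because the substitution walks the parsed structure, a `template.params` value
can only ever become part of a string literal in the rendered body; it cannot
add clauses to the query. That is the property worth checking whenever params
are derived from input the watch author does not control.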