Kibana – Elasticsearch watcher query does not return a match

I have set up a watcher which searches for 4 terms, "MaxDiskUsage Errors", "NFChannelExceededMaxDiskUsageException", "Missed an Update, Entry is Attached", "NFDRV error", in the message body and returns a hit when any one of these returns a hit. I have the following construct:

  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [".ds-logs-system.syslog-default-2023.01.30"],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "terms": {
                    "message": [
                      "MaxDiskUsage Errors",
                      "NFChannelExceededMaxDiskUsageException",
                      "Missed an Update, Entry is Attached",
                      "NFDRV error"
                    ]
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-1d/d",
                      "lt": "now/d"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },

Now I go to the server and do logger -s "NFDRV error". The log entry gets reflected in the Elasticsearch log. However, the watcher does not return a hit although the message body is the same as mentioned in one of the entries. Any idea what is wrong in the construct?
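What the posted query actually evaluates, as an added example (not part of the original post and not Elastic's own code): a small Python simulation of the standard analyzer, of `terms` versus `match_phrase` semantics, and of the `now-1d/d` to `now/d` range window, run over constructed syslog messages. It assumes `message` is an analyzed text field behind the standard analyzer (an assumption about the data stream's mapping), and the tokenizer here is only an approximation of that analyzer (split on non-word characters, lowercase). The sample messages and timestamps are constructed for the example.

```python
"""Simulate how Elasticsearch evaluates the posted watcher query.

Added example, not code from the original post or from Elastic. It assumes
`message` is an analyzed text field using the standard analyzer, and it
approximates that analyzer with a word-character tokenizer plus lowercasing.
"""
import re
from datetime import datetime, timedelta, timezone

# The four values from the posted `terms` query.
PHRASES = [
    "MaxDiskUsage Errors",
    "NFChannelExceededMaxDiskUsageException",
    "Missed an Update, Entry is Attached",
    "NFDRV error",
]


def analyze(text: str) -> list[str]:
    """Approximation of the standard analyzer: split on non-word characters
    and lowercase every token. This is what gets indexed for a text field."""
    return [tok.lower() for tok in re.findall(r"\w+", text)]


def terms_query(tokens: list[str], values: list[str]) -> bool:
    """`terms` is a term-level query: its values are NOT analyzed, so a value
    must equal one indexed token exactly (case and spaces included)."""
    return any(value in tokens for value in values)


def match_phrase(tokens: list[str], phrase: str) -> bool:
    """`match_phrase` analyzes the phrase with the field's analyzer and then
    looks for those tokens as a contiguous run in the indexed tokens."""
    wanted = analyze(phrase)
    n = len(wanted)
    return any(tokens[i:i + n] == wanted for i in range(len(tokens) - n + 1))


def posted_terms_matches(message: str) -> bool:
    """Equivalent of the `terms` clause exactly as posted."""
    return terms_query(analyze(message), PHRASES)


def any_phrase_matches(message: str, phrases: list[str] = PHRASES) -> bool:
    """Equivalent of a bool query with one `match_phrase` per value under
    `should` and `minimum_should_match: 1`."""
    tokens = analyze(message)
    return any(match_phrase(tokens, p) for p in phrases)


def in_window(ts: datetime, now: datetime) -> bool:
    """"gte": "now-1d/d", "lt": "now/d" rounds both ends down to midnight, so
    the window is yesterday 00:00 <= ts < today 00:00. An event logged a few
    minutes ago is outside it regardless of how the text clause is written."""
    today = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return today - timedelta(days=1) <= ts < today


def evaluate(message: str, ts: datetime, now: datetime) -> dict[str, bool]:
    """Outcome of the posted clauses and of the match_phrase variant for one doc."""
    return {
        "posted_terms_clause": posted_terms_matches(message),
        "match_phrase_clause": any_phrase_matches(message),
        "in_range_window": in_window(ts, now),
    }


if __name__ == "__main__":
    # Constructed sample: the event from `logger -s "NFDRV error"` as it would
    # look five minutes after being written.
    now = datetime(2023, 1, 31, 10, 0, tzinfo=timezone.utc)
    doc_ts = now - timedelta(minutes=5)
    for msg in ("NFDRV error", "NFChannelExceededMaxDiskUsageException"):
        print(msg, "->", evaluate(msg, doc_ts, now))
```

Two things fall out of running it. The `terms` clause never matches any of the four values: the multi-word ones are never a single indexed token, and even the single-word exception name fails because the index holds it lowercased while the query value is not analyzed. One `match_phrase` per value under `should` with `minimum_should_match: 1` (or a `terms` query against a keyword subfield such as `message.keyword`, if the mapping has one, which is an assumption) is the usual fix. Separately, the `now-1d/d`/`now/d` window covers only yesterday, so a test message logged today cannot hit until the next day, and the hard-coded `.ds-...-2023.01.30` backing index will stop receiving writes once the data stream rolls over; a wildcard or the data stream name is what a watch normally queries.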
