kibana – Elasticsearch watcher query does not return a match
I have set up a watcher which searches for 4 terms – "MaxDiskUsage Errors", "NFChannelExceededMaxDiskUsageException", "Missed an Update, Entry is Attached", "NFDRV error" – in the message body and returns a hit when any one of these matches. I have the following construct:
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [".ds-logs-system.syslog-default-2023.01.30"],
"rest_total_hits_as_int": true,
"body": {
"query": {
"bool": {
"must": [
{
"terms": {
"message": [
"MaxDiskUsage Errors",
"NFChannelExceededMaxDiskUsageException",
"Missed an Update, Entry is Attached",
"NFDRV error",
]
}
},
{
"range": {
"@timestamp": {
"gte": "now-1d/d",
"lt": "now/d"
}
}
}
]
}
}
}
}
}
},
Now I go to the server and run logger -s "NFDRV error". The log entry gets reflected in the Elasticsearch log. However, the watcher does not return a hit, although the message body is the same as one of the entries listed. Any idea what is wrong in the construct?
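The following is an added example, not part of the question above. It shows why a `terms` query against an analyzed `message` field cannot match a multi-word string (a `terms` query is not analyzed, so each value must equal one indexed token exactly, while the standard analyzer lowercases the text and splits "NFDRV error" into the tokens "nfdrv" and "error"), and builds the equivalent watch input with one `match_phrase` clause per pattern OR-ed through `bool.should`. It assumes that `message` is a `text` or `match_only_text` field indexed with Elasticsearch's default standard analyzer, that the data stream name `logs-system.syslog-default` rather than a single pinned `.ds-...` backing index is the intended target, and that the watch should also see today's events: the original window `gte: now-1d/d`, `lt: now/d` covers only yesterday, so a line logged today falls outside it regardless of the query. The `standard_tokens` helper is a deliberate approximation of the analyzer for ASCII log text; the sample log lines are constructed.

```python
"""
Added example (not from the original post): why `terms` on an analyzed
`message` field never matches a multi-word string, and the `match_phrase`
form of the watch input that does.

Assumptions (not stated in the post): `message` is a text field indexed with
the default standard analyzer, the target is the data stream
`logs-system.syslog-default`, and today's log lines must be included.
"""
import json
import re

PATTERNS = [
    "MaxDiskUsage Errors",
    "NFChannelExceededMaxDiskUsageException",
    "Missed an Update, Entry is Attached",
    "NFDRV error",
]


def standard_tokens(text: str) -> list[str]:
    """Approximate the standard analyzer: split on non-word characters and
    lowercase. The real analyzer uses Unicode text segmentation; for plain
    ASCII syslog text the tokens are the same."""
    return [t.lower() for t in re.findall(r"\w+", text)]


def terms_query_matches(indexed_message: str, values: list[str]) -> bool:
    """`terms` is NOT analyzed: a value hits only if it equals one indexed
    token byte-for-byte (case included)."""
    index_tokens = set(standard_tokens(indexed_message))
    return any(v in index_tokens for v in values)


def match_phrase_matches(indexed_message: str, phrase: str) -> bool:
    """`match_phrase` analyzes the phrase with the field's analyzer and looks
    for that token sequence, in order, inside the indexed tokens."""
    doc = standard_tokens(indexed_message)
    want = standard_tokens(phrase)
    return any(doc[i:i + len(want)] == want
               for i in range(len(doc) - len(want) + 1))


def build_watch_input(patterns: list[str],
                      index_pattern: str = "logs-system.syslog-default") -> dict:
    """Corrected `input` block for the watch: the time range goes into
    `filter` (no scoring needed), each pattern becomes a `match_phrase`
    clause under `should`, and `minimum_should_match: 1` makes at least one
    of them mandatory. `lt: now` includes events logged today."""
    return {
        "input": {
            "search": {
                "request": {
                    "search_type": "query_then_fetch",
                    "indices": [index_pattern],
                    "rest_total_hits_as_int": True,
                    "body": {
                        "query": {
                            "bool": {
                                "filter": [
                                    {"range": {"@timestamp": {"gte": "now-1d/d",
                                                               "lt": "now"}}}
                                ],
                                "should": [{"match_phrase": {"message": p}}
                                           for p in patterns],
                                "minimum_should_match": 1,
                            }
                        }
                    },
                }
            }
        }
    }


if __name__ == "__main__":
    # Constructed sample lines, as the syslog integration would store them.
    for line in ["NFDRV error",
                 "NFChannelExceededMaxDiskUsageException",
                 "Jan 30 12:00:01 host kernel: NFDRV error on device 3"]:
        print(f"{line!r}: terms={terms_query_matches(line, PATTERNS)} "
              f"match_phrase={any(match_phrase_matches(line, p) for p in PATTERNS)}")
    print(json.dumps(build_watch_input(PATTERNS), indent=2))
```

Running the script prints `terms=False` for every sample line, including the single-word class name, because the indexed token is lowercased while the `terms` value is not; `match_phrase=True` for all three; and the corrected `input` block ready to paste into the watch. If the field is instead mapped as `keyword`, the original `terms` query would work only when the whole `message` value equals one of the patterns exactly.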