github-mirrors/elasticsearch
1
0
Fork 0
mirror of https://github.com/elastic/elasticsearch.git synced 2025-06-28 17:34:17 -04:00
Code Issues Projects Releases Packages Wiki Activity
elasticsearch/docs/reference/watcher/transform/search.asciidoc
James Rodewig 255c9a7f95
[DOCS] Move x-pack docs to docs/reference dir (#99209) 
**Problem:**
For historical reasons, source files for the Elasticsearch Guide's security, watcher, and Logstash API docs are housed in the `x-pack/docs` directory. This can confuse new contributors who expect Elasticsearch Guide docs to be located in `docs/reference`. 

**Solution:**
- Move the security, watcher, and Logstash API doc source files to the `docs/reference` directory
- Update doc snippet tests to use security

Rel: https://github.com/elastic/platform-docs-team/issues/208
2023-09-12 14:53:41 -04:00

180 lines
6.8 KiB
Text
Raw Blame History

[role="xpack"]
[[transform-search]]
=== {watcher} search {watcher-transform}
++++
<titleabbrev>Search {watcher-transform}</titleabbrev>
++++
A <<transform,{watcher-transform}>> that executes a search on the cluster and
replaces the current payload in the watch execution context with the returned
search response. The following snippet shows how a simple search transform can
be defined on the watch level:
[source,js]
--------------------------------------------------
{
"transform" : {
"search" : {
"request" : {
"body" : { "query" : { "match_all" : {} }}
}
}
}
}
--------------------------------------------------
// NOTCONSOLE
Like every other search based construct, one can make use of the full search
API supported by Elasticsearch. For example, the following search
{watcher-transform} execute a search over all events indices, matching events
with `error` priority:
[source,js]
--------------------------------------------------
{
"transform" : {
"search" : {
"request" : {
"indices" : [ "events-*" ],
"body" : {
"size" : 0,
"query" : {
"match" : { "priority" : "error"}
}
}
}
}
}
}
--------------------------------------------------
// NOTCONSOLE
The following table lists all available settings for the search
{watcher-transform}:
[[transform-search-settings]]
.Search {watcher-transform} settings
[cols=",^,,", options="header"]
|======
| Name |Required | Default | Description
| `request.search_type` | no | query_then_fetch | The search <<search-type,type>>.
| `request.indices` | no | all indices | One or more indices to search on.
| `request.body` | no | `match_all` query | The body of the request. The
<<search-search,request body>> follows
the same structure you normally send in the body of
a REST `_search` request. The body can be static text
or include `mustache` <<templates,templates>>.
| `request.indices_options.expand_wildcards` | no | `open` | Determines how to expand indices wildcards. An array
consisting of a combination of `open`, `closed`,
and `hidden`. Alternatively a value of `none` or `all`.
(see <<api-multi-index,multi-target syntax>>)
| `request.indices_options.ignore_unavailable` | no | `true` | A boolean value that determines whether the search
should leniently ignore unavailable indices
(see <<api-multi-index,multi-target syntax>>)
| `request.indices_options.allow_no_indices` | no | `true` | A boolean value that determines whether the search
should leniently return no results when no indices
are resolved (see <<api-multi-index,multi-target syntax>>)
| `request.template` | no | - | The body of the search template. See
<<templates,configure templates>> for more information.
| `timeout` | no | 30s | The timeout for waiting for the search api call to
return. If no response is returned within this time,
the search {watcher-transform} times out and fails. This setting
overrides the default timeouts.
|======
[[transform-search-template]]
==== Template support
The search {watcher-transform} support mustache <<templates, templates>>. This
can either be as part of the body definition or alternatively point to an
existing template (either defined in a file or
<<create-search-template,stored>> as a script in Elasticsearch).
For example, the following snippet shows a search that refers to the scheduled
time of the watch:
[source,js]
--------------------------------------------------
{
"transform" : {
"search" : {
"request" : {
"indices" : [ "logstash-*" ],
"body" : {
"size" : 0,
"query" : {
"bool" : {
"must" : {
"match" : { "priority" : "error"}
},
"filter" : [
{
"range" : {
"@timestamp" : {
"from" : "{{ctx.trigger.scheduled_time}}||-30s",
"to" : "{{ctx.trigger.triggered_time}}"
}
}
}
]
}
}
}
}
}
}
}
--------------------------------------------------
// NOTCONSOLE
The model of the template is a union between the provided `template.params`
settings and the <<watch-execution-context,standard watch execution context model>>.
The following is an example of using templates that refer to provided parameters:
[source,js]
--------------------------------------------------
{
"transform" : {
"search" : {
"request" : {
"indices" : [ "logstash-*" ],
"template" : {
"source" : {
"size" : 0,
"query" : {
"bool" : {
"must" : {
"match" : { "priority" : "{{priority}}"}
},
"filter" : [
{
"range" : {
"@timestamp" : {
"from" : "{{ctx.trigger.scheduled_time}}||-30s",
"to" : "{{ctx.trigger.triggered_time}}"
}
}
}
]
}
},
"params" : {
"priority" : "error"
}
}
}
}
}
}
}
--------------------------------------------------
// NOTCONSOLE
Reference in a new issue View git blame Copy permalink