Create or update a watch | Elasticsearch API documentation

Path parameters

idstring Required
The identifier for the watch.

Query parameters

activeboolean
The initial state of the watch. The default value is true, which means the watch is active by default.
if_primary_termnumber
only update the watch if the last operation that has changed the watch has the specified primary term
if_seq_nonumber
only update the watch if the last operation that has changed the watch has the specified sequence number
versionnumber
Explicit version number for concurrency control

application/json

Body

actionsobject
The list of actions that will be run if the condition matches.
Hide actions attribute Show actions attribute object
- *object Additional properties
  Hide * attributes Show * attributes object
  action_typestring
  Values are email, webhook, index, logging, slack, or pagerduty.
  conditionobject
  Hide condition attributes Show condition attributes object
  alwaysobject
  array_compareobject
  Hide array_compare attribute Show array_compare attribute object
  *object Additional properties
  Hide * attribute Show * attribute object
  pathstring Required
  compareobject
  Hide compare attribute Show compare attribute object
  *object Additional properties
  neverobject
  scriptobject
  Hide script attributes Show script attributes object
  langstring
  Any of:
  ScriptLanguagestring ScriptLanguagestring
  Values are painless, expression, mustache, or java.
  paramsobject
  Hide params attribute Show params attribute object
  *object Additional properties
  sourcestring | object
  One of:
  ScriptSourcestring SearchRequestBodyobject
  Hide attributes Show attributes
  aggregationsobject
  Defines the aggregations that are run as part of the search request.
  collapseobject
  explainboolean
  If true, the request returns detailed information about score computation as part of a hit.
  extobject
  Configuration of search extensions defined by Elasticsearch plugins.
  fromnumber
  The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
  highlight
  track_total_hitsboolean | number
  Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
  indices_boostarray[object]
  Boost the _score of documents from specified indices. The boost value is the factor by which scores are multiplied. A boost value greater than 1.0 increases the score. A boost value between 0 and 1.0 decreases the score.
  docvalue_fieldsarray[object]
  An array of wildcard (*) field patterns. The request returns doc values for field names matching these patterns in the hits.fields property of the response.
  knn
  rankobject
  min_scorenumber
  The minimum _score for matching documents. Documents with a lower _score are not included in search results or results collected by aggregations.
  post_filterobject
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  profileboolean
  Set to true to return detailed timing information about the execution of individual components in a search request. NOTE: This is a debugging tool and adds significant overhead to search execution.
  queryobject
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  rescore
  retrieverobject
  script_fieldsobject
  Retrieve a script evaluation (based on different fields) for each hit.
  search_afterarray[number | string | boolean | null]
  A field value.
  sizenumber
  The number of hits to return, which must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after property.
  sliceobject
  sort
  _source
  fieldsarray[object]
  An array of wildcard (*) field patterns. The request returns values for field names matching these patterns in the hits.fields property of the response.
  suggestobject
  terminate_afternumber
  The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
  IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
  If set to 0 (default), the query does not terminate early.
  timeoutstring
  The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
  track_scoresboolean
  If true, calculate and return document scores, even if the scores are not used for sorting.
  versionboolean
  If true, the request returns the document version as part of a hit.
  seq_no_primary_termboolean
  If true, the request returns sequence number and primary term of the last modification of each hit.
  stored_fieldsstring | array[string]
  pitobject
  runtime_mappingsobject
  statsarray[string]
  The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
  idstring
  foreachstring
  max_iterationsnumber
  namestring
  throttle_periodstring
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  throttle_period_in_millisnumber
  Time unit for milliseconds
  transformobject
  Hide transform attributes Show transform attributes object
  chainarray[object]
  scriptobject
  Hide script attributes Show script attributes object
  langstring
  paramsobject
  Hide params attribute Show params attribute object
  *object Additional properties
  sourcestring | object
  One of:
  ScriptSourcestring SearchRequestBodyobject
  Hide attributes Show attributes
  aggregationsobject
  Defines the aggregations that are run as part of the search request.
  collapseobject
  explainboolean
  If true, the request returns detailed information about score computation as part of a hit.
  extobject
  Configuration of search extensions defined by Elasticsearch plugins.
  fromnumber
  The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
  highlight
  track_total_hitsboolean | number
  Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
  indices_boostarray[object]
  Boost the _score of documents from specified indices. The boost value is the factor by which scores are multiplied. A boost value greater than 1.0 increases the score. A boost value between 0 and 1.0 decreases the score.
  docvalue_fieldsarray[object]
  An array of wildcard (*) field patterns. The request returns doc values for field names matching these patterns in the hits.fields property of the response.
  knn
  rankobject
  min_scorenumber
  The minimum _score for matching documents. Documents with a lower _score are not included in search results or results collected by aggregations.
  post_filterobject
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  profileboolean
  Set to true to return detailed timing information about the execution of individual components in a search request. NOTE: This is a debugging tool and adds significant overhead to search execution.
  queryobject
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  rescore
  retrieverobject
  script_fieldsobject
  Retrieve a script evaluation (based on different fields) for each hit.
  search_afterarray[number | string | boolean | null]
  A field value.
  sizenumber
  The number of hits to return, which must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after property.
  sliceobject
  sort
  _source
  fieldsarray[object]
  An array of wildcard (*) field patterns. The request returns values for field names matching these patterns in the hits.fields property of the response.
  suggestobject
  terminate_afternumber
  The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
  IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
  If set to 0 (default), the query does not terminate early.
  timeoutstring
  The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
  track_scoresboolean
  If true, calculate and return document scores, even if the scores are not used for sorting.
  versionboolean
  If true, the request returns the document version as part of a hit.
  seq_no_primary_termboolean
  If true, the request returns sequence number and primary term of the last modification of each hit.
  stored_fieldsstring | array[string]
  pitobject
  runtime_mappingsobject
  statsarray[string]
  The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
  idstring
  searchobject
  Hide search attributes Show search attributes object
  requestobject Required
  Hide request attributes Show request attributes object
  bodyobject
  Hide body attribute Show body attribute object
  queryobject Required
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  indicesarray[string]
  indices_optionsobject
  Controls how to deal with unavailable concrete indices (closed or missing), how wildcard expressions are expanded to actual indices (all, closed or open indices) and how to deal with wildcard expressions that resolve to no indices.
  Hide indices_options attributes Show indices_options attributes object
  allow_no_indicesboolean
  If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
  expand_wildcardsstring | array[string]
  ignore_unavailableboolean
  If true, missing or closed indices are not included in the response.
  ignore_throttledboolean
  If true, concrete, expanded or aliased indices are ignored when frozen.
  search_typestring
  Values are query_then_fetch or dfs_query_then_fetch.
  templateobject
  Hide template attributes Show template attributes object
  explainboolean
  idstring
  paramsobject
  profileboolean
  sourcestring
  An inline search template. Supports the same parameters as the search API's request body. Also supports Mustache variables. If no id is specified, this parameter is required.
  rest_total_hits_as_intboolean
  timeoutstring Required
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  indexobject
  Hide index attributes Show index attributes object
  indexstring Required
  doc_idstring
  refreshstring
  Values are true, false, or wait_for.
  op_typestring
  Values are index or create.
  timeoutstring
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  execution_time_fieldstring
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  loggingobject
  Hide logging attributes Show logging attributes object
  levelstring
  textstring Required
  categorystring
  emailobject
  Hide email attributes Show email attributes object
  idstring
  bccstring | array[string]
  One of:
  string-1string array-2array[string]
  bodyobject
  Hide body attributes Show body attributes object
  htmlstring
  textstring
  ccstring | array[string]
  One of:
  string-1string array-2array[string]
  fromstring
  prioritystring
  Values are lowest, low, normal, high, or highest.
  reply_tostring | array[string]
  One of:
  string-1string array-2array[string]
  sent_datestring | number
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  One of:
  DateTimestring UnitMillisnumber
  Time unit for milliseconds
  subjectstring Required
  tostring | array[string] Required
  One of:
  string-1string array-2array[string]
  attachmentsobject
  Hide attachments attribute Show attachments attribute object
  *object Additional properties
  Hide * attributes Show * attributes object
  httpobject
  reportingobject
  dataobject
  pagerdutyobject
  Hide pagerduty attributes Show pagerduty attributes object
  accountstring
  attach_payloadboolean Required
  clientstring
  client_urlstring
  contextsarray[object]
  Hide contexts attributes Show contexts attributes object
  hrefstring
  srcstring
  typestring Required
  Values are link or image.
  descriptionstring Required
  event_typestring
  Values are trigger, resolve, or acknowledge.
  incident_keystring Required
  proxyobject
  Hide proxy attributes Show proxy attributes object
  hoststring
  portnumber
  slackobject
  Hide slack attributes Show slack attributes object
  accountstring
  messageobject Required
  Hide message attributes Show message attributes object
  attachmentsarray[object] Required
  Hide attachments attributes Show attachments attributes object
  author_iconstring
  author_linkstring
  author_namestring Required
  colorstring
  fallbackstring
  fieldsarray[object]
  footerstring
  footer_iconstring
  image_urlstring
  pretextstring
  textstring
  thumb_urlstring
  titlestring Required
  title_linkstring
  ts
  dynamic_attachmentsobject
  Hide dynamic_attachments attributes Show dynamic_attachments attributes object
  attachment_templateobject Required
  Hide attachment_template attributes Show attachment_template attributes object
  author_iconstring
  author_linkstring
  author_namestring Required
  colorstring
  fallbackstring
  fieldsarray[object]
  footerstring
  footer_iconstring
  image_urlstring
  pretextstring
  textstring
  thumb_urlstring
  titlestring Required
  title_linkstring
  ts
  list_pathstring Required
  fromstring Required
  iconstring
  textstring Required
  toarray[string] Required
  webhookobject
  Hide webhook attributes Show webhook attributes object
  authobject
  Hide auth attribute Show auth attribute object
  basicobject Required
  Hide basic attributes Show basic attributes object
  passwordstring Required
  usernamestring Required
  bodystring
  connection_timeoutstring
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  headersobject
  Hide headers attribute Show headers attribute object
  hoststring
  methodstring
  Values are head, get, post, put, or delete.
  paramsobject
  Hide params attribute Show params attribute object
  *string Additional properties
  pathstring
  portnumber
  proxyobject
  Hide proxy attributes Show proxy attributes object
  hoststring Required
  portnumber Required
  read_timeoutstring
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  schemestring
  Values are http or https.
  urlstring
conditionobject
Hide condition attributes Show condition attributes object
- alwaysobject
- array_compareobject
 Hide array_compare attribute Show array_compare attribute object
 *object Additional properties
 Hide * attribute Show * attribute object
 pathstring Required
- compareobject
 Hide compare attribute Show compare attribute object
 *object Additional properties
- neverobject
- scriptobject
 Hide script attributes Show script attributes object
 langstring
 Any of:
 ScriptLanguagestring ScriptLanguagestring
 Values are painless, expression, mustache, or java.
 paramsobject
 Hide params attribute Show params attribute object
 *object Additional properties
 sourcestring | object
 One of:
 ScriptSourcestring SearchRequestBodyobject
 Hide attributes Show attributes
 aggregationsobject
 Defines the aggregations that are run as part of the search request.
 External documentation
 collapseobject
 External documentation
 explainboolean
 If true, the request returns detailed information about score computation as part of a hit.
 extobject
 Configuration of search extensions defined by Elasticsearch plugins.
 Hide ext attribute Show ext attribute object
 *object Additional properties
 fromnumber
 The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
 highlightobject
 Hide highlight attributes Show highlight attributes object
 type
 boundary_charsstring
 A string that contains each boundary character.
 boundary_max_scannumber
 How far to scan for boundary characters.
 boundary_scannerstring
 Values are chars, sentence, or word.
 boundary_scanner_localestring
 Controls which locale is used to search for sentence and word boundaries. This parameter takes a form of a language tag, for example: "en-US", "fr-FR", "ja-JP".
 force_sourceboolean Deprecated
 fragmenterstring
 Values are simple or span.
 fragment_sizenumber
 The size of the highlighted fragment in characters.
 highlight_filterboolean
 highlight_queryobject
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 max_fragment_lengthnumber
 max_analyzed_offsetnumber
 If set to a non-negative value, highlighting stops at this defined maximum limit. The rest of the text is not processed, thus not highlighted and no error is returned The max_analyzed_offset query setting does not override the index.highlight.max_analyzed_offset setting, which prevails when it’s set to lower value than the query setting.
 no_match_sizenumber
 The amount of text you want to return from the beginning of the field if there are no matching fragments to highlight.
 number_of_fragmentsnumber
 The maximum number of fragments to return. If the number of fragments is set to 0, no fragments are returned. Instead, the entire field contents are highlighted and returned. This can be handy when you need to highlight short texts such as a title or address, but fragmentation is not required. If number_of_fragments is 0, fragment_size is ignored.
 optionsobject
 orderstring
 Value is score.
 phrase_limitnumber
 Controls the number of matching phrases in a document that are considered. Prevents the fvh highlighter from analyzing too many phrases and consuming too much memory. When using matched_fields, phrase_limit phrases per matched field are considered. Raising the limit increases query time and consumes more memory. Only supported by the fvh highlighter.
 post_tagsarray[string]
 Use in conjunction with pre_tags to define the HTML tags to use for the highlighted text. By default, highlighted text is wrapped in  and  tags.
 pre_tagsarray[string]
 Use in conjunction with post_tags to define the HTML tags to use for the highlighted text. By default, highlighted text is wrapped in  and  tags.
 require_field_matchboolean
 By default, only fields that contains a query match are highlighted. Set to false to highlight all fields.
 tags_schemastring
 Value is styled.
 encoderstring
 Values are default or html.
 fields
 track_total_hitsboolean | number
 Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
 indices_boostarray[object]
 Boost the _score of documents from specified indices. The boost value is the factor by which scores are multiplied. A boost value greater than 1.0 increases the score. A boost value between 0 and 1.0 decreases the score.
 External documentation
 Hide indices_boost attribute Show indices_boost attribute object
 *number Additional properties
 docvalue_fieldsarray[object]
 An array of wildcard (*) field patterns. The request returns doc values for field names matching these patterns in the hits.fields property of the response.
 A reference to a field with formatting instructions on how to return the value
 External documentation
 Hide docvalue_fields attributes Show docvalue_fields attributes object
 fieldstring Required
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 formatstring
 The format in which the values are returned.
 include_unmappedboolean
 knnobject | array[object]
 The approximate kNN search to run.
 One of:
 KnnSearchobject array-2array[object]
 Hide attributes Show attributes
 fieldstring Required
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 query_vectorarray[number]
 query_vector_builderobject
 knumber
 The final number of nearest neigrs to return as top hits
 num_candidatesnumber
 The number of nearest neigr candidates to consider per shard
 boostnumber
 Boost value to apply to kNN scores
 filter
 similaritynumber
 The minimum similarity for a vector to be considered a match
 inner_hitsobject
 rescore_vectorobject
 External documentation
 rankobject
 Hide rank attribute Show rank attribute object
 rrfobject
 min_scorenumber
 The minimum _score for matching documents. Documents with a lower _score are not included in search results or results collected by aggregations.
 post_filterobject
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 External documentation
 profileboolean
 Set to true to return detailed timing information about the execution of individual components in a search request. NOTE: This is a debugging tool and adds significant overhead to search execution.
 queryobject
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 External documentation
 rescoreobject | array[object]
 Can be used to improve precision by reordering just the top (for example 100 - 500) documents returned by the query and post_filter phases.
 One of:
 Rescoreobject array-2array[object]
 retrieverobject
 Hide retriever attributes Show retriever attributes object
 standardobject
 knnobject
 rrfobject
 text_similarity_rerankerobject
 ruleobject
 rescorerobject
 linearobject
 pinnedobject
 script_fieldsobject
 Retrieve a script evaluation (based on different fields) for each hit.
 Hide script_fields attribute Show script_fields attribute object
 *object Additional properties
 Hide * attributes Show * attributes object
 scriptobject Required
 ignore_failureboolean
 search_afterarray[number | string | boolean | null]
 A field value.
 sizenumber
 The number of hits to return, which must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after property.
 sliceobject
 Hide slice attributes Show slice attributes object
 fieldstring
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 idstring Required
 maxnumber Required
 sortstring | object | array[string | object]
 One of:
 Fieldstring SortOptionsobject Sortarray[string | object]
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 _sourceboolean | object
 Defines how to fetch a source. Fetching can be disabled entirely, or the source can be filtered.
 One of:
 SourceConfigboolean SourceFilterobject
 fieldsarray[object]
 An array of wildcard (*) field patterns. The request returns values for field names matching these patterns in the hits.fields property of the response.
 A reference to a field with formatting instructions on how to return the value
 Hide fields attributes Show fields attributes object
 fieldstring Required
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 formatstring
 The format in which the values are returned.
 include_unmappedboolean
 suggestobject
 Hide suggest attribute Show suggest attribute object
 textstring
 Global suggest text, to avoid repetition when the same text is used in several suggesters
 terminate_afternumber
 The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
 IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
 If set to 0 (default), the query does not terminate early.
 timeoutstring
 The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
 track_scoresboolean
 If true, calculate and return document scores, even if the scores are not used for sorting.
 versionboolean
 If true, the request returns the document version as part of a hit.
 seq_no_primary_termboolean
 If true, the request returns sequence number and primary term of the last modification of each hit.
 External documentation
 stored_fieldsstring | array[string]
 pitobject
 Hide pit attributes Show pit attributes object
 idstring Required
 keep_alivestring
 A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
 runtime_mappingsobject
 Hide runtime_mappings attribute Show runtime_mappings attribute object
 *object Additional properties
 Hide * attributes Show * attributes object
 fieldsobject
 For type composite
 fetch_fieldsarray[object]
 For type lookup
 formatstring
 A custom format for date type runtime fields.
 input_fieldstring
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 target_fieldstring
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 target_indexstring
 scriptobject
 typestring Required
 Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
 statsarray[string]
 The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
 idstring
inputobject
Hide input attributes Show input attributes object
- chainobject
  Hide chain attribute Show chain attribute object
  inputsarray[object] Required
  Hide inputs attribute Show inputs attribute object
  *object
- httpobject
  Hide http attributes Show http attributes object
  extractarray[string]
  requestobject
  Hide request attributes Show request attributes object
  authobject
  Hide auth attribute Show auth attribute object
  basicobject Required
  Hide basic attributes Show basic attributes object
  passwordstring Required
  usernamestring Required
  bodystring
  connection_timeoutstring
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  headersobject
  Hide headers attribute Show headers attribute object
  hoststring
  methodstring
  Values are head, get, post, put, or delete.
  paramsobject
  Hide params attribute Show params attribute object
  *string Additional properties
  pathstring
  portnumber
  proxyobject
  Hide proxy attributes Show proxy attributes object
  hoststring Required
  portnumber Required
  read_timeoutstring
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  schemestring
  Values are http or https.
  urlstring
  response_content_typestring
  Values are json, yaml, or text.
- searchobject
  Hide search attributes Show search attributes object
  extractarray[string]
  requestobject Required
  Hide request attributes Show request attributes object
  bodyobject
  Hide body attribute Show body attribute object
  queryobject Required
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  External documentation
  indicesarray[string]
  indices_optionsobject
  Controls how to deal with unavailable concrete indices (closed or missing), how wildcard expressions are expanded to actual indices (all, closed or open indices) and how to deal with wildcard expressions that resolve to no indices.
  Hide indices_options attributes Show indices_options attributes object
  allow_no_indicesboolean
  If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
  expand_wildcardsstring | array[string]
  ignore_unavailableboolean
  If true, missing or closed indices are not included in the response.
  ignore_throttledboolean
  If true, concrete, expanded or aliased indices are ignored when frozen.
  search_typestring
  Values are query_then_fetch or dfs_query_then_fetch.
  templateobject
  Hide template attributes Show template attributes object
  explainboolean
  idstring
  paramsobject
  Hide params attribute Show params attribute object
  *object Additional properties
  profileboolean
  sourcestring
  An inline search template. Supports the same parameters as the search API's request body. Also supports Mustache variables. If no id is specified, this parameter is required.
  rest_total_hits_as_intboolean
  timeoutstring
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
- simpleobject
  Hide simple attribute Show simple attribute object
  *object Additional properties
metadataobject
Hide metadata attribute Show metadata attribute object
throttle_periodstring
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
throttle_period_in_millisnumber
Time unit for milliseconds
transformobject
Hide transform attributes Show transform attributes object
- chainarray[object]
- scriptobject
 Hide script attributes Show script attributes object
 langstring
 paramsobject
 Hide params attribute Show params attribute object
 *object Additional properties
 sourcestring | object
 One of:
 ScriptSourcestring SearchRequestBodyobject
 Hide attributes Show attributes
 aggregationsobject
 Defines the aggregations that are run as part of the search request.
 External documentation
 collapseobject
 External documentation
 explainboolean
 If true, the request returns detailed information about score computation as part of a hit.
 extobject
 Configuration of search extensions defined by Elasticsearch plugins.
 Hide ext attribute Show ext attribute object
 *object Additional properties
 fromnumber
 The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
 highlightobject
 Hide highlight attributes Show highlight attributes object
 type
 boundary_charsstring
 A string that contains each boundary character.
 boundary_max_scannumber
 How far to scan for boundary characters.
 boundary_scannerstring
 Values are chars, sentence, or word.
 boundary_scanner_localestring
 Controls which locale is used to search for sentence and word boundaries. This parameter takes a form of a language tag, for example: "en-US", "fr-FR", "ja-JP".
 force_sourceboolean Deprecated
 fragmenterstring
 Values are simple or span.
 fragment_sizenumber
 The size of the highlighted fragment in characters.
 highlight_filterboolean
 highlight_queryobject
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 max_fragment_lengthnumber
 max_analyzed_offsetnumber
 If set to a non-negative value, highlighting stops at this defined maximum limit. The rest of the text is not processed, thus not highlighted and no error is returned The max_analyzed_offset query setting does not override the index.highlight.max_analyzed_offset setting, which prevails when it’s set to lower value than the query setting.
 no_match_sizenumber
 The amount of text you want to return from the beginning of the field if there are no matching fragments to highlight.
 number_of_fragmentsnumber
 The maximum number of fragments to return. If the number of fragments is set to 0, no fragments are returned. Instead, the entire field contents are highlighted and returned. This can be handy when you need to highlight short texts such as a title or address, but fragmentation is not required. If number_of_fragments is 0, fragment_size is ignored.
 optionsobject
 orderstring
 Value is score.
 phrase_limitnumber
 Controls the number of matching phrases in a document that are considered. Prevents the fvh highlighter from analyzing too many phrases and consuming too much memory. When using matched_fields, phrase_limit phrases per matched field are considered. Raising the limit increases query time and consumes more memory. Only supported by the fvh highlighter.
 post_tagsarray[string]
 Use in conjunction with pre_tags to define the HTML tags to use for the highlighted text. By default, highlighted text is wrapped in  and  tags.
 pre_tagsarray[string]
 Use in conjunction with post_tags to define the HTML tags to use for the highlighted text. By default, highlighted text is wrapped in  and  tags.
 require_field_matchboolean
 By default, only fields that contains a query match are highlighted. Set to false to highlight all fields.
 tags_schemastring
 Value is styled.
 encoderstring
 Values are default or html.
 fields
 track_total_hitsboolean | number
 Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
 indices_boostarray[object]
 Boost the _score of documents from specified indices. The boost value is the factor by which scores are multiplied. A boost value greater than 1.0 increases the score. A boost value between 0 and 1.0 decreases the score.
 External documentation
 Hide indices_boost attribute Show indices_boost attribute object
 *number Additional properties
 docvalue_fieldsarray[object]
 An array of wildcard (*) field patterns. The request returns doc values for field names matching these patterns in the hits.fields property of the response.
 A reference to a field with formatting instructions on how to return the value
 External documentation
 Hide docvalue_fields attributes Show docvalue_fields attributes object
 fieldstring Required
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 formatstring
 The format in which the values are returned.
 include_unmappedboolean
 knnobject | array[object]
 The approximate kNN search to run.
 One of:
 KnnSearchobject array-2array[object]
 Hide attributes Show attributes
 fieldstring Required
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 query_vectorarray[number]
 query_vector_builderobject
 knumber
 The final number of nearest neigrs to return as top hits
 num_candidatesnumber
 The number of nearest neigr candidates to consider per shard
 boostnumber
 Boost value to apply to kNN scores
 filter
 similaritynumber
 The minimum similarity for a vector to be considered a match
 inner_hitsobject
 rescore_vectorobject
 External documentation
 rankobject
 Hide rank attribute Show rank attribute object
 rrfobject
 min_scorenumber
 The minimum _score for matching documents. Documents with a lower _score are not included in search results or results collected by aggregations.
 post_filterobject
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 External documentation
 profileboolean
 Set to true to return detailed timing information about the execution of individual components in a search request. NOTE: This is a debugging tool and adds significant overhead to search execution.
 queryobject
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 External documentation
 rescoreobject | array[object]
 Can be used to improve precision by reordering just the top (for example 100 - 500) documents returned by the query and post_filter phases.
 One of:
 Rescoreobject array-2array[object]
 retrieverobject
 Hide retriever attributes Show retriever attributes object
 standardobject
 knnobject
 rrfobject
 text_similarity_rerankerobject
 ruleobject
 rescorerobject
 linearobject
 pinnedobject
 script_fieldsobject
 Retrieve a script evaluation (based on different fields) for each hit.
 Hide script_fields attribute Show script_fields attribute object
 *object Additional properties
 Hide * attributes Show * attributes object
 scriptobject Required
 ignore_failureboolean
 search_afterarray[number | string | boolean | null]
 A field value.
 sizenumber
 The number of hits to return, which must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after property.
 sliceobject
 Hide slice attributes Show slice attributes object
 fieldstring
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 idstring Required
 maxnumber Required
 sortstring | object | array[string | object]
 One of:
 Fieldstring SortOptionsobject Sortarray[string | object]
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 _sourceboolean | object
 Defines how to fetch a source. Fetching can be disabled entirely, or the source can be filtered.
 One of:
 SourceConfigboolean SourceFilterobject
 fieldsarray[object]
 An array of wildcard (*) field patterns. The request returns values for field names matching these patterns in the hits.fields property of the response.
 A reference to a field with formatting instructions on how to return the value
 Hide fields attributes Show fields attributes object
 fieldstring Required
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 formatstring
 The format in which the values are returned.
 include_unmappedboolean
 suggestobject
 Hide suggest attribute Show suggest attribute object
 textstring
 Global suggest text, to avoid repetition when the same text is used in several suggesters
 terminate_afternumber
 The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
 IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
 If set to 0 (default), the query does not terminate early.
 timeoutstring
 The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
 track_scoresboolean
 If true, calculate and return document scores, even if the scores are not used for sorting.
 versionboolean
 If true, the request returns the document version as part of a hit.
 seq_no_primary_termboolean
 If true, the request returns sequence number and primary term of the last modification of each hit.
 External documentation
 stored_fieldsstring | array[string]
 pitobject
 Hide pit attributes Show pit attributes object
 idstring Required
 keep_alivestring
 A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
 runtime_mappingsobject
 Hide runtime_mappings attribute Show runtime_mappings attribute object
 *object Additional properties
 Hide * attributes Show * attributes object
 fieldsobject
 For type composite
 fetch_fieldsarray[object]
 For type lookup
 formatstring
 A custom format for date type runtime fields.
 input_fieldstring
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 target_fieldstring
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 target_indexstring
 scriptobject
 typestring Required
 Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
 statsarray[string]
 The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
 idstring
- searchobject
 Hide search attributes Show search attributes object
 requestobject Required
 Hide request attributes Show request attributes object
 bodyobject
 Hide body attribute Show body attribute object
 queryobject Required
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 External documentation
 indicesarray[string]
 indices_optionsobject
 Controls how to deal with unavailable concrete indices (closed or missing), how wildcard expressions are expanded to actual indices (all, closed or open indices) and how to deal with wildcard expressions that resolve to no indices.
 Hide indices_options attributes Show indices_options attributes object
 allow_no_indicesboolean
 If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
 expand_wildcardsstring | array[string]
 ignore_unavailableboolean
 If true, missing or closed indices are not included in the response.
 ignore_throttledboolean
 If true, concrete, expanded or aliased indices are ignored when frozen.
 search_typestring
 Values are query_then_fetch or dfs_query_then_fetch.
 templateobject
 Hide template attributes Show template attributes object
 explainboolean
 idstring
 paramsobject
 Hide params attribute Show params attribute object
 *object Additional properties
 profileboolean
 sourcestring
 An inline search template. Supports the same parameters as the search API's request body. Also supports Mustache variables. If no id is specified, this parameter is required.
 rest_total_hits_as_intboolean
 timeoutstring Required
 A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
triggerobject
Hide trigger attribute Show trigger attribute object
- scheduleobject
  Hide schedule attributes Show schedule attributes object
  timezonestring
  cronstring
  dailyobject
  Hide daily attribute Show daily attribute object
  atarray[string | object] Required
  A time of day, expressed either as hh:mm, noon, midnight, or an hour/minutes structure.
  A time of day, expressed either as hh:mm, noon, midnight, or an hour/minutes structure.
  One of:
  ScheduleTimeOfDaystring HourAndMinuteobject
  hourlyobject
  Hide hourly attribute Show hourly attribute object
  minutearray[number] Required
  intervalstring
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  monthlyobject | array[object]
  One of:
  TimeOfMonthobject array-2array[object]
  Hide attributes Show attributes object
  atarray[string] Required
  onarray[number] Required
  weeklyobject | array[object]
  One of:
  TimeOfWeekobject array-2array[object]
  Hide attributes Show attributes object
  atarray[string] Required
  onarray[string] Required
  Values are sunday, monday, tuesday, wednesday, thursday, friday, or saturday.
  yearlyobject | array[object]
  One of:
  TimeOfYearobject array-2array[object]
  Hide attributes Show attributes object
  atarray[string] Required
  intarray[string] Required
  Values are january, february, march, april, may, june, july, august, september, october, november, or december.
  onarray[number] Required

Run `PUT _watcher/watch/my-watch` add a watch. The watch schedule triggers every minute. The watch search input looks for any 404 HTTP responses that occurred in the last five minutes. The watch condition checks if any search hits where found. When found, the watch action sends an email to an administrator.

{
  "trigger" : {
    "schedule" : { "cron" : "0 0/1 * * * ?" }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [
          "logstash*"
        ],
        "body" : {
          "query" : {
            "bool" : {
              "must" : {
                "match": {
                  "response": 404
                }
              },
              "filter" : {
                "range": {
                  "@timestamp": {
                    "from": "{{ctx.trigger.scheduled_time}}||-5m",
                    "to": "{{ctx.trigger.triggered_time}}"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "actions" : {
    "email_admin" : {
      "email" : {
        "to" : "[email protected]",
        "subject" : "404 recently encountered"
      }
    }
  }
}

Path parameters

Query parameters

Body

langstring

sourcestring | object

sourcestring | object

bccstring | array[string]

ccstring | array[string]

reply_tostring | array[string]

sent_datestring | number

tostring | array[string] Required

langstring

sourcestring | object

sourcestring | object

monthlyobject | array[object]

weeklyobject | array[object]

yearlyobject | array[object]

Responses