Index Search Query
Triggers a workflow on every new event based on a target index (mandatory) and a search query (optional).
info
Automations based on this trigger will search for new events every 5 minutes.
Parameters
| Parameter | Description |
|---|---|
| Query | Defines the search using a Query in the Lucene query string syntax.Note: It is not advised to query time elements, as the trigger handles this by default. Querying time elements might interfere with the proper execution of the trigger. |
| Target Index | Comma-separated list of data streams, indices, and aliases to search. Supports wildcards (*). To search all data streams and indices, use * or _all. |
Sample Event
{
"_index": "my-index-000001",
"_id": "0",
"_score": 1.3862942,
"_source": {
"@timestamp": "YYYY-MM-DDTHH:MM:SS.sssZ",
"http": {
"request": {
"method": "get"
},
"response": {
"status_code": 200,
"bytes": 1070000
},
"version": "1.1"
},
"source": {
"ip": "127.0.0.1"
},
"message": "GET /search HTTP/1.1 200 1070000",
"user": {
"id": "kimchy"
}
}
}