Skip to main content
Trigger a workflow on every new event based on a target index and a search query. Endpoint: /{target}/_search
Workflows with this trigger check for new events every 5 minutes by default. You can adjust this interval in the Trigger settings.

Parameters

ParameterDescription
QueryDefine the search using a Query in the Lucene Query String syntax. For more information about the Lucene Query String syntax, refer to Elasticsearch documentation.

Note: Do not query time elements, as the trigger handles them by default. Querying time elements might interfere with the proper execution of the trigger.
Target IndexComma-separated list of data streams, indices, and aliases to search. Supports wildcards (*). To search all data streams and indices, use * or _all.

Sample Event

{
	"_index": "my-index-000001",
	"_id": "0",
	"_score": 1.3862942,
	"_source": {
		"@timestamp": "YYYY-MM-DDTHH:MM:SS.sssZ",
		"http": {
			"request": {
				"method": "get"
			},
			"response": {
				"status_code": 200,
				"bytes": 1070000
			},
			"version": "1.1"
		},
		"source": {
			"ip": "127.0.0.1"
		},
		"message": "GET /search HTTP/1.1 200 1070000",
		"user": {
			"id": "kimchy"
		}
	}
}