Triggers a workflow for every new event found in a target index (mandatory), optionally narrowed by a search query.

Workflows based on this trigger poll the target index for new events every 5 minutes.

Parameters

Parameter      Description

Query          Defines the search as a query in the Lucene query string syntax.
               Note: do not put time constraints (for example on @timestamp) in the query. The trigger
               already limits each poll to events newer than the previous run, and an explicit time
               clause can interfere with that and cause events to be missed or delivered twice.

Target Index   Comma-separated list of data streams, indices and aliases to search. Supports wildcards (*).
               To search all data streams and indices, use * or _all.

Sample Event

{
	"_index": "my-index-000001",
	"_id": "0",
	"_score": 1.3862942,
	"_source": {
		"@timestamp": "YYYY-MM-DDTHH:MM:SS.sssZ",
		"http": {
			"request": {
				"method": "get"
			},
			"response": {
				"status_code": 200,
				"bytes": 1070000
			},
			"version": "1.1"
		},
		"source": {
			"ip": "127.0.0.1"
		},
		"message": "GET /search HTTP/1.1 200 1070000",
		"user": {
			"id": "kimchy"
		}
	}
}
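The following Python is an added example, not the product's own code, that emulates what the trigger described above does every 5 minutes and shows how a workflow can consume the sample event. It assumes (the page does not say) that the trigger ANDs the user's Lucene query string with its own @timestamp window and that the workflow receives each search hit as the event; the index pattern, the second hit, the timestamps and all helper names are constructed for illustration. No Elasticsearch instance is contacted: SAMPLE_HITS stands in for the response.

```python
"""Emulation of the polling trigger (added example; assumptions are noted inline)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample hits modelled on the page's sample event; not real traffic.
SAMPLE_HITS: List[Dict] = [
    {
        "_index": "my-index-000001",
        "_id": "0",
        "_source": {
            "@timestamp": "2024-01-01T10:00:00.000Z",
            "http": {"request": {"method": "get"},
                     "response": {"status_code": 200, "bytes": 1070000},
                     "version": "1.1"},
            "source": {"ip": "127.0.0.1"},
            "message": "GET /search HTTP/1.1 200 1070000",
            "user": {"id": "kimchy"},
        },
    },
    {
        "_index": "my-index-000001",
        "_id": "1",
        "_source": {
            "@timestamp": "2024-01-01T10:03:00.000Z",
            "http": {"request": {"method": "post"},
                     "response": {"status_code": 500, "bytes": 512},
                     "version": "1.1"},
            "source": {"ip": "10.0.0.5"},
            "message": "POST /login HTTP/1.1 500 512",
            "user": {"id": "alice"},
        },
    },
]

# A query that pins @timestamp itself fights the trigger's own time window.
TIME_CLAUSE_RE = re.compile(r"@timestamp\s*:", re.IGNORECASE)


def check_query(query: str) -> List[str]:
    """Return warnings for query-string patterns the trigger documentation advises against."""
    warnings = []
    if TIME_CLAUSE_RE.search(query):
        warnings.append("query constrains @timestamp; the trigger already applies its own time window")
    return warnings


def build_search_request(target_index: str, query: str, last_seen: str) -> Dict:
    """Assumed shape of one poll: the user's query ANDed with a gte window on @timestamp.

    gte rather than gt is deliberate: several events can share the watermark
    timestamp, and gt would silently drop any indexed after the previous poll read it.
    """
    must = [{"query_string": {"query": query}}] if query.strip() else [{"match_all": {}}]
    return {
        "index": target_index,  # e.g. "my-index-*" or "_all", as the Target Index parameter allows
        "body": {
            "query": {"bool": {"must": must,
                               "filter": [{"range": {"@timestamp": {"gte": last_seen}}}]}},
            "sort": [{"@timestamp": "asc"}],
        },
    }


def select_new_hits(hits: List[Dict], last_seen: str, seen_ids: Set[str]) -> Tuple[List[Dict], str]:
    """Drop hits already delivered at the watermark timestamp and advance the watermark.

    Timestamps are compared as strings, which is only valid for fixed-width UTC
    ISO 8601 values such as the ones Elasticsearch emits by default.
    """
    new_hits = []
    watermark = last_seen
    for hit in hits:
        ts = hit["_source"]["@timestamp"]
        if ts < last_seen or (ts == last_seen and hit["_id"] in seen_ids):
            continue
        new_hits.append(hit)
        if ts > watermark:
            watermark = ts
    return new_hits, watermark


def to_event(hit: Dict) -> Dict:
    """Flatten a hit into the fields a downstream workflow step typically needs."""
    src = hit["_source"]
    return {
        "index": hit["_index"],
        "id": hit["_id"],
        "timestamp": src["@timestamp"],
        "src_ip": src.get("source", {}).get("ip"),
        "method": src.get("http", {}).get("request", {}).get("method"),
        "status": src.get("http", {}).get("response", {}).get("status_code"),
        "user": src.get("user", {}).get("id"),
    }


if __name__ == "__main__":
    query = "http.response.status_code:500"
    for warning in check_query(query):
        print("warning:", warning)
    print(build_search_request("my-index-*", query, "2024-01-01T10:00:00.000Z"))
    hits, mark = select_new_hits(SAMPLE_HITS, "2024-01-01T10:00:00.000Z", {"0"})
    for hit in hits:
        print(to_event(hit))
    print("next watermark:", mark)
```

The watermark plus seen-id set is what makes the gte window safe: hit 0 sits exactly on the watermark and has already been delivered, so it is skipped, while hit 1 is new and moves the watermark forward for the next poll.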