Version: 7.x-36.0.0

This is a technical preview. Technical preview features are not fully supported, may not be functionally complete, and are not suitable for deployment in production. We encourage you to try them out and provide your feedback, good and bad, on the Search Guard forum. This will help us improve and add any features you might be missing.

Search input

A search input can be used to pull in data from an Elasticsearch index.

You can use the full power of the Elasticsearch query syntax to query, filter and aggregate your data.

Example:

{
	"type": "search",
	"name": "Audit log events",
	"target": "auditlog",
	"request": {
		"indices": [
			"audit*"
		],
		"body": {
			"size": 5,
			"query": {
				"bool": {
					"must": [{
							"match": {
								"audit_category": {
									"query": "FAILED_LOGIN"
								}
							}
						},
						{
							"range": {
								"@timestamp": {
									"gte": "now-5m"
								}
							}
						}
					]
				}
			},
			"aggs": {
				"failed_logins": {
					"terms": {
						"field": "audit_request_effective_user.keyword"
					}
				}
			}
		}
	}
}
Name             Description
type             search, defines this input as a search on Elasticsearch
target           the name under which the data is available in later execution steps.
request          The search request to execute.
request.indices  The indices to execute the search request against. The user that defines the watch needs to have a role that has access to the specified index / indices.
request.body     The body of the search request. You can use all features of the Elasticsearch query and aggregation DSL here. All attributes of the request body can be dynamically defined using Mustache templates.
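As an added illustration (not code from the Search Guard project), the following Python script takes the search input definition above, renders the Mustache-templated attributes of the request body, checks that the definition has the fields the table requires, and then reduces a constructed Elasticsearch aggregation response to a per-user count of failed logins, which is the shape the data would have under the "auditlog" target in later execution steps. The one change to the page's definition is an assumption: the lookback window is written as the template "now-{{window}}" instead of the literal "now-5m". The template renderer handles only the plain {{dotted.path}} variable substitution subset of Mustache, and the validation rules are this example's own, not the Search Guard schema.

```python
import json
import re
from typing import Any

# Search input definition from the page, with one assumed change: the
# lookback window is a Mustache template rather than the literal "now-5m".
SEARCH_INPUT = {
    "type": "search",
    "name": "Audit log events",
    "target": "auditlog",
    "request": {
        "indices": ["audit*"],
        "body": {
            "size": 5,
            "query": {
                "bool": {
                    "must": [
                        {"match": {"audit_category": {"query": "FAILED_LOGIN"}}},
                        {"range": {"@timestamp": {"gte": "now-{{window}}"}}},
                    ]
                }
            },
            "aggs": {
                "failed_logins": {
                    "terms": {"field": "audit_request_effective_user.keyword"}
                }
            },
        },
    },
}

# Matches {{ dotted.path }} tags; only variable substitution is supported here.
_TAG = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


def _lookup(ctx: dict, path: str) -> Any:
    """Resolve a dotted path against the template context, failing loudly if absent."""
    cur: Any = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            raise KeyError(f"template variable not in context: {path}")
        cur = cur[part]
    return cur


def render_templates(node: Any, ctx: dict) -> Any:
    """Return a copy of a JSON-like tree with every {{tag}} in its strings substituted."""
    if isinstance(node, str):
        return _TAG.sub(lambda m: str(_lookup(ctx, m.group(1))), node)
    if isinstance(node, dict):
        return {k: render_templates(v, ctx) for k, v in node.items()}
    if isinstance(node, list):
        return [render_templates(v, ctx) for v in node]
    return node


def validate_search_input(defn: dict) -> list[str]:
    """Check the fields from the attribute table; an empty list means no problems found."""
    problems = []
    if defn.get("type") != "search":
        problems.append('"type" must be "search"')
    if not isinstance(defn.get("target"), str) or not defn["target"]:
        problems.append('"target" must be a non-empty string')
    req = defn.get("request")
    if not isinstance(req, dict):
        return problems + ['"request" must be an object']
    indices = req.get("indices")
    if not isinstance(indices, list) or not indices or not all(isinstance(i, str) and i for i in indices):
        problems.append('"request.indices" must be a non-empty list of index names or patterns')
    if not isinstance(req.get("body"), dict):
        problems.append('"request.body" must be an object (the search request body)')
    return problems


def summarize_failed_logins(response: dict, threshold: int) -> dict[str, int]:
    """Map user -> failed-login count for terms buckets at or above the threshold."""
    buckets = response.get("aggregations", {}).get("failed_logins", {}).get("buckets", [])
    return {b["key"]: b["doc_count"] for b in buckets if b["doc_count"] >= threshold}


# Constructed sample of what Elasticsearch would return for the aggregation above.
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 7}},
    "aggregations": {
        "failed_logins": {
            "buckets": [
                {"key": "svc-backup", "doc_count": 5},
                {"key": "alice", "doc_count": 2},
            ]
        }
    },
}

if __name__ == "__main__":
    rendered = render_templates(SEARCH_INPUT, {"window": "5m"})
    print("problems:", validate_search_input(rendered))
    print(json.dumps(rendered["request"]["body"]["query"], indent=2))
    print("users at or above threshold:", summarize_failed_logins(SAMPLE_RESPONSE, threshold=3))
```

Rendering is done on a copy, so the stored definition keeps its template and can be re-rendered with a different window each time the watch runs; a missing template variable raises instead of silently producing an invalid range value that Elasticsearch would reject.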
