Version: 7.x-36.0.0

This is a technical preview. Technical preview features are not fully supported, may not be functionally complete, and are not suitable for deployment in production. We encourage you to try them out and provide your feedback, good and bad, on the Search Guard forum. This will help us improve and add any features you might be missing.

Activate/Deactivate Watch API


PUT /_signals/watch/{watch_id}/_activate
PUT /_signals/watch/{watch_id}/_deactivate

These endpoints can be used to activate and deactivate watches. Inactive watches are not automatically executed.

Path Parameters

{watch_id} The id of the watch to be activated or deactivated. Required.

Request Body

No request body is required for this endpoint.


200 OK

A watch identified by the given id exists and was successfully activated or deactivated.

403 Forbidden

The user does not have the permission to activate or deactivate watches for the currently selected tenant.

404 Not found

A watch with the given id does not exist for the current tenant.

The status 404 is also returned if the tenant specified by the sg_tenant request header does not exist.

Multi Tenancy

The watch REST API is tenant-aware. Each Signals tenant has its own separate set of watches. The HTTP request header sg_tenant can be used to specify the tenant to be used. If the header is absent, the default tenant is used.


For being able to access the endpoint, the user needs to have the privilege cluster:admin:searchguard:tenant:signals:watch/activate_deactivate for the currently selected tenant.

This permission is distinct for the permission required to create or updated watches. Thus, a user may be allowed to activate or deactivate watches without being allowed to create or update watches.

This permission is included in the following built-in action groups:




PUT /_signals/watch/bad_weather/_deactivate


200 OK

Not what you were looking for? Try the search.