From 4de8bcc5168cc6b16fdd6dfa818f587c2960ac95 Mon Sep 17 00:00:00 2001
From: James Rodewig
Date: Fri, 8 May 2020 16:25:57 -0400
Subject: [PATCH 1/2] [DOCS] Correct watcher event data example
* Updates Logstash index patterns. Logstash indices now default to an ILM-friendly index pattern.
* Swaps `*.raw` fields for `*.keyword` fields. The Logstash template uses `keyword` fields by default since 6.x.
* Swaps instances of`ctx.payload.hits.total.value` with `ctx.payload.hits.total`
---
 .../example-watch-meetupdata.asciidoc | 28 ++++++++++---------
 1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/x-pack/docs/en/watcher/example-watches/example-watch-meetupdata.asciidoc b/x-pack/docs/en/watcher/example-watches/example-watch-meetupdata.asciidoc
index 7883d5289508c..2ae7d81c0cdb4 100644
--- a/x-pack/docs/en/watcher/example-watches/example-watch-meetupdata.asciidoc
+++ b/x-pack/docs/en/watcher/example-watches/example-watch-meetupdata.asciidoc
@@ -83,8 +83,8 @@ To set up the watch:
 "search": {
 "request": {
 "indices": [
- "", <1>
- ""
+ "", <1>
+ ""
 ],
 "body": {
 "size": 0,
@@ -109,13 +109,13 @@ To set up the watch:
 "aggs": {
 "group_by_city": {
 "terms": {
- "field": "group.group_city.raw", <3>
+ "field": "group.group_city.keyword", <3>
 "size": 5
 },
 "aggs": {
 "group_by_event": {
 "terms": {
- "field": "event.event_url.raw", <4>
+ "field": "event.event_url.keyword", <4>
 "size": 5
 },
 "aggs": {
@@ -130,7 +130,7 @@ To set up the watch:
 "aggs": {
 "group_by_event_name": {
 "terms": {
- "field": "event.event_name.raw" <6>
+ "field": "event.event_name.keyword" <6>
 }
 }
 }
@@ -146,7 +146,9 @@ To set up the watch:
 },
 -------------------------------------------------
 // NOTCONSOLE
-<1> Elasticsearch Date math is used to select the Logstash indices that contain the meetup data. The second pattern is needed in case the previous hour crosses days.
+<1> These index pattens use <> expressions to match {ls}
+indices that contain the meetup data. The second pattern is needed in case the
+previous hour crosses days.
 <2> Find all of the RSVPs with `Open Source` as a topic.
 <3> Group the RSVPs by city.
 <4> Consolidate multiple RSVPs for the same event.
@@ -159,7 +161,7 @@ To set up the watch:
 --
 [source,js]
 --------------------------------------------------
-"compare" : { "ctx.payload.hits.total.value" : { "gt" : 0 }}
+"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
 --------------------------------------------------
 // NOTCONSOLE
 --
@@ -207,8 +209,8 @@ PUT _watcher/watch/meetup
 "search": {
 "request": {
 "indices": [
- "",
- ""
+ "",
+ ""
 ],
 "body": {
 "size": 0,
@@ -233,13 +235,13 @@ PUT _watcher/watch/meetup
 "aggs": {
 "group_by_city": {
 "terms": {
- "field": "group.group_city.raw",
+ "field": "group.group_city.keyword",
 "size": 5
 },
 "aggs": {
 "group_by_event": {
 "terms": {
- "field": "event.event_url.raw",
+ "field": "event.event_url.keyword",
 "size": 5
 },
 "aggs": {
@@ -254,7 +256,7 @@ PUT _watcher/watch/meetup
 "aggs": {
 "group_by_event_name": {
 "terms": {
- "field": "event.event_name.raw"
+ "field": "event.event_name.keyword"
 }
 }
 }
@@ -270,7 +272,7 @@ PUT _watcher/watch/meetup
 },
 "condition": {
 "compare": {
- "ctx.payload.hits.total.value": {
+ "ctx.payload.hits.total": {
 "gt": 0
 }
 }
From 2c1d2db588a4b8e65790f4797785fcf94d934206 Mon Sep 17 00:00:00 2001
From: James Rodewig
Date: Tue, 12 May 2020 12:25:35 -0400
Subject: [PATCH 2/2] use `logstash` index alias
---
 .../example-watch-meetupdata.asciidoc | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/x-pack/docs/en/watcher/example-watches/example-watch-meetupdata.asciidoc b/x-pack/docs/en/watcher/example-watches/example-watch-meetupdata.asciidoc
index 2ae7d81c0cdb4..5c6fc8c9973e1 100644
--- a/x-pack/docs/en/watcher/example-watches/example-watch-meetupdata.asciidoc
+++ b/x-pack/docs/en/watcher/example-watches/example-watch-meetupdata.asciidoc
@@ -83,8 +83,7 @@ To set up the watch:
 "search": {
 "request": {
 "indices": [
- "", <1>
- ""
+ "logstash" <1>
 ],
 "body": {
 "size": 0,
@@ -146,9 +145,13 @@ To set up the watch:
 },
 -------------------------------------------------
 // NOTCONSOLE
-<1> These index pattens use <> expressions to match {ls}
-indices that contain the meetup data. The second pattern is needed in case the
-previous hour crosses days.
+<1> `logstash` is the default <> for the {ls}
+indices containing the meetup data. By default, the {ls}
+<> policy rolls this alias to a
+new index when the index size reaches 50GB or becomes 30 days old. For more
+information, see
+{logstash-ref}/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-ilm[{ilm-init}
+defaults in Logstash].
 <2> Find all of the RSVPs with `Open Source` as a topic.
 <3> Group the RSVPs by city.
 <4> Consolidate multiple RSVPs for the same event.
@@ -209,8 +212,7 @@ PUT _watcher/watch/meetup
 "search": {
 "request": {
 "indices": [
- "",
- ""
+ "logstash"
 ],
 "body": {
 "size": 0,