elasticsearch/x-pack/docs/en/watcher/example-watches/example-watch-clusterstatus.asciidoc

[role="xpack"]
[[watch-cluster-status]]
=== Watching the status of an Elasticsearch cluster

You can easily configure a basic watch to monitor the health of your
Elasticsearch cluster:

* <<health-add-input,Schedule the watch and define an input>> that gets the
  cluster health status.

* <<health-add-condition,Add a condition>> that evaluates the health status to
  determine if action is required.

* <<health-take-action,Take action>> if the cluster is RED.

[float]
[[health-add-input]]
==== Schedule the watch and add an input

A watch <<trigger-schedule,schedule>> controls how often a watch is triggered.
The watch <<input,input>> gets the data that you want to evaluate.

The simplest way to define a schedule is to specify an interval. For example,
the following schedule runs every 10 seconds:

[source,console]
--------------------------------------------------
PUT _watcher/watch/cluster_health_watch
{
  "trigger" : {
    "schedule" : { "interval" : "10s" } <1>
  }
}
--------------------------------------------------

<1> Schedules are typically configured to run less frequently. This example sets
    the interval to 10 seconds to you can easily see the watches being triggered.
    Since this watch runs so frequently, don't forget to <<health-delete, delete the watch>>
    when you're done experimenting.

To get the status of your cluster, you can call the Elasticsearch
{ref}//cluster-health.html[cluster health] API:

[source,console]
--------------------------------------------------
GET _cluster/health?pretty
--------------------------------------------------
// TEST[continued]

To load the health status into your watch, you simply add an
<<input-http,HTTP input>> that calls the cluster health API:

[source,console]
--------------------------------------------------
PUT _watcher/watch/cluster_health_watch
{
  "trigger" : {
    "schedule" : { "interval" : "10s" }
  },
  "input" : {
    "http" : {
      "request" : {
        "host" : "localhost",
        "port" : 9200,
        "path" : "/_cluster/health"
      }
    }
  }
}
--------------------------------------------------

If you're using Security, then you'll also need to supply some authentication
credentials as part of the watch configuration:

[source,console]
--------------------------------------------------
PUT _watcher/watch/cluster_health_watch
{
  "trigger" : {
    "schedule" : { "interval" : "10s" }
  },
  "input" : {
    "http" : {
      "request" : {
        "host" : "localhost",
        "port" : 9200,
        "path" : "/_cluster/health",
        "auth": {
          "basic": {
            "username": "elastic",
            "password": "x-pack-test-password"
          }
        }
      }
    }
  }
}
--------------------------------------------------

It would be a good idea to create a user with the minimum privileges required
for use with such a watch configuration.

Depending on how your cluster is configured, there may be additional settings
required before the watch can access your cluster such as keystores, truststores,
or certificates. For more information, see <<notification-settings>>.


If you check the watch history, you'll see that the cluster status is recorded
as part of the `watch_record` each time the watch executes.

For example, the following request retrieves the last ten watch records from
the watch history:

[source,console]
--------------------------------------------------
GET .watcher-history*/_search
{
  "sort" : [
    { "result.execution_time" : "desc" }
  ]
}
--------------------------------------------------
// TEST[continued]

[float]
[[health-add-condition]]
==== Add a condition

A <<condition,condition>> evaluates the data you've loaded into the watch and
determines if any action is required. Since you've defined an input that loads
the cluster status into the watch, you can define a condition that checks that
status.

For example, you could add a condition to check to see if the status is RED.

[source,console]
--------------------------------------------------
PUT _watcher/watch/cluster_health_watch
{
  "trigger" : {
    "schedule" : { "interval" : "10s" } <1>
  },
  "input" : {
    "http" : {
      "request" : {
       "host" : "localhost",
       "port" : 9200,
       "path" : "/_cluster/health"
      }
    }
  },
  "condition" : {
    "compare" : {
      "ctx.payload.status" : { "eq" : "red" }
    }
  }
}
--------------------------------------------------

<1> Schedules are typically configured to run less frequently. This example sets
    the interval to 10 seconds to you can easily see the watches being triggered.

If you check the watch history, you'll see that the condition result is recorded
as part of the `watch_record` each time the watch executes.

To check to see if the condition was met, you can run the following query.

[source,console]
------------------------------------------------------
GET .watcher-history*/_search?pretty
{
  "query" : {
    "match" : { "result.condition.met" : true }
  }
}
------------------------------------------------------
// TEST[continued]

[float]
[[health-take-action]]
==== Take action

Recording `watch_records` in the watch history is nice, but the real power of
{watcher} is being able to do something in response to an alert. A watch's
<<actions,actions>> define what to do when the watch condition is true--you
can send emails, call third-party webhooks, or write documents to an
Elasticsearch index or log when the watch condition is met.

For example, you could add an action to index the cluster status information
when the status is RED.

[source,console]
--------------------------------------------------
PUT _watcher/watch/cluster_health_watch
{
  "trigger" : {
    "schedule" : { "interval" : "10s" }
  },
  "input" : {
    "http" : {
      "request" : {
       "host" : "localhost",
       "port" : 9200,
       "path" : "/_cluster/health"
      }
    }
  },
  "condition" : {
    "compare" : {
      "ctx.payload.status" : { "eq" : "red" }
    }
  },
  "actions" : {
    "send_email" : {
      "email" : {
        "to" : "username@example.org",
        "subject" : "Cluster Status Warning",
        "body" : "Cluster status is RED"
      }
    }
  }
}
--------------------------------------------------

For {watcher} to send email, you must configure an email account in your
`elasticsearch.yml` configuration file and restart Elasticsearch. To add an email
account, set the `xpack.notification.email.account` property.

For example, the following snippet configures a single Gmail account named `work`:

[source,yaml]
----------------------------------------------------------
xpack.notification.email.account:
  work:
    profile: gmail
    email_defaults:
      from: <email> <1>
    smtp:
      auth: true
      starttls.enable: true
      host: smtp.gmail.com
      port: 587
      user: <username> <2>
      password: <password> <3>
----------------------------------------------------------
<1> Replace `<email>` with the email address from which you want to send
    notifications.
<2> Replace `<username>` with your Gmail user name (typically your Gmail address).
<3> Replace `<password>` with your Gmail password.

NOTE:   If you have advanced security options enabled for your email account,
        you need to take additional steps to send email from {watcher}. For more
        information, see <<configuring-email>>.

You can check the watch history or the `status_index` to see that the action was
performed.

[source,console]
-------------------------------------------------------
GET .watcher-history*/_search?pretty
{
  "query" : {
    "match" : { "result.condition.met" : true }
  }
}
-------------------------------------------------------
// TEST[continued]

[float]
[[health-delete]]
==== Delete the watch

Since the `cluster_health_watch` is configured to run every 10 seconds, make
sure you delete it when you're done experimenting. Otherwise, you'll spam yourself
indefinitely.

To remove the watch, use the <<watcher-api-delete-watch,delete watch API>>:

[source,console]
-------------------------------------------------------
DELETE _watcher/watch/cluster_health_watch
-------------------------------------------------------
// TEST[continued]