rule {
//...
// Search request handed to the search API: the index pattern to scan and the
// query body. Keys are spelled exactly as the search API expects them.
params = [
"index": "logstash-*",
"query": [query: [
bool: [
must: [
// Restrict hits to documents newer than lastSeenTimestamp.
// NOTE(review): lastSeenTimestamp is not defined in this snippet — presumably
// supplied by the rule runtime; confirm where it is maintained. "gt" is strict,
// so documents sharing that exact timestamp would not be returned on the next
// run — confirm whether "gte" with de-duplication is the intended behaviour.
["range": ["@timestamp": ["gt": lastSeenTimestamp]]],
// ...and to documents whose "message" field matches "error".
["match": [ "message": "error" ]]
]
]
]
]
]
// Called with the documents returned by the query above; the rule's
// alerting/handling logic goes inside this closure.
reaction { messages -> // All messages that match the query
// Your logic here
}
}
- As a query you can use the full power of the search API.