Commit 9fccfd9

[E&A] Checks intro pieces and inputs.
1 parent 967c47a commit 9fccfd9

10 files changed

+22
-92
lines changed

explore-analyze/alerts-cases/watcher.md

Lines changed: 1 addition & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ mapped_urls:
1010
# Watcher
1111

1212
::::{tip}
13-
{{kib}} Alerting provides a set of built-in actions and alerts that are integrated with applications such as APM, Metrics, Security, and Uptime. You can use {{kib}} Alerting to detect complex conditions within different {{kib}} apps and trigger actions when those conditions are met. For more information, see [Alerting and actions](../alerts-cases.md).
13+
{{kib}} Alerting provides a set of built-in actions and alerts that are integrated with applications such as APM, Metrics, Security, and Uptime. You can use {{kib}} Alerting to detect complex conditions within different {{kib}} apps and trigger actions when those conditions are met. For more information, refer to [Alerts and Cases](../alerts-cases.md).
1414
::::
1515

1616
You can use Watcher to watch for changes or anomalies in your data and perform the necessary actions in response. For example, you might want to:
@@ -46,17 +46,3 @@ Actions
4646
: One or more actions, such as sending email, pushing data to 3rd party systems through a webhook, or indexing the results of the query.
4747

4848
A full history of all watches is maintained in an Elasticsearch index. This history keeps track of each time a watch is triggered and records the results from the query, whether the condition was met, and what actions were taken.
49-
50-
% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc):
51-
52-
$$$watcher-create-advanced-watch$$$
53-
54-
$$$ec-cloud-email-service-limits$$$
55-
56-
$$$ec-watcher-custom-mail-server$$$
57-
58-
$$$watcher-create-threshold-alert$$$
59-
60-
$$$watcher-deactivate$$$
61-
62-
$$$watcher-getting-started$$$
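
Review bot: The six `$$$...$$$` IDs at old lines 52-62 are removed together with the comment stating that internal links rely on them, and this hunk does not show where they now live. Before dropping them, confirm each ID is defined on the page its links now target. Four of them are repointed in watcher-ui.md in this commit, but `ec-cloud-email-service-limits` and `ec-watcher-custom-mail-server` are not re-homed in any of the visible changes.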

explore-analyze/alerts-cases/watcher/enable-watcher.md

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,9 @@
11
# Enable Watcher [enable-watcher]
22

33
::::{note}
4-
If you are looking for Kibana alerting, check [Alerting and Actions](../../../explore-analyze/alerts-cases.md) in the Kibana Guide.
4+
If you are looking for Kibana alerting, check [Alerts and Cases](../../../explore-analyze/alerts-cases.md).
55
::::
66

7-
Watcher lets you take action based on changes in your data. It is designed around the principle that, if you can query something in Elasticsearch, you can alert on it. Simply define a query, condition, schedule, the actions to take, and Watcher will do the rest.
8-
97
Watcher can be enabled when configuring your cluster. You can run Alerting on a separate cluster from the cluster whose data you are actually watching.
108

119
## Before you begin [watcher-before-you-begin]
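
Review bot: With the Watcher intro paragraph removed at old line 7, the page now opens on the unchanged sentence "You can run Alerting on a separate cluster from the cluster whose data you are actually watching", which names Alerting on a page about enabling Watcher, directly under a note that sends Kibana alerting readers elsewhere. Suggest rewording that sentence to say Watcher if that is what is meant. The new line 4 also uses "check [Alerts and Cases]" while the same link in watcher.md was reworded to "refer to"; pick one form.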
@@ -20,7 +18,7 @@ To learn more about Kibana alerting and how to use it, check [Alerting and Actio
2018

2119
## Send alerts by email [watcher-allowlist]
2220

23-
Alerting can send alerts by email. You can configure notifications similar to the [operational emails](../../../deploy-manage/cloud-organization/operational-emails.md) that Elasticsearch Service sends automatically to alert you about performance issues in your clusters.
21+
You can configure notifications similar to the [operational emails](../../../deploy-manage/cloud-organization/operational-emails.md) that Elasticsearch Service sends automatically to alert you about performance issues in your clusters.
2422

2523
Watcher in Elastic Cloud is preconfigured with an email service and can be used without any additional configuration. Alternatively, a custom mail server can be configured as described in [Configuring a custom mail server](../../../explore-analyze/alerts-cases/watcher.md#ec-watcher-custom-mail-server)
2624
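
Review bot: The unchanged line 23 still links to `../../../explore-analyze/alerts-cases/watcher.md#ec-watcher-custom-mail-server`, but this commit deletes the `$$$ec-watcher-custom-mail-server$$$` ID from watcher.md, so the fragment will no longer resolve; point it at the page that now carries that section. The same sentence is missing its closing period, and the hunk header shows a "[Alerting and Actio" link text further up the page that was not renamed like the one on line 4.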

explore-analyze/alerts-cases/watcher/encrypting-data.md

Lines changed: 4 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -13,10 +13,9 @@ To encrypt sensitive data in {{watcher}}:
1313

1414
1. Use the [elasticsearch-syskeygen](https://www.elastic.co/guide/en/elasticsearch/reference/current/syskeygen.html) command to create a system key file.
1515
2. Copy the `system_key` file to all of the nodes in your cluster.
16-
17-
::::{important}
18-
The system key is a symmetric key, so the same key must be used on every node in the cluster.
19-
::::
16+
::::{important}
17+
The system key is a symmetric key, so the same key must be used on every node in the cluster.
18+
::::
2019

2120
3. Set the [`xpack.watcher.encrypt_sensitive_data` setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/notification-settings.html):
2221
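
Review bot: Check in a rendered preview that the `::::{important}` block at new lines 16-18 nests under step 2 and that step 3 keeps its number. The added lines read the same as the removed lines 17-19, so the diff as shown does not tell whether the block is now indented into the list item or only lost the blank line above it.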

@@ -34,8 +33,6 @@ To encrypt sensitive data in {{watcher}}:
3433

3534
5. Delete the `system_key` file on each node in the cluster.
3635

37-
::::{note}
36+
::::{note}
3837
Existing watches are not affected by these changes. Only watches that you create after following these steps have encryption enabled.
3938
::::
40-
41-

explore-analyze/alerts-cases/watcher/input-chain.md

Lines changed: 0 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -4,11 +4,8 @@ mapped_pages:
44
- https://www.elastic.co/guide/en/elasticsearch/reference/current/input-chain.html
55
---
66

7-
8-
97
# Chain input [input-chain]
108

11-
129
Use the `chain` input to load data from multiple sources into the watch execution context when the watch is triggered. The inputs in a chain are processed in order and the data loaded by an input can be accessed by the subsequent inputs in the chain.
1310

1411
The `chain` input enables you to perform actions based on data from multiple sources. You can also use the data collected by one input to load data from another source.
@@ -43,12 +40,10 @@ For example, the following chain input loads data from an HTTP server using the
4340
1. The inputs in a chain are specified as an array to guarantee the order in which the inputs are processed. (JSON does not guarantee the order of arbitrary objects.)
4441
2. Loads the `path` set by the `first` input.
4542

46-
4743
## Accessing chained input data [_accessing_chained_input_data]
4844

4945
To reference data loaded by a particular input, you use the input’s name, `ctx.payload.<input-name>.<value>`.
5046

51-
5247
## Transforming chained input data [_transforming_chained_input_data]
5348

5449
In certain use-cases the output of the first input should be used as input in a subsequent input. This requires you to do a transform, before you pass the data on to the next input.

explore-analyze/alerts-cases/watcher/input-http.md

Lines changed: 0 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -4,11 +4,8 @@ mapped_pages:
44
- https://www.elastic.co/guide/en/elasticsearch/reference/current/input-http.html
55
---
66

7-
8-
97
# HTTP input [input-http]
108

11-
129
Use the `http` input to submit a request to an HTTP endpoint and load the response into the watch execution context when the watch is triggered. See [HTTP input attributes](#http-input-attributes) for all of the supported attributes.
1310

1411
With the `http` input, you can:
@@ -48,7 +45,6 @@ You can use the full Elasticsearch [Query DSL](../../query-filter/languages/quer
4845
}
4946
```
5047

51-
5248
## Calling Elasticsearch APIs [_calling_elasticsearch_apis]
5349

5450
To load the data from other Elasticsearch APIs, specify the API endpoint as the `path` attribute. Use the `params` attribute to specify query string parameters. For example, the following `http` input calls the [cluster stats](https://www.elastic.co/guide/en/elasticsearch/reference/current/cluster-stats.html) API and enables the `human` attribute:
@@ -70,8 +66,6 @@ To load the data from other Elasticsearch APIs, specify the API endpoint as the
7066

7167
1. Enabling this attribute returns the `bytes` values in the response in human readable format.
7268

73-
74-
7569
## Calling external web services [input-http-auth-basic-example]
7670

7771
You can use `http` input to get data from any external web service. The `http` input supports basic authentication. For example, the following input provides a username and password to access `myservice`:
@@ -131,8 +125,6 @@ You can also call an API using a `Bearer token` instead of basic authentication.
131125
}
132126
```
133127

134-
135-
136128
## Using templates [_using_templates_2]
137129

138130
The `http` input supports templating. You can use [templates](how-watcher-works.md#templates) when specifying the `path`, `body`, header values, and parameter values.
@@ -152,7 +144,6 @@ For example, the following snippet uses templates to specify what index to query
152144
}
153145
```
154146

155-
156147
## Accessing the HTTP response [_accessing_the_http_response]
157148

158149
If the response body is formatted in JSON or YAML, it is parsed and loaded into the execution context. If the response body is not formatted in JSON or YAML, it is loaded into the payload’s `_value` field.
@@ -161,7 +152,6 @@ Conditions, transforms, and actions access the response data through the executi
161152

162153
In addition all the headers from the response can be accessed using the `ctx.payload._headers` field as well as the HTTP status code of the response using `ctx.payload._status_code`.
163154

164-
165155
## HTTP input attributes [http-input-attributes]
166156

167157
| Name | Required | Default | Description |
@@ -193,5 +183,3 @@ You can reference the following variables in the execution context when specifyi
193183
| `ctx.trigger.triggered_time` | The time this watch was triggered. |
194184
| `ctx.trigger.scheduled_time` | The time this watch was supposed to be triggered. |
195185
| `ctx.metadata.*` | Any metadata associated with the watch. |
196-
197-

explore-analyze/alerts-cases/watcher/input-search.md

Lines changed: 1 addition & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -4,11 +4,8 @@ mapped_pages:
44
- https://www.elastic.co/guide/en/elasticsearch/reference/current/input-search.html
55
---
66

7-
8-
97
# Search input [input-search]
108

11-
129
Use the `search` input to load the results of an Elasticsearch search request into the execution context when the watch is triggered. See [Search Input Attributes](#search-input-attributes) for all of the supported attributes.
1310

1411
In the search input’s `request` object, you specify:
@@ -74,7 +71,6 @@ For example, the following input loads only the total number of hits into the wa
7471
},
7572
```
7673

77-
7874
## Using Templates [_using_templates]
7975

8076
The `search` input supports [search templates](../../../solutions/search/search-templates.md). For example, the following snippet references the indexed template called `my_template` and passes a value of 23 to fill in the template’s `value` parameter:
@@ -98,7 +94,6 @@ The `search` input supports [search templates](../../../solutions/search/search-
9894
}
9995
```
10096

101-
10297
## Applying conditions [_applying_conditions]
10398

10499
The `search` input is often used in conjunction with the [`script`](condition-script.md) condition. For example, the following snippet adds a condition to check if the search returned more than five hits:
@@ -122,7 +117,6 @@ The `search` input is often used in conjunction with the [`script`](condition-sc
122117
}
123118
```
124119

125-
126120
## Accessing the search results [_accessing_the_search_results]
127121

128122
Conditions, transforms, and actions can access the search results through the watch execution context. For example:
@@ -132,12 +126,10 @@ Conditions, transforms, and actions can access the search results through the wa
132126
* To access a particular hit, use its zero-based array index. For example, to get the third hit, use `ctx.payload.hits.hits.2`.
133127
* To get a field value from a particular hit, use `ctx.payload.hits.hits.<index>.fields.<fieldname>`. For example, to get the message field from the first hit, use `ctx.payload.hits.hits.0.fields.message`.
134128

135-
::::{note}
129+
::::{note}
136130
The total number of hits in the search response is returned as an object in the response. It contains a `value`, the number of hits, and a `relation` that indicates if the value is accurate (`"eq"`) or a lower bound of the total hits that match the query (`"gte"`). You can set `track_total_hits` to true in the search request to tell Elasticsearch to always track the number of hits accurately.
137131
::::
138132

139-
140-
141133
## Search Input Attributes [search-input-attributes]
142134

143135
| Name | Required | Default | Description |
@@ -161,5 +153,3 @@ You can reference the following variables in the execution context when specifyi
161153
| `ctx.trigger.triggered_time` | The time this watch was triggered. |
162154
| `ctx.trigger.scheduled_time` | The time this watch was supposed to be triggered. |
163155
| `ctx.metadata.*` | Any metadata associated with the watch. |
164-
165-

explore-analyze/alerts-cases/watcher/input-simple.md

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -4,11 +4,8 @@ mapped_pages:
44
- https://www.elastic.co/guide/en/elasticsearch/reference/current/input-simple.html
55
---
66

7-
8-
97
# Simple input [input-simple]
108

11-
129
Use the `simple` input to load static data into the execution context when the watch is triggered. This enables you to store the data centrally and reference it with templates.
1310

1411
You can define the static data as a string (`str`), numeric value (`num`), or an object (`obj`):
@@ -50,4 +47,3 @@ For example, the following watch uses the `simple` input to set the recipient na
5047
}
5148
}
5249
```
53-

explore-analyze/alerts-cases/watcher/input.md

Lines changed: 1 addition & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -4,11 +4,8 @@ mapped_pages:
44
- https://www.elastic.co/guide/en/elasticsearch/reference/current/input.html
55
---
66

7-
8-
97
# Inputs [input]
108

11-
129
When a watch is triggered, its *input* loads data into the execution context. This payload is accessible during the subsequent watch execution phases. For example, you can base a watch’s condition on the data loaded by its input.
1310

1411
{{watcher}} supports four input types:
@@ -18,12 +15,6 @@ When a watch is triggered, its *input* loads data into the execution context. Th
1815
* [`http`](input-http.md): load the results of an HTTP request into the execution context.
1916
* [`chain`](input-chain.md): use a series of inputs to load data into the execution context.
2017

21-
::::{note}
18+
::::{note}
2219
If you don’t define an input for a watch, an empty payload is loaded into the execution context.
2320
::::
24-
25-
26-
27-
28-
29-

explore-analyze/alerts-cases/watcher/watcher-getting-started.md

Lines changed: 6 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -5,15 +5,13 @@ mapped_pages:
55

66
# Getting started with Watcher [watcher-getting-started]
77

8-
$$$watch-log-data$$$
98
To set up a watch to start sending alerts:
109

1110
* [Schedule the watch and define an input](#log-add-input).
1211
* [Add a condition](#log-add-condition) that checks to see if an alert needs to be sent.
1312
* [Configure an action](#log-take-action) to send an alert when the condition is met.
1413

15-
16-
## Schedule the watch and define an input [log-add-input]
14+
## Schedule the watch and define an input [log-add-input]
1715

1816
A watch [schedule](trigger-schedule.md) controls how often a watch is triggered. The watch [input](input.md) gets the data that you want to evaluate.
1917
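
Review bot: Removing `$$$watch-log-data$$$` at old line 8 drops an anchor without any visible check that nothing still links to `#watch-log-data`. Search the docs for that fragment before merging, or repoint any remaining links to `#watcher-getting-started` or `#log-add-input`.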

@@ -56,8 +54,7 @@ GET .watcher-history*/_search?pretty
5654
}
5755
```
5856

59-
60-
## Add a condition [log-add-condition]
57+
## Add a condition [log-add-condition]
6158

6259
A [condition](condition.md) evaluates the data you’ve loaded into the watch and determines if any action is required. Now that you’ve loaded log errors into the watch, you can define a condition that checks to see if any errors were found.
6360

@@ -87,7 +84,6 @@ PUT _watcher/watch/log_error_watch
8784

8885
1. The [compare](condition-compare.md) condition lets you easily compare against values in the execution context.
8986

90-
9187
For this compare condition to evaluate to `true`, you need to add an event to the `logs` index that contains an error. For example, the following request adds a 404 error to the `logs` index:
9288

9389
```console
@@ -116,8 +112,7 @@ GET .watcher-history*/_search?pretty
116112
}
117113
```
118114

119-
120-
## Configure an action [log-take-action]
115+
## Configure an action [log-take-action]
121116

122117
Recording watch records in the watch history is nice, but the real power of {{watcher}} is being able to do something when the watch condition is met. A watch’s [actions](actions.md) define what to do when the watch condition evaluates to `true`. You can send emails, call third-party webhooks, write documents to an Elasticsearch index, or log messages to the standard Elasticsearch log files.
123118

@@ -152,8 +147,7 @@ PUT _watcher/watch/log_error_watch
152147
}
153148
```
154149

155-
156-
## Delete the Watch [log-delete]
150+
## Delete the Watch [log-delete]
157151

158152
Since the `log_error_watch` is configured to run every 10 seconds, make sure you delete it when you’re done experimenting. Otherwise, the noise from this sample watch will make it hard to see what else is going on in your watch history and log file.
159153

@@ -163,17 +157,14 @@ To remove the watch, use the [delete watch API](https://www.elastic.co/guide/en/
163157
DELETE _watcher/watch/log_error_watch
164158
```
165159

166-
167-
## Required security privileges [required-security-privileges]
160+
## Required security privileges [required-security-privileges]
168161

169162
To enable users to create and manipulate watches, assign them the `watcher_admin` security role. Watcher admins can also view watches, watch history, and triggered watches.
170163

171164
To allow users to view watches and the watch history, assign them the `watcher_user` security role. Watcher users cannot create or manipulate watches; they are only allowed to execute read-only watch operations.
172165

173-
174-
## Where to go next [next-steps]
166+
## Where to go next [next-steps]
175167

176168
* See [*How {{watcher}} works*](how-watcher-works.md) for more information about the anatomy of a watch and the watch lifecycle.
177169
* See [*Example watches*](example-watches.md) for more examples of setting up a watch.
178170
* See the [Example Watches](https://github.com/elastic/examples/tree/master/Alerting) in the Elastic Examples repo for additional sample watches you can use as a starting point for building custom watches.
179-

explore-analyze/alerts-cases/watcher/watcher-ui.md

Lines changed: 7 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,20 +1,18 @@
11
# Watcher UI [watcher-ui]
22

3-
Watcher is an {{es}} feature that you can use to create actions based on conditions, which are periodically evaluated using queries on your data. Watches are helpful for analyzing mission-critical and business-critical streaming data. For example, you might watch application logs for performance outages or audit access logs for security threats.
4-
53
Go to the **Watcher** page using the navigation menu or the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). With this UI, you can:
64

7-
* [Create a simple threshold watch](../../../explore-analyze/alerts-cases/watcher.md#watcher-create-threshold-alert)
8-
* [View your watch history and action status](../../../explore-analyze/alerts-cases/watcher.md#watcher-getting-started)
9-
* [Deactivate and delete a watch](../../../explore-analyze/alerts-cases/watcher.md#watcher-deactivate)
10-
* [Create an advanced watch using API syntax](../../../explore-analyze/alerts-cases/watcher.md#watcher-create-advanced-watch)
5+
* [Create a simple threshold watch](#watcher-create-threshold-alert)
6+
* [View your watch history and action status](#watcher-getting-started)
7+
* [Deactivate and delete a watch](#watcher-deactivate)
8+
* [Create an advanced watch using API syntax](#watcher-create-advanced-watch)
119

1210
![Watcher list](../../../images/kibana-watches.png "")
1311

1412
[Alerting on cluster and index events](../../../explore-analyze/alerts-cases/watcher.md) is a good source for detailed information on how watches work. If you are using the UI to create a threshold watch, take a look at the different watcher actions. If you are creating an advanced watch, you should be familiar with the parts of a watch—input, schedule, condition, and actions.
1513

1614
::::{note}
17-
There are limitations in **Watcher** that affect {{kib}}. For information, refer to [Alerting](../../../explore-analyze/alerts-cases/watcher/watcher-limitations.md).
15+
There are limitations in **Watcher** that affect {{kib}}. For information, refer to [Limitations](watcher-limitations.md).
1816
::::
1917

2018
## Watcher security [watcher-security]
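
Review bot: The four bullets at new lines 5-8 now use same-page fragments (`#watcher-create-threshold-alert`, `#watcher-getting-started`, `#watcher-deactivate`, `#watcher-create-advanced-watch`), but the only heading IDs visible in this hunk are `[watcher-ui]` and `[watcher-security]`; confirm the later sections of this page define those IDs. `watcher-getting-started` is also the heading ID of watcher-getting-started.md touched in this same commit, so if IDs have to be unique across the docs set, that bullet needs a different target. The unchanged link to `../../../explore-analyze/alerts-cases/watcher.md` on line 12 could use a short relative path like the new `watcher-limitations.md` link.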
@@ -146,5 +144,5 @@ After starting the simulation, you’ll see a results screen. For more informati
146144

147145
Refer to these examples for creating an advanced watch:
148146

149-
* [Watch the status of an {{es}} cluster](../../../explore-analyze/alerts-cases/watcher/watch-cluster-status.md)
150-
* [Watch event data](https://www.elastic.co/guide/en/elasticsearch/reference/current/example-watches.html)
147+
* [Watch the status of an {{es}} cluster](watch-cluster-status.md)
148+
* [Watch event data](example-watches.md)
