Create a rule
This API creates a rule with a specific rule identifier. If you omit the identifier, it is automatically generated. To create a rule, you must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule you're creating. For example, you must have privileges for the Management > Stack rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature.

This API supports both key- and token-based authentication. To use key-based authentication, create an API key in Kibana and use it in the header of the API call. To use token-based authentication, provide a username and password; an API key that matches the current privileges of the user is created automatically. In both cases, the API key is subsequently used for authorization when the rule runs.
Path parameters
- id string: A UUID v1 or v4 identifier for the rule. If you omit this parameter, an identifier is randomly generated.
Body object Required
The properties vary depending on the rule type.
Rule type: xpack.ml.anomaly_detection_alert

A rule that checks if the anomaly detection job results contain anomalies that match the rule conditions.

- actions array[object] | null: Actions that run under defined conditions. Default value is [] (empty). Each action object has the following attributes:
  - alerts_filter object: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object: Defines a query filter that determines whether the action runs.
    - timeframe object: Defines a period that limits whether the action runs.
      - days array[integer]: Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object: Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions are generated all day.
      - timezone string: The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  - frequency object: The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string: Indicates how often alerts generate actions. Valid values: onActionGroupChange (actions run when the alert status changes); onActiveAlert (actions run when the alert becomes active and at each check interval while the rule conditions are met); onThrottleInterval (actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met). NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
    - summary boolean: Indicates whether the action is a summary.
    - throttle string | null: The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  - id string: The identifier for the connector saved object.
  - params object: The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string: A universally unique identifier (UUID) for the action.
- alert_delay object: Indicates that an alert occurs only when the specified number of consecutive runs have met the rule conditions.
  - active integer: The number of consecutive runs that must meet the rule conditions.
- consumer string: The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean: Indicates whether you want to run the rule on an interval basis after it is created.
- name string: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string | null: Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object: The parameters for an anomaly detection rule.
- rule_type_id string: The ID of the rule type that you want to call when the rule is scheduled to run. Value is xpack.ml.anomaly_detection_alert.
- schedule object: The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
  - interval string
- tags array[string]: The tags for the rule. Default value is [] (empty).
- throttle string | null: Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
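As an added example (not from the Kibana documentation or code base), the following Python builds a request body for an apm.error_rate rule, checks it against the constraints stated in this reference before it is sent (no notify_when or throttle at both rule and action level, throttle only with onThrottleInterval, timeframe days/hours/timezone well formed), and prepares the key-authenticated POST with the kbn-xsrf header Kibana requires on writes. Assumed rather than shown on this page: the property names environment, threshold, windowSize, windowUnit, group, id and active, the threshold_met action group, the connector's message parameter, and timeframe.days as ISO weekdays 1 (Monday) to 7 (Sunday); the connector id and API key are placeholders.

```python
"""Build and pre-check a Kibana 'Create a rule' body (added example, not Kibana code).
Assumed, not shown on this page: the property names environment, threshold,
windowSize, windowUnit, group, id and active; the threshold_met action group; the
connector's message parameter; timeframe.days as ISO weekdays 1 (Monday)..7 (Sunday).
"""
import json
import re
import urllib.request
from typing import Any, Dict, List, Optional

NOTIFY_WHEN = {"onActionGroupChange", "onActiveAlert", "onThrottleInterval"}
RULE_TYPES = {"xpack.ml.anomaly_detection_alert", "xpack.ml.anomaly_detection_jobs_health",
              "apm.anomaly", "apm.error_rate", "apm.transaction_duration"}
DURATION = re.compile(r"^\d+[smhd]$")                          # 30s, 5m, 1h, 2d
CLOCK = re.compile(r"^(?:(?:[01]\d|2[0-3]):[0-5]\d|24:00)$")   # 00:00 .. 24:00


def error_rate_rule(service: str, env: str, connector_id: str) -> Dict[str, Any]:
    """apm.error_rate rule whose one action runs on weekdays in office hours and
    repeats at most once per hour while the alert stays active."""
    return {
        "name": f"{service} ({env}) error count",
        "consumer": "apm",
        "rule_type_id": "apm.error_rate",
        "enabled": True,
        "tags": ["apm", "errors"],
        "schedule": {"interval": "1m"},
        "params": {                       # only serviceName and groupBy appear on the page
            "environment": env,
            "serviceName": service,
            "threshold": 25,              # errors within the window before alerting
            "windowSize": 5,
            "windowUnit": "m",
            "groupBy": ["service.name", "service.environment"],
        },
        "alert_delay": {"active": 2},     # alert only after 2 consecutive matching runs
        "actions": [{
            "group": "threshold_met",     # assumed APM action group name
            "id": connector_id,
            "params": {"message": "{{rule.name}}: error threshold met"},  # Mustache template
            "frequency": {"summary": False, "notify_when": "onThrottleInterval", "throttle": "1h"},
            "alerts_filter": {"timeframe": {
                "days": [1, 2, 3, 4, 5],                        # Monday .. Friday
                "hours": {"start": "08:00", "end": "18:00"},
                "timezone": "Europe/Amsterdam",                 # IANA zone, so DST-aware
            }},
        }],
    }


def validate(body: Dict[str, Any]) -> List[str]:
    """Return the violations of the documented constraints; empty means consistent."""
    problems: List[str] = []
    if body.get("rule_type_id") not in RULE_TYPES:
        problems.append("rule_type_id is not one of the rule types documented here")
    if not DURATION.match(body.get("schedule", {}).get("interval", "")):
        problems.append("schedule.interval must be a duration such as 1m, 2h or 1d")
    # Deprecated rule-level settings conflict with any action-level frequency object.
    rule_level = sorted(k for k in ("notify_when", "throttle") if body.get(k) is not None)
    for i, action in enumerate(body.get("actions") or []):
        where = f"actions[{i}]"
        freq = action.get("frequency")
        if freq is not None:
            if rule_level:
                problems.append(f"{where}.frequency conflicts with rule-level {rule_level}")
            nw, throttle = freq.get("notify_when"), freq.get("throttle")
            if nw not in NOTIFY_WHEN:
                problems.append(f"{where}.frequency.notify_when is invalid: {nw!r}")
            if throttle is not None and nw != "onThrottleInterval":
                problems.append(f"{where}.frequency.throttle only applies with onThrottleInterval")
            elif throttle is not None and not DURATION.match(throttle):
                problems.append(f"{where}.frequency.throttle must be a duration such as 30m")
        tf = (action.get("alerts_filter") or {}).get("timeframe")
        if tf is not None:
            if any(d not in range(1, 8) for d in tf.get("days", [])):
                problems.append(f"{where}: timeframe.days must use 1 (Monday) .. 7 (Sunday)")
            hours = tf.get("hours", {})
            if not (CLOCK.match(hours.get("start", "")) and CLOCK.match(hours.get("end", ""))):
                problems.append(f"{where}: timeframe.hours start/end must be HH:MM, at most 24:00")
            if str(tf.get("timezone", "")).startswith("UTC"):
                problems.append(f"{where}: warning: {tf['timezone']!r} has no DST support")
    return problems


def create_rule_request(kibana_url: str, encoded_api_key: str, body: Dict[str, Any],
                        rule_id: Optional[str] = None) -> urllib.request.Request:
    """POST /api/alerting/rule[/{id}] with key-based auth; kbn-xsrf is required on writes. Returned unsent."""
    path = "/api/alerting/rule" + (f"/{rule_id}" if rule_id else "")
    return urllib.request.Request(
        kibana_url.rstrip("/") + path, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"ApiKey {encoded_api_key}", "kbn-xsrf": "true",
                 "Content-Type": "application/json"})


if __name__ == "__main__":
    rule = error_rate_rule("checkout", "production", "<connector-id>")   # placeholders
    print(validate(rule) or json.dumps(rule, indent=2))
```

Pass the returned request to urllib.request.urlopen to actually create the rule; the encoded API key is the value Kibana shows when the key is created.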
Rule type: xpack.ml.anomaly_detection_jobs_health

A rule that monitors job health and alerts if an operational issue occurred that may prevent the job from detecting anomalies.

The actions, alert_delay, consumer, enabled, name, notify_when (deprecated), schedule, tags, and throttle (deprecated) properties are the same as for the xpack.ml.anomaly_detection_alert rule above; only the rule-type-specific properties are listed here:

- params object: The parameters for an anomaly detection jobs health rule.
- rule_type_id string: The ID of the rule type that you want to call when the rule is scheduled to run. Value is xpack.ml.anomaly_detection_jobs_health.
Rule type: apm.anomaly

A rule that detects when either the latency, throughput, or failed transaction rate of a service is anomalous.

The actions, alert_delay, consumer, enabled, name, notify_when (deprecated), schedule, tags, and throttle (deprecated) properties are the same as for the xpack.ml.anomaly_detection_alert rule above; only the rule-type-specific properties are listed here:

- params object:
  - anomalySeverityType string: The anomaly threshold value. Values are critical, major, minor, or warning.
  - environment string: The environment from APM.
  - serviceName string: The service name from APM.
  - transactionType string: The transaction type from APM.
  - windowSize number: The window size.
  - windowUnit string: The window size unit. Values are m, h, or d.
- rule_type_id string: The ID of the rule type that you want to call when the rule is scheduled to run. Value is apm.anomaly.
Rule type: apm.error_rate

A rule that detects when the number of errors in a service exceeds a defined threshold.

The actions, alert_delay, consumer, enabled, name, notify_when (deprecated), schedule, tags, and throttle (deprecated) properties are the same as for the xpack.ml.anomaly_detection_alert rule above; only the rule-type-specific properties are listed here:

- params object:
  - environment string: The environment from APM.
  - errorGroupingKey string
  - groupBy array[string]: Values are service.name, service.environment, transaction.name, or error.grouping_key. Default value is ["service.name", "service.environment"].
  - serviceName string: The service name from APM.
  - threshold number: The error count threshold value.
  - windowSize number: The window size.
  - windowUnit string: The window size unit. Values are m, h, or d.
- rule_type_id string: The ID of the rule type that you want to call when the rule is scheduled to run. Value is apm.error_rate.
Rule type: apm.transaction_duration

A rule that detects when the latency of a specific transaction type in a service exceeds a threshold.

The actions, alert_delay, consumer, enabled, name, notify_when (deprecated), schedule, tags, and throttle (deprecated) properties are the same as for the xpack.ml.anomaly_detection_alert rule above; only the rule-type-specific properties are listed here:

- params object:
  - aggregationType string: Values are avg, 95th, or 99th.
  - groupBy array[string]: Values are service.name, service.environment, transaction.type, or transaction.name. Default value is ["service.name", "service.environment", "transaction.type"].
  - serviceName string: The service name from APM.
  - threshold number: The latency threshold value.
  - transactionName string: The transaction name from APM.
  - transactionType string: The transaction type from APM.
  - windowSize number: The window size.
  - windowUnit string: The window size unit. Values are m, h, or d.
- rule_type_id string: The ID of the rule type that you want to call when the rule is scheduled to run. Value is apm.transaction_duration.
A rule that sends notifications when the rate of transaction errors in a service exceeds a threshold.
- actions array[object] | null
  Default value is [] (empty). Each element is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
      - timezone string
        The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string
      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: actions run when the alert status changes; onActiveAlert: actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
    - summary boolean
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  - id string
    The identifier for the connector saved object.
  - params object
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- alert_delay object
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  - active number
    The number of consecutive runs that must meet the rule conditions.
- consumer string
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string | null
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object
  - environment string
    The environment from APM.
  - groupBy array[string]
    Values are service.name, service.environment, transaction.type, or transaction.name. Default value is ["service.name", "service.environment", "transaction.type"].
  - serviceName string
    The service name from APM.
  - threshold integer
    The error rate threshold value.
  - transactionName string
    The transaction name from APM.
  - transactionType string
    The transaction type from APM.
  - windowSize integer
    The window size.
  - windowUnit string
    The window size unit. Values are m, h, or d.
- rule_type_id string
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is apm.transaction_error_rate.
- schedule object
  The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
  - interval string
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that runs a user-configured query, compares the number of matches to a configured threshold, and schedules actions to run when the threshold condition is met.
- actions array[object] | null
  Default value is [] (empty). Each element is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
      - timezone string
        The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string
      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: actions run when the alert status changes; onActiveAlert: actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
    - summary boolean
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  - id string
    The identifier for the connector saved object.
  - params object
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- alert_delay object
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  - active number
    The number of consecutive runs that must meet the rule conditions.
- consumer string
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string | null
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  One of the following three parameter sets.

  The parameters for an Elasticsearch query rule that uses ES|QL to define the query. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
  - aggField string
    The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.
  - aggType string
    The type of aggregation to perform. Values are avg, count, max, min, or sum. Default value is count.
  - esqlQuery object
    - esql string
      The query definition, which uses Elasticsearch Query Language.
  - excludeHitsFromPreviousRun boolean
    Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
  - groupBy string
    Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked. Values are all or top. Default value is all.
  - searchType string
    The type of query, in this case a query that uses Elasticsearch Query Language (ES|QL). Value is esqlQuery.
  - size integer
    When searchType is esqlQuery, this property is required but it does not affect the rule behavior.
  - termSize integer
    This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
  - threshold array[number]
    The threshold value that is used with the thresholdComparator. When searchType is esqlQuery, this property is required and must be set to zero. Minimum value of each is 0, maximum value of each is 0.
  - thresholdComparator string
    The comparison function for the threshold. When searchType is esqlQuery, this property is required and must be set to ">". Since the threshold value must be 0, the result is that an alert occurs whenever the query returns results. Value is >.
  - timeField string
    The field that is used to calculate the time window.
  - timeWindowSize integer
    The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
  - timeWindowUnit string
    The type of units for the time window: seconds, minutes, hours, or days. Values are s, m, h, or d.

  The parameters for an Elasticsearch query rule that uses KQL or Lucene to define the query.
  - aggField string
    The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.
  - aggType string
    The type of aggregation to perform. Values are avg, count, max, min, or sum. Default value is count.
  - excludeHitsFromPreviousRun boolean
    Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
  - groupBy string
    Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked. Values are all or top. Default value is all.
  - searchConfiguration object
    The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.
  - searchType string
    The type of query, in this case a text-based query that uses KQL or Lucene. Value is searchSource.
  - size integer
    The number of documents to pass to the configured actions when the threshold condition is met.
  - termSize integer
    This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
  - threshold array[number]
    The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.
  - thresholdComparator string
    The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between". Values are >, >=, <, <=, between, or notBetween.
  - timeField string
    The field that is used to calculate the time window.
  - timeWindowSize integer
    The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
  - timeWindowUnit string
    The type of units for the time window: seconds, minutes, hours, or days. Values are s, m, h, or d.

  The parameters for an Elasticsearch query rule that uses Elasticsearch Query DSL to define the query.
  - aggField string
    The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.
  - aggType string
    The type of aggregation to perform. Values are avg, count, max, min, or sum. Default value is count.
  - esQuery string
    The query definition, which uses Elasticsearch Query DSL.
  - excludeHitsFromPreviousRun boolean
    Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
  - groupBy string
    Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked. Values are all or top. Default value is all.
  - index array[string] | string Required
    The indices to query.
  - searchType string
    The type of query, in this case a query that uses Elasticsearch Query DSL. Value is esQuery. Default value is esQuery.
  - size integer
    The number of documents to pass to the configured actions when the threshold condition is met.
  - termSize integer
    This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
  - threshold array[number]
    The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.
  - thresholdComparator string
    The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between". Values are >, >=, <, <=, between, or notBetween.
  - timeField string
    The field that is used to calculate the time window.
  - timeWindowSize integer
    The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
  - timeWindowUnit string
    The type of units for the time window: seconds, minutes, hours, or days. Values are s, m, h, or d.
- rule_type_id string
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is .es-query.
- schedule object
  The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
  - interval string
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that runs an Elasticsearch query over indices to determine whether any documents are currently contained within any boundaries from the specified boundary index. In the event that an entity is contained within a boundary, an alert may be generated.
- actions array[object] | null
  Default value is [] (empty). Each element is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
      - timezone string
        The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string
      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: actions run when the alert status changes; onActiveAlert: actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
    - summary boolean
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  - id string
    The identifier for the connector saved object.
  - params object
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- alert_delay object
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  - active number
    The number of consecutive runs that must meet the rule conditions.
- consumer string
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string | null
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object
  The parameters for a tracking containment rule.
- rule_type_id string
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is .geo-containment.
- schedule object
  The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
  - interval string
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that runs an Elasticsearch query, aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met.
- actions array[object] | null
  Default value is [] (empty). Each element is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
      - timezone string
        The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string
      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: actions run when the alert status changes; onActiveAlert: actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
    - summary boolean
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  - id string
    The identifier for the connector saved object.
  - params object
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- alert_delay object
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  - active number
    The number of consecutive runs that must meet the rule conditions.
- consumer string
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string | null
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object
  The parameters for an index threshold rule.
  - aggField string
    The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.
  - aggType string
    The type of aggregation to perform. Values are avg, count, max, min, or sum. Default value is count.
  - filterKuery string
    A KQL expression that limits the scope of alerts.
  - groupBy string
    Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked. Values are all or top. Default value is all.
  - index array[string]
    The indices to query.
  - termSize integer
    This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
  - threshold array[number]
    The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.
  - thresholdComparator string
    The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between". Values are >, >=, <, <=, between, or notBetween.
  - timeField string
    The field that is used to calculate the time window.
  - timeWindowSize integer
    The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
  - timeWindowUnit string
    The type of units for the time window: seconds, minutes, hours, or days. Values are s, m, h, or d.
- rule_type_id string
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is .index-threshold.
- schedule object
  The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
  - interval string
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
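The constraints stated above for the action frequency object (rule-level notify_when/throttle versus action-level frequency) and for the .es-query and .index-threshold params (aggField with aggType, termSize with groupBy top, boundary values for between/notBetween, the fixed ">" and [0] for ES|QL) can be checked client-side before a body is sent. The following is an added example, not Kibana's own code; the index pattern, connector id and action group name in the sample bodies are constructed placeholders.

```python
"""Client-side checks for a Kibana 'Create rule' request body (added example, not
Kibana's own code), encoding the constraints the reference states for the shared
action frequency object and for the .es-query / .index-threshold params."""
import re

DURATION_RE = re.compile(r"^[1-9]\d*[smhd]$")  # e.g. 30s, 5m, 1h, 1d
NOTIFY_WHEN = {"onActionGroupChange", "onActiveAlert", "onThrottleInterval"}
COMPARATORS = {">", ">=", "<", "<=", "between", "notBetween"}
AGG_NEEDS_FIELD = {"avg", "max", "min", "sum"}  # count is the default and needs no aggField

class RuleBodyError(ValueError):
    """The body violates a constraint documented for the Create rule API."""

def _duration(value, where):
    # schedule.interval and throttle are durations in seconds, minutes, hours or days
    if not isinstance(value, str) or not DURATION_RE.match(value):
        raise RuleBodyError(f"{where} must look like '5m', got {value!r}")

def check_actions(body):
    """Rule-level notify_when/throttle are deprecated and exclusive with action frequency."""
    rule_level = sorted(k for k in ("notify_when", "throttle") if body.get(k) is not None)
    for n, action in enumerate(body.get("actions") or []):
        missing = [k for k in ("group", "id", "params") if k not in action]
        if missing:
            raise RuleBodyError(f"actions[{n}] is missing {missing}")
        freq = action.get("frequency")
        if freq is None:
            continue
        if rule_level:
            raise RuleBodyError(f"actions[{n}].frequency conflicts with rule-level {rule_level}")
        if freq.get("notify_when") not in NOTIFY_WHEN:
            raise RuleBodyError(f"actions[{n}].frequency.notify_when must be one of {sorted(NOTIFY_WHEN)}")
        if freq["notify_when"] == "onThrottleInterval":  # throttle only applies here
            _duration(freq.get("throttle"), f"actions[{n}].frequency.throttle")

def check_query_params(params, is_es_query):
    """Constraints shared by .es-query and .index-threshold, plus the ES|QL-only rules."""
    agg = params.get("aggType", "count")
    if agg in AGG_NEEDS_FIELD and not params.get("aggField"):
        raise RuleBodyError(f"aggField is required when aggType is {agg!r}")
    if params.get("groupBy", "all") == "top" and not params.get("termSize"):
        raise RuleBodyError("termSize is required when groupBy is 'top'")
    if params.get("timeWindowUnit") not in {"s", "m", "h", "d"}:
        raise RuleBodyError("timeWindowUnit must be s, m, h or d")
    comparator, threshold = params.get("thresholdComparator"), params.get("threshold")
    if comparator not in COMPARATORS or not isinstance(threshold, list):
        raise RuleBodyError("thresholdComparator and a threshold list are required")
    if comparator in ("between", "notBetween") and len(threshold) != 2:
        raise RuleBodyError(f"{comparator} needs two boundary values, got {threshold}")
    if is_es_query and params.get("searchType") == "esqlQuery":
        # The ES|QL query applies the condition itself: any returned row is an alert,
        # so the reference fixes the comparator to ">" and the threshold to [0].
        if comparator != ">" or threshold != [0] or "size" not in params:
            raise RuleBodyError("ES|QL rules need thresholdComparator '>', threshold [0] and size")

def validate_rule(body):
    """Raise RuleBodyError on the first violation; return the body unchanged otherwise."""
    missing = [k for k in ("name", "consumer", "rule_type_id", "schedule", "params") if k not in body]
    if missing:
        raise RuleBodyError(f"missing required properties {missing}")
    _duration(body["schedule"].get("interval"), "schedule.interval")
    check_actions(body)
    if body["rule_type_id"] in (".es-query", ".index-threshold"):
        check_query_params(body["params"], body["rule_type_id"] == ".es-query")
    return body

def why_rejected(body):
    """Return the rejection reason, or '' when the body passes every check."""
    try:
        validate_rule(body)
    except RuleBodyError as err:
        return str(err)
    return ""

# Constructed sample: an index threshold rule using the recommended action-level frequency.
# The index pattern, connector id and action group name are placeholders, not real values.
SAMPLE_INDEX_THRESHOLD = {
    "name": "failed logins per host", "consumer": "alerts",
    "rule_type_id": ".index-threshold", "schedule": {"interval": "1m"},
    "params": {
        "index": ["auth-logs-*"], "timeField": "@timestamp", "aggType": "count",
        "groupBy": "top", "termField": "host.name", "termSize": 10,
        "thresholdComparator": ">", "threshold": [20],
        "timeWindowSize": 5, "timeWindowUnit": "m",
    },
    "actions": [{
        "group": "threshold met", "id": "<connector-id-placeholder>",
        "params": {"message": "{{context.message}}"},
        "frequency": {"notify_when": "onThrottleInterval", "summary": False, "throttle": "10m"},
    }],
}

# Constructed sample: the ES|QL variant of .es-query, where the query carries the condition.
SAMPLE_ESQL = {
    "name": "esql failed logins", "consumer": "alerts", "rule_type_id": ".es-query",
    "schedule": {"interval": "5m"}, "actions": [],
    "params": {
        "searchType": "esqlQuery", "size": 0, "timeField": "@timestamp",
        "esqlQuery": {"esql": 'FROM auth-logs-* | WHERE event.outcome == "failure" | STATS n = COUNT(*) BY host.name | WHERE n > 20'},
        "thresholdComparator": ">", "threshold": [0], "timeWindowSize": 5, "timeWindowUnit": "m",
    },
}
```

Running why_rejected on a body that sets notify_when at the rule level while an action carries a frequency object reproduces the conflict the NOTE above describes, before Kibana ever sees the request.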
A rule that sends notifications when a metric has reached or exceeded a value for a specific resource or a group of resources within your infrastructure.
- actions array[object] | null
  Default value is [] (empty). Each element is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
      - timezone string
        The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight saving time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string
      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
    - summary boolean
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  - id string
    The identifier for the connector saved object.
  - params object
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- alert_delay object
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  - active number
    The number of consecutive runs that must meet the rule conditions.
- consumer string
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object
  - alertOnNoData boolean
  - criteria array[object]
    - comparator string
      Values are <, <=, >, >=, between, or outside.
    - customMetric object
      - aggregation string
        Values are avg, max, min, or rate.
      - field string
      - id string
      - label string
      - type string
        Value is custom.
    - metric string
      Values are count, cpu, diskLatency, load, memory, memoryTotal, tx, rx, logRate, diskIOReadBytes, diskIOWriteBytes, s3TotalRequests, s3NumberOfObjects, s3BucketSize, s3DownloadBytes, s3UploadBytes, rdsConnections, rdsQueriesExecuted, rdsActiveTransactions, rdsLatency, sqsMessagesVisible, sqsMessagesDelayed, sqsMessagesSent, sqsMessagesEmpty, sqsOldestMessage, or custom.
    - sourceId string
    - threshold array[number]
    - timeSize number
    - timeUnit string
      Values are s, m, h, or d.
    - warningComparator string
      Values are <, <=, >, >=, between, or outside.
    - warningThreshold array[number]
  - filterQuery string
  - filterQueryText string
  - nodeType string
    Values are host, pod, container, awsEC2, awsS3, awsSQS, or awsRDS.
  - sourceId string
- rule_type_id string
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is metrics.alert.inventory.threshold.
- schedule object
  The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
  - interval string
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- actions array[object] | null
  Default value is [] (empty). Each element is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
      - timezone string
        The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight saving time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string
      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
    - summary boolean
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  - id string
    The identifier for the connector saved object.
  - params object
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- alert_delay object
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  - active number
    The number of consecutive runs that must meet the rule conditions.
- consumer string
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object
  The parameters for an infrastructure anomaly rule.
- rule_type_id string
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is metrics.alert.anomaly.
- schedule object
  The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
  - interval string
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that sends notifications when a metric has reached or exceeded a value for a specific time period.
- actions array[object] | null
  Default value is [] (empty). Each element is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
      - timezone string
        The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight saving time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string
      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
    - summary boolean
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  - id string
    The identifier for the connector saved object.
  - params object
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- alert_delay object
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  - active number
    The number of consecutive runs that must meet the rule conditions.
- consumer string
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object
  - alertOnGroupDisappear boolean
  - alertOnNoData boolean
  - criteria array[object]
    One of:
    - aggType string
      Values are avg, max, min, cardinality, rate, count, sum, p95, p99, or custom.
    - comparator string
      Values are <, <=, >, >=, between, or outside.
    - metric string
    - threshold array[number]
    - timeSize number
    - timeUnit string
    - warningComparator string
      Values are <, <=, >, >=, between, or outside.
    - warningThreshold array[number]
    Or:
    - aggType string
      Value is count.
    - comparator string
      Values are <, <=, >, >=, between, or outside.
    - threshold array[number]
    - timeSize number
    - timeUnit string
    - warningComparator string
      Values are <, <=, >, >=, between, or outside.
    - warningThreshold array[number]
    Or:
    - aggType string
      Value is custom.
    - comparator string
      Values are <, <=, >, >=, between, or outside.
    - customMetric array[object]
    - equation string
    - label string
    - threshold array[number]
    - timeSize number
    - timeUnit string
    - warningComparator string
      Values are <, <=, >, >=, between, or outside.
    - warningThreshold array[number]
  - filterQuery string
  - groupBy string | array[string]
  - sourceId string
- rule_type_id string
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is metrics.alert.threshold.
- schedule object
  The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
  - interval string
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency
object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
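The following is an added example, not Kibana's own code: it builds a create-rule request body for the metric threshold rule type described above and lints it against the constraints this reference states for actions and their frequency, which apply in the same way to the inventory threshold rule earlier on this page. The connector identifier, the metric field name, the action group name and the Mustache context variable are assumptions, and the helper names build_rule and lint_rule are this example's own.

```python
"""Build and lint a Kibana create-rule body (added example, not Kibana's own code).

It checks the constraints the reference above states for the metric threshold
rule and its actions: no notify_when/throttle at both rule and action level, an
action throttle only with notify_when onThrottleInterval, and documented values
for comparators, aggregation types, time units and timeframe days/hours.
The helper names build_rule and lint_rule are this example's own.
"""
import re
from typing import Any

COMPARATORS = {"<", "<=", ">", ">=", "between", "outside"}
AGG_TYPES = {"avg", "max", "min", "cardinality", "rate", "count", "sum", "p95", "p99", "custom"}
TIME_UNITS = {"s", "m", "h", "d"}
NOTIFY_WHEN = {"onActionGroupChange", "onActiveAlert", "onThrottleInterval"}
INTERVAL_RE = re.compile(r"^[1-9]\d*[smhd]$")  # e.g. 30s, 5m, 1h, 1d
HOUR_RE = re.compile(r"^(?:[01]\d|2[0-3]):[0-5]\d$|^24:00$")  # HH:MM; 24:00 ends the day


def build_rule(name: str, connector_id: str, filter_query: str, cpu_pct: float) -> dict[str, Any]:
    """Request body for POST /api/alerting/rule/{id}; every value is constructed sample input."""
    return {
        "name": name,
        "consumer": "infrastructure",
        "rule_type_id": "metrics.alert.threshold",
        "enabled": True,
        "tags": ["example"],
        "schedule": {"interval": "1m"},
        "alert_delay": {"active": 3},  # alert only after 3 consecutive matching runs
        "params": {
            "criteria": [{"aggType": "avg", "comparator": ">", "threshold": [cpu_pct],
                          "metric": "system.cpu.total.norm.pct",  # assumed Metricbeat field
                          "timeSize": 5, "timeUnit": "m"}],
            "filterQuery": filter_query,
            "groupBy": ["host.name"],
            "alertOnNoData": True,
            "alertOnGroupDisappear": True,
        },
        "actions": [{
            "group": "metrics.threshold.fired",  # assumed group id; check the rule type's list
            "id": connector_id,  # connector saved-object id, supplied by the caller
            "params": {"message": "{{context.reason}}"},  # Mustache template; variable assumed
            # At most one notification per hour while active; nothing is set at rule level.
            "frequency": {"notify_when": "onThrottleInterval", "throttle": "1h", "summary": False},
            # Run only Monday to Friday, 08:00 to 18:00, in the given time zone.
            "alerts_filter": {"timeframe": {"days": [1, 2, 3, 4, 5],
                                            "hours": {"start": "08:00", "end": "18:00"},
                                            "timezone": "Europe/Berlin"}},
        }],
    }


def lint_rule(rule: dict[str, Any]) -> list[str]:
    """Return the documented constraints the body violates (an empty list means it passes)."""
    problems: list[str] = []
    if not INTERVAL_RE.match(str(rule.get("schedule", {}).get("interval", ""))):
        problems.append("schedule.interval must be a number followed by s, m, h or d")
    rule_level = sorted(k for k in ("notify_when", "throttle") if rule.get(k) is not None)
    for i, crit in enumerate(rule.get("params", {}).get("criteria", [])):
        if crit.get("aggType") not in AGG_TYPES:
            problems.append(f"criteria[{i}].aggType is not a documented aggregation type")
        if crit.get("comparator") not in COMPARATORS:
            problems.append(f"criteria[{i}].comparator is not a documented comparator")
        if crit.get("timeUnit") not in TIME_UNITS:
            problems.append(f"criteria[{i}].timeUnit must be s, m, h or d")
    for i, action in enumerate(rule.get("actions") or []):
        freq = action.get("frequency") or {}
        if freq and rule_level:
            problems.append(f"actions[{i}].frequency conflicts with rule-level {rule_level}")
        notify_when, throttle = freq.get("notify_when"), freq.get("throttle")
        if notify_when is not None and notify_when not in NOTIFY_WHEN:
            problems.append(f"actions[{i}].frequency.notify_when has an undocumented value")
        if throttle is not None and notify_when != "onThrottleInterval":
            problems.append(f"actions[{i}].frequency.throttle only applies with onThrottleInterval")
        if throttle is not None and not INTERVAL_RE.match(str(throttle)):
            problems.append(f"actions[{i}].frequency.throttle must be a number followed by s, m, h or d")
        timeframe = (action.get("alerts_filter") or {}).get("timeframe") or {}
        if any(not 1 <= day <= 7 for day in timeframe.get("days", [])):
            problems.append(f"actions[{i}].alerts_filter.timeframe.days must use 1 (Monday) to 7")
        hours = timeframe.get("hours") or {}
        for edge in ("start", "end"):
            if edge in hours and not HOUR_RE.match(str(hours[edge])):
                problems.append(f"actions[{i}].alerts_filter.timeframe.hours.{edge} must be HH:MM")
    return problems


if __name__ == "__main__":
    body = build_rule("cpu-high", "<connector-id>", 'host.name: "web-*"', 0.9)
    print(lint_rule(body) or "body passes the documented constraints")
```

Run the lint before sending the body with the kbn-xsrf header, so a rejected combination such as a rule-level throttle next to per-action frequency settings is caught locally rather than by the API.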
A rule that detects when a node reports high memory usage.
- actions array[object] | null
  Default value is [] (empty). Each element is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
      - timezone string
        The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight saving time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string
      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
    - summary boolean
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  - id string
    The identifier for the connector saved object.
  - params object
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- consumer string
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object
  The parameters for a JVM memory usage rule.
- rule_type_id string
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is monitoring_alert_jvm_memory_usage.
- schedule object
  The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
  - interval string
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that detects when a log aggregation exceeds a threshold.
- actions array[object] | null
  Default value is [] (empty). Each element is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
      - timezone string
        The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight saving time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string
      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
    - summary boolean
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  - id string
    The identifier for the connector saved object.
  - params object
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- alert_delay object
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  - active number
    The number of consecutive runs that must meet the rule conditions.
- consumer string
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  One of:
  - count object
    - comparator string
      Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.
    - value number
  - criteria array[object]
    - comparator string
      Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.
    - field string
    - value number | string
  - groupBy array[string]
  - timeUnit string
    Values are s, m, h, or d.
  Or:
  - count object
    - comparator string
      Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.
    - value number
  - criteria array[array]
    - comparator string
      Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.
    - field string
    - value number | string
  - groupBy array[string]
  - timeUnit string
    Values are s, m, h, or d.
- rule_type_id string
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is logs.alert.document.count.
- schedule object
  The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
  - interval string
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that detects cross-cluster replication (CCR) read exceptions.
- actions array[object] | null
  Default value is [] (empty). Each element is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
      - timezone string
        The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight saving time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string
      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
    - summary boolean
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  - id string
    The identifier for the connector saved object.
  - params object
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- consumer string
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object
  The parameters for a CCR read exceptions rule.
- rule_type_id string
  The ID of the rule type that you want to call when the rule is scheduled to run.
Value is
monitoring_ccr_read_exceptions
. -
The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
Hide schedule attribute Show schedule attribute object
-
interval string
-
-
tags array[string]
The tags for the rule.
Default value is
[]
(empty). -
Deprecated in 8.13.0. Use the
throttle
property in the actionfrequency
object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
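The alerts_filter.timeframe semantics above (weekday numbers with 1 = Monday, an empty days array meaning every day, 00:00 to 24:00 meaning all day, and a zone name with daylight saving rules rather than a fixed offset such as UTC+1) are easy to get wrong when a notification window is meant to match an on-call schedule. The Python below is an added illustration of those documented semantics, not Kibana's own evaluation code. The sample timeframes are constructed, and the assumptions are marked in the code: days run 1 to 7, hours.end is exclusive with 24:00 meaning the end of the day, and a window whose end is not after its start is rejected.

```python
"""Decide whether an action constrained by alerts_filter.timeframe may run at an instant.

Added illustration of the documented timeframe semantics; not Kibana's own code.
Assumptions (marked below): days use 1 = Monday .. 7 = Sunday; hours.end is
exclusive, with 24:00 meaning end of day; an end not after its start is rejected.
"""
from datetime import datetime
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed samples: weekdays 09:00-17:00 in a zone that observes DST, and all day in UTC.
BUSINESS_HOURS_LONDON = {
    "days": [1, 2, 3, 4, 5],
    "hours": {"start": "09:00", "end": "17:00"},
    "timezone": "Europe/London",
}
ALL_DAY_UTC = {"days": [], "hours": {"start": "00:00", "end": "24:00"}, "timezone": "UTC"}


def _minutes(hhmm: str) -> int:
    """'HH:MM' -> minutes since midnight; '24:00' (1440) is allowed as an end time."""
    h, m = (int(x) for x in hhmm.split(":"))
    if not (0 <= m < 60 and 0 <= h <= 24) or (h == 24 and m != 0):
        raise ValueError(f"bad time of day {hhmm!r}")
    return h * 60 + m


def timeframe_problems(tf: dict) -> list:
    """List the documented constraints a timeframe violates (empty list == valid)."""
    out = []
    days = tf.get("days", [])
    if any(not isinstance(d, int) or not 1 <= d <= 7 for d in days):
        out.append("days must be integers 1 (Monday) .. 7 (Sunday)")  # assumed range
    try:
        start, end = _minutes(tf["hours"]["start"]), _minutes(tf["hours"]["end"])
        if end <= start:
            out.append("hours.end must be after hours.start")  # assumption
    except (KeyError, ValueError) as exc:
        out.append(f"hours: {exc}")
    tz = str(tf.get("timezone", ""))
    # The page recommends zone names with DST rules over fixed offsets such as UTC+1.
    if tz.upper().startswith("UTC") and tz.upper() != "UTC":
        out.append("fixed offsets such as UTC+1 carry no DST rules; use an IANA zone name")
    else:
        try:
            ZoneInfo(tz)
        except (ZoneInfoNotFoundError, ValueError):
            out.append(f"unknown time zone {tz!r}")
    return out


def action_allowed_at(tf: dict, when) -> bool:
    """True if the action may run at `when` (tz-aware datetime or ISO-8601 string with offset)."""
    found = timeframe_problems(tf)
    if found:
        raise ValueError("; ".join(found))
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        raise ValueError("when must carry a UTC offset")
    local = when.astimezone(ZoneInfo(tf["timezone"]))  # DST is handled by the zone rules
    days = tf.get("days", [])
    if days and local.isoweekday() not in days:        # empty list == every day
        return False
    now = local.hour * 60 + local.minute
    return _minutes(tf["hours"]["start"]) <= now < _minutes(tf["hours"]["end"])


if __name__ == "__main__":
    for stamp in ("2024-07-15T08:30:00+00:00", "2024-01-15T08:30:00+00:00"):
        print(stamp, "->", action_allowed_at(BUSINESS_HOURS_LONDON, stamp))
```

The two timestamps in the main block are the same UTC wall-clock time on a Monday; only the July one falls inside the window, because Europe/London is on BST then. A fixed-offset zone such as UTC+1 cannot express that shift, which is why the page steers you away from it.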
A rule that detects when the health of the cluster changes.
- actions array[object] | null
  Default value is [] (empty). Each item is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run, as start and end values. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
      - timezone string
        The ISO time zone for the hours values (for example, Europe/London). Values such as UTC and UTC+1 also work but have no built-in daylight saving time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string Required
      Indicates how often alerts generate actions. Valid values:
      onActionGroupChange: actions run when the alert status changes.
      onActiveAlert: actions run when the alert becomes active and at each check interval while the rule conditions are met.
      onThrottleInterval: actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met.
      NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values.
    - summary boolean Required
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and applies only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string Required
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set it to default.
  - id string Required
    The identifier for the connector saved object.
  - params object Required
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- consumer string Required
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string Required
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string | null
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  The parameters for a cluster health rule.
- rule_type_id string Required
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is monitoring_alert_cluster_health.
- schedule object Required
  The check interval, which specifies how frequently the rule conditions are checked.
  - interval string Required
    The interval is specified in seconds, minutes, hours, or days.
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values.
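Putting the rule-level fields together: a request body combines the top-level properties (consumer, name, rule_type_id, schedule, params) with an actions array whose frequency is set per action, and the two NOTEs above mean a body that sets notify_when or throttle at the rule level as well as inside an action's frequency is invalid. The Python below is an added example, not Kibana's or Elastic's code: it builds a body for the cluster health rule type documented above, checks it against the constraints this page states, and prepares the HTTP request without sending it. The endpoint path POST /api/alerting/rule/{id}, the kbn-xsrf header, the ApiKey authorization scheme, the "<number><s|m|h|d>" interval syntax and the Mustache variable names in the sample action are assumptions, and the connector and rule identifiers are constructed values.

```python
"""Build and check a create-rule request body for a Stack Monitoring rule type.

Added example, not Kibana's or Elastic's code. It enforces the constraints the page
states before anything is sent. Assumptions (marked below): endpoint path, kbn-xsrf
header, ApiKey authorization, "<n><s|m|h|d>" interval syntax, Mustache variable names.
"""
import json
import re
import urllib.request
import uuid

NOTIFY_WHEN = {"onActionGroupChange", "onActiveAlert", "onThrottleInterval"}
CONSUMERS = {"alerts", "apm", "discover", "infrastructure", "logs", "metrics", "ml",
             "monitoring", "securitySolution", "siem", "stackAlerts", "uptime"}
MONITORING_RULE_TYPES = {            # rule_type_id values documented on this page
    "monitoring_ccr_read_exceptions", "monitoring_alert_cluster_health",
    "monitoring_alert_cpu_usage", "monitoring_alert_disk_usage",
    "monitoring_alert_elasticsearch_version_mismatch",
    "monitoring_alert_license_expiration",
}
INTERVAL_RE = re.compile(r"^[1-9][0-9]*[smhd]$")   # assumed exact syntax, e.g. "5m"

# Constructed sample identifiers; they do not refer to real saved objects.
SAMPLE_CONNECTOR_ID = "3a4d9b12-7c5e-4d0a-9e8f-1b2c3d4e5f60"
SAMPLE_RULE_ID = "9f1c2b34-5d6e-4f70-8a9b-0c1d2e3f4a5b"   # a v4 UUID


def action(connector_id, group, params, notify_when, summary=False, throttle=None):
    """One actions[] entry, with frequency set per action as the page recommends."""
    frequency = {"notify_when": notify_when, "summary": summary, "throttle": throttle}
    return {"group": group, "id": connector_id, "params": params, "frequency": frequency}


def example_body():
    """Cluster health rule with one throttled per-alert action. params stays empty
    because this page does not document the rule type's own parameters."""
    return {
        "name": "Cluster health (example)",
        "consumer": "monitoring",
        "rule_type_id": "monitoring_alert_cluster_health",
        "schedule": {"interval": "1m"},
        "enabled": True,
        "tags": ["example"],
        "params": {},
        "actions": [action(
            SAMPLE_CONNECTOR_ID, "default",
            # Mustache template; rule.name and alert.id are assumed context names.
            {"message": "Rule {{rule.name}} fired for alert {{alert.id}}"},
            notify_when="onThrottleInterval", throttle="1h")],
    }


def problems(body, rule_id=None):
    """Return the documented constraints the body violates (empty list == OK)."""
    out = []
    if rule_id is not None:
        try:
            if uuid.UUID(rule_id).version not in (1, 4):
                out.append("rule id must be a UUID v1 or v4")
        except ValueError:
            out.append("rule id is not a UUID")
    if body.get("consumer") not in CONSUMERS:
        out.append("unknown consumer")
    if body.get("rule_type_id") not in MONITORING_RULE_TYPES:
        out.append("rule_type_id is not a monitoring rule type documented here")
    if not INTERVAL_RE.match(str(body.get("schedule", {}).get("interval", ""))):
        out.append("schedule.interval must look like 30s, 5m, 1h or 1d")
    rule_level = any(body.get(k) is not None for k in ("notify_when", "throttle"))
    for i, a in enumerate(body.get("actions") or []):
        if not a.get("group") or not a.get("id"):
            out.append(f"action {i}: group and id are required")
        f = a.get("frequency")
        if f is None:
            continue
        if rule_level:   # the page's NOTE: not at both the rule and the action level
            out.append(f"action {i}: frequency conflicts with rule-level notify_when/throttle")
        if f.get("notify_when") not in NOTIFY_WHEN:
            out.append(f"action {i}: bad notify_when")
        if f.get("throttle") is not None and f.get("notify_when") != "onThrottleInterval":
            out.append(f"action {i}: throttle applies only with onThrottleInterval")
        elif f.get("notify_when") == "onThrottleInterval" and not INTERVAL_RE.match(str(f.get("throttle"))):
            out.append(f"action {i}: onThrottleInterval needs a valid throttle interval")
    return out


def create_rule_request(kibana_url, api_key, body, rule_id=None):
    """Prepare, but do not send, the request. Path and headers are assumptions."""
    found = problems(body, rule_id)
    if found:
        raise ValueError("; ".join(found))
    path = "/api/alerting/rule" + (f"/{rule_id}" if rule_id else "")
    return urllib.request.Request(
        kibana_url.rstrip("/") + path, method="POST",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json", "kbn-xsrf": "true",
                 "Authorization": f"ApiKey {api_key}"})


def request_payload(req):
    """Decode the JSON body of a prepared request."""
    return json.loads(req.data.decode("utf-8"))


if __name__ == "__main__":
    req = create_rule_request("https://kibana.example.internal:5601", "<api key>",
                              example_body(), SAMPLE_RULE_ID)
    print(req.get_method(), req.full_url)
    print(json.dumps(request_payload(req), indent=2))
```

Because action params are rendered as Mustache templates with alert context, the text that reaches a connector can carry data taken from the monitored signals; keep templates to fields the connector treats as plain text and treat the rendered output as untrusted on the receiving side. The request is only prepared here; sending it with urllib.request.urlopen needs network access and a real API key.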
A rule that detects when the CPU load for a node is consistently high.
- actions array[object] | null
  Default value is [] (empty). Each item is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run, as start and end values. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
      - timezone string
        The ISO time zone for the hours values (for example, Europe/London). Values such as UTC and UTC+1 also work but have no built-in daylight saving time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string Required
      Indicates how often alerts generate actions. Valid values:
      onActionGroupChange: actions run when the alert status changes.
      onActiveAlert: actions run when the alert becomes active and at each check interval while the rule conditions are met.
      onThrottleInterval: actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met.
      NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values.
    - summary boolean Required
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and applies only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string Required
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set it to default.
  - id string Required
    The identifier for the connector saved object.
  - params object Required
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- consumer string Required
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string Required
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string | null
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  The parameters for a CPU usage rule.
- rule_type_id string Required
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is monitoring_alert_cpu_usage.
- schedule object Required
  The check interval, which specifies how frequently the rule conditions are checked.
  - interval string Required
    The interval is specified in seconds, minutes, hours, or days.
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that detects when the disk usage for a node is consistently high.
- actions array[object] | null
  Default value is [] (empty). Each item is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run, as start and end values. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
      - timezone string
        The ISO time zone for the hours values (for example, Europe/London). Values such as UTC and UTC+1 also work but have no built-in daylight saving time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string Required
      Indicates how often alerts generate actions. Valid values:
      onActionGroupChange: actions run when the alert status changes.
      onActiveAlert: actions run when the alert becomes active and at each check interval while the rule conditions are met.
      onThrottleInterval: actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met.
      NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values.
    - summary boolean Required
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and applies only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string Required
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set it to default.
  - id string Required
    The identifier for the connector saved object.
  - params object Required
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- consumer string Required
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string Required
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string | null
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  The parameters for a disk usage rule.
- rule_type_id string Required
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is monitoring_alert_disk_usage.
- schedule object Required
  The check interval, which specifies how frequently the rule conditions are checked.
  - interval string Required
    The interval is specified in seconds, minutes, hours, or days.
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that detects when the cluster has multiple versions of Elasticsearch.
- actions array[object] | null
  Default value is [] (empty). Each item is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run, as start and end values. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
      - timezone string
        The ISO time zone for the hours values (for example, Europe/London). Values such as UTC and UTC+1 also work but have no built-in daylight saving time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string Required
      Indicates how often alerts generate actions. Valid values:
      onActionGroupChange: actions run when the alert status changes.
      onActiveAlert: actions run when the alert becomes active and at each check interval while the rule conditions are met.
      onThrottleInterval: actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met.
      NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values.
    - summary boolean Required
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and applies only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string Required
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set it to default.
  - id string Required
    The identifier for the connector saved object.
  - params object Required
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- consumer string Required
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string Required
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string | null
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  The parameters for an Elasticsearch version mismatch rule.
- rule_type_id string Required
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is monitoring_alert_elasticsearch_version_mismatch.
- schedule object Required
  The check interval, which specifies how frequently the rule conditions are checked.
  - interval string Required
    The interval is specified in seconds, minutes, hours, or days.
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that detects when the cluster license is about to expire.
- actions array[object] | null
  Default value is [] (empty). Each item is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run, as start and end values. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
      - timezone string
        The ISO time zone for the hours values (for example, Europe/London). Values such as UTC and UTC+1 also work but have no built-in daylight saving time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string Required
      Indicates how often alerts generate actions. Valid values:
      onActionGroupChange: actions run when the alert status changes.
      onActiveAlert: actions run when the alert becomes active and at each check interval while the rule conditions are met.
      onThrottleInterval: actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met.
      NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values.
    - summary boolean Required
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and applies only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string Required
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set it to default.
  - id string Required
    The identifier for the connector saved object.
  - params object Required
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- consumer string Required
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string Required
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string | null
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  The parameters for a license expiration rule.
- rule_type_id string Required
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is monitoring_alert_license_expiration.
- schedule object Required
  The check interval, which specifies how frequently the rule conditions are checked.
  - interval string Required
    The interval is specified in seconds, minutes, hours, or days.
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that detects when the cluster has multiple versions of Kibana.
- actions array[object] | null
  Default value is [] (empty). Each item is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run, as start and end values. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
      - timezone string
        The ISO time zone for the hours values (for example, Europe/London). Values such as UTC and UTC+1 also work but have no built-in daylight saving time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string Required
      Indicates how often alerts generate actions. Valid values:
      onActionGroupChange: actions run when the alert status changes.
      onActiveAlert: actions run when the alert becomes active and at each check interval while the rule conditions are met.
      onThrottleInterval: actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met.
      NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values.
    - summary boolean Required
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and applies only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string Required
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set it to default.
  - id string Required
    The identifier for the connector saved object.
  - params object Required
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- consumer string Required
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string Required
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string | null
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level and then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  The parameters for a Kibana version mismatch rule.
- rule_type_id string Required
  The ID of the rule type that you want to call when the rule is scheduled to run.
Value is
monitoring_alert_kibana_version_mismatch
. -
The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
Hide schedule attribute Show schedule attribute object
-
interval string
-
-
tags array[string]
The tags for the rule.
Default value is
[]
(empty). -
Deprecated in 8.13.0. Use the
throttle
property in the actionfrequency
object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that detects when the cluster has multiple versions of Logstash.
- actions array[object] | null
  Default value is [] (empty). Each element is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions are generated all day.
      - timezone string
        The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight saving time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string
      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
    - summary boolean
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  - id string
    The identifier for the connector saved object.
  - params object
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- consumer string
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string | null
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object
  The parameters for a Logstash version mismatch rule.
- rule_type_id string
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is monitoring_alert_logstash_version_mismatch.
- schedule object
  The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
  - interval string
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that detects when monitoring data is missing.
- actions array[object] | null
  Default value is [] (empty). Each element is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions are generated all day.
      - timezone string
        The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight saving time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string
      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
    - summary boolean
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  - id string
    The identifier for the connector saved object.
  - params object
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- consumer string
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string | null
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object
  The parameters for a missing monitoring data rule.
- rule_type_id string
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is monitoring_alert_missing_monitoring_data.
- schedule object
  The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
  - interval string
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that detects when nodes are added, removed, or restarted.
- actions array[object] | null
  Default value is [] (empty). Each element is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions are generated all day.
      - timezone string
        The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight saving time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string
      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
    - summary boolean
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  - id string
    The identifier for the connector saved object.
  - params object
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- consumer string
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string | null
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object
  The parameters for a nodes changed rule.
- rule_type_id string
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is monitoring_alert_nodes_changed.
- schedule object
  The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
  - interval string
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that detects when the average shard size is larger than a threshold.
- actions array[object] | null
  Default value is [] (empty). Each element is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions are generated all day.
      - timezone string
        The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight saving time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string
      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
    - summary boolean
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  - id string
    The identifier for the connector saved object.
  - params object
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- consumer string
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string | null
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object
  The parameters for a shard size rule.
- rule_type_id string
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is monitoring_shard_size.
- schedule object
  The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
  - interval string
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that detects when the number of rejections in the thread pool exceeds a threshold.
- actions array[object] | null
  Default value is [] (empty). Each element is an action that runs under defined conditions.
  - alerts_filter object
    Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
    - query object
      Defines a query filter that determines whether the action runs.
    - timeframe object
      Defines a period that limits whether the action runs.
      - days array[integer]
        Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
      - hours object
        Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions are generated all day.
      - timezone string
        The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight saving time support and are not recommended.
  - frequency object
    The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
    - notify_when string
      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
    - summary boolean
      Indicates whether the action is a summary.
    - throttle string | null
      The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  - group string
    The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  - id string
    The identifier for the connector saved object.
  - params object
    The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  - uuid string
    A universally unique identifier (UUID) for the action.
- consumer string
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- enabled boolean
  Indicates whether you want to run the rule on an interval basis after it is created.
- name string
  The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
- notify_when string | null
  Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object
  The parameters for a thread pool search rejections rule.
- rule_type_id string
  The ID of the rule type that you want to call when the rule is scheduled to run. Value is monitoring_alert_thread_pool_search_rejections.
- schedule object
  The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
  - interval string
- tags array[string]
  The tags for the rule. Default value is [] (empty).
- throttle string | null
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that detects when the number of rejections in the write thread pool exceeds a threshold.
-
actions array[object] | null
Default value is
[]
(empty).Hide actions attributes Show actions attributes object
An action that runs under defined conditions.
-
alerts_filter object
Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
Hide alerts_filter attributes Show alerts_filter attributes object
-
query object
Defines a query filter that determines whether the action runs.
Hide query attributes Show query attributes object
-
timeframe object
Defines a period that limits whether the action runs.
Hide timeframe attributes Show timeframe attributes object
-
days array[integer]
Defines the days of the week that the action can run, represented as an array of numbers. For example,
1
represents Monday. An empty array is equivalent to specifying all the days of the week. -
hours object
Defines the range of time in a day that the action can run. If the
start
value is00:00
and theend
value is24:00
, actions be generated all day. -
timezone string
The ISO time zone for the
hours
values. Values such asUTC
andUTC+1
also work but lack built-in daylight savings time support and are not recommended.
-
-
-
frequency object
The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
-
notify_when string
Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
summary boolean
Indicates whether the action is a summary.
-
throttle string | null
The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
group string
The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
-
id string
The identifier for the connector saved object.
-
params object
The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
-
uuid string
A universally unique identifier (UUID) for the action.
-
consumer string
The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
-
enabled boolean
Indicates whether you want to run the rule on an interval basis after it is created.
-
name string
The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when string | null
Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
params object
The parameters for a thread pool write rejections rule.
-
rule_type_id string
The ID of the rule type that you want to call when the rule is scheduled to run. Value is monitoring_alert_thread_pool_write_rejections.
-
schedule object
The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
-
interval string
-
tags array[string]
The tags for the rule.
Default value is [] (empty).
-
throttle string | null
Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that uses Event Query Language (EQL) to match events, generate sequences, and stack data.
-
actions array[object] | null
Default value is [] (empty).
An action that runs under defined conditions.
-
alerts_filter object
Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
-
query object
Defines a query filter that determines whether the action runs.
-
timeframe object
Defines a period that limits whether the action runs.
-
days array[integer]
Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
-
hours object
Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
-
timezone string
The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
-
frequency object
The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
-
notify_when string
Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
summary boolean
Indicates whether the action is a summary.
-
throttle string | null
The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
group string
The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
-
id string
The identifier for the connector saved object.
-
params object
The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
-
uuid string
A universally unique identifier (UUID) for the action.
-
consumer string
The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
-
enabled boolean
Indicates whether you want to run the rule on an interval basis after it is created.
-
name string
The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when string | null
Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
params object
The parameters for an event correlation rule.
-
rule_type_id string
The ID of the rule type that you want to call when the rule is scheduled to run. Value is siem.eqlRule.
-
schedule object
The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
-
interval string
-
tags array[string]
The tags for the rule.
Default value is [] (empty).
-
throttle string | null
Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that uses indicators from intelligence sources to detect matching events and alerts.
-
actions array[object] | null
Default value is [] (empty).
An action that runs under defined conditions.
-
alerts_filter object
Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
-
query object
Defines a query filter that determines whether the action runs.
-
timeframe object
Defines a period that limits whether the action runs.
-
days array[integer]
Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
-
hours object
Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
-
timezone string
The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
-
frequency object
The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
-
notify_when string
Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
summary boolean
Indicates whether the action is a summary.
-
throttle string | null
The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
group string
The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
-
id string
The identifier for the connector saved object.
-
params object
The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
-
uuid string
A universally unique identifier (UUID) for the action.
-
consumer string
The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
-
enabled boolean
Indicates whether you want to run the rule on an interval basis after it is created.
-
name string
The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when string | null
Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
params object
The parameters for an indicator match rule.
-
rule_type_id string
The ID of the rule type that you want to call when the rule is scheduled to run. Value is siem.indicatorRule.
-
schedule object
The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
-
interval string
-
tags array[string]
The tags for the rule.
Default value is [] (empty).
-
throttle string | null
Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that detects when a machine learning job discovers an anomaly above the defined threshold.
-
actions array[object] | null
Default value is [] (empty).
An action that runs under defined conditions.
-
alerts_filter object
Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
-
query object
Defines a query filter that determines whether the action runs.
-
timeframe object
Defines a period that limits whether the action runs.
-
days array[integer]
Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
-
hours object
Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
-
timezone string
The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
-
frequency object
The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
-
notify_when string
Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
summary boolean
Indicates whether the action is a summary.
-
throttle string | null
The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
group string
The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
-
id string
The identifier for the connector saved object.
-
params object
The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
-
uuid string
A universally unique identifier (UUID) for the action.
-
consumer string
The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
-
enabled boolean
Indicates whether you want to run the rule on an interval basis after it is created.
-
name string
The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when string | null
Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
params object
The parameters for a machine learning rule.
-
rule_type_id string
The ID of the rule type that you want to call when the rule is scheduled to run. Value is siem.mlRule.
-
schedule object
The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
-
interval string
-
tags array[string]
The tags for the rule.
Default value is [] (empty).
-
throttle string | null
Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that finds documents with values that appear for the first time.
-
actions array[object] | null
Default value is [] (empty).
An action that runs under defined conditions.
-
alerts_filter object
Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
-
query object
Defines a query filter that determines whether the action runs.
-
timeframe object
Defines a period that limits whether the action runs.
-
days array[integer]
Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
-
hours object
Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
-
timezone string
The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
-
frequency object
The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
-
notify_when string
Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
summary boolean
Indicates whether the action is a summary.
-
throttle string | null
The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
group string
The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
-
id string
The identifier for the connector saved object.
-
params object
The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
-
uuid string
A universally unique identifier (UUID) for the action.
-
consumer string
The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
-
enabled boolean
Indicates whether you want to run the rule on an interval basis after it is created.
-
name string
The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when string | null
Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
params object
The parameters for a new terms rule.
-
rule_type_id string
The ID of the rule type that you want to call when the rule is scheduled to run. Value is siem.newTermsRule.
-
schedule object
The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
-
interval string
-
tags array[string]
The tags for the rule.
Default value is [] (empty).
-
throttle string | null
Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
actions array[object] | null
Default value is [] (empty).
An action that runs under defined conditions.
-
alerts_filter object
Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
-
query object
Defines a query filter that determines whether the action runs.
-
timeframe object
Defines a period that limits whether the action runs.
-
days array[integer]
Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
-
hours object
Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
-
timezone string
The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
-
frequency object
The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
-
notify_when string
Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
summary boolean
Indicates whether the action is a summary.
-
throttle string | null
The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
group string
The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
-
id string
The identifier for the connector saved object.
-
params object
The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
-
uuid string
A universally unique identifier (UUID) for the action.
-
consumer string
The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
-
enabled boolean
Indicates whether you want to run the rule on an interval basis after it is created.
-
name string
The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when string | null
Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
params object
The parameters for a notification rule.
-
rule_type_id string
The ID of the rule type that you want to call when the rule is scheduled to run. Value is siem.notifications.
-
schedule object
The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
-
interval string
-
tags array[string]
The tags for the rule.
Default value is [] (empty).
-
throttle string | null
Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that uses KQL or Lucene to detect issues across indices.
-
actions array[object] | null
Default value is [] (empty).
An action that runs under defined conditions.
-
alerts_filter object
Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
-
query object
Defines a query filter that determines whether the action runs.
-
timeframe object
Defines a period that limits whether the action runs.
-
days array[integer]
Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
-
hours object
Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
-
timezone string
The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
-
frequency object
The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
-
notify_when string
Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
summary boolean
Indicates whether the action is a summary.
-
throttle string | null
The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
group string
The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
-
id string
The identifier for the connector saved object.
-
params object
The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
-
uuid string
A universally unique identifier (UUID) for the action.
-
consumer string
The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
-
enabled boolean
Indicates whether you want to run the rule on an interval basis after it is created.
-
name string
The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when string | null
Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
params object
The parameters for a custom query rule.
-
rule_type_id string
The ID of the rule type that you want to call when the rule is scheduled to run.
Value is
siem.queryRule
. -
The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
Hide schedule attribute Show schedule attribute object
-
interval string
-
-
tags array[string]
The tags for the rule.
Default value is
[]
(empty). -
Deprecated in 8.13.0. Use the
throttle
property in the actionfrequency
object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that searches the defined indices and creates an alert when a document matches the saved search.
- actions array[object] | null
Default value is [] (empty). Each action has the same attributes as described for the custom query rule above.
- consumer, enabled, name, and notify_when
Same as for the custom query rule above.
- params object
The parameters for a saved query rule.
- rule_type_id string
The ID of the rule type that you want to call when the rule is scheduled to run. Value is siem.savedQueryRule.
- schedule, tags, and throttle
Same as for the custom query rule above.
A rule that aggregates query results to detect when the number of matches exceeds a threshold.
- actions array[object] | null
Default value is [] (empty). Each action has the same attributes as described for the custom query rule above.
- consumer, enabled, name, and notify_when
Same as for the custom query rule above.
- params object
The parameters for a threshold rule.
- rule_type_id string
The ID of the rule type that you want to call when the rule is scheduled to run. Value is siem.thresholdRule.
- schedule, tags, and throttle
Same as for the custom query rule above.
A rule that detects when the burn rate is above a defined threshold for two different lookback periods. The two periods are a long period and a short period that is 1/12th of the long period. For each lookback period, the burn rate is computed as the error rate divided by the error budget. When the burn rates for both periods surpass the threshold, an alert occurs.
- actions array[object] | null
Default value is [] (empty). Each action has the same attributes as described for the custom query rule above.
- alert_delay object
Indicates that an alert occurs only when the specified number of consecutive runs have met the rule conditions.
- alert_delay.active number
The number of consecutive runs that must meet the rule conditions.
- consumer, enabled, name, and notify_when
Same as for the custom query rule above.
- params object
The parameters for the burn rate rule.
- params.burnRateThreshold number
The burn rate threshold used to trigger the alert.
- params.longWindow object
The duration of the long window used to compute the burn rate.
- params.maxBurnRateThreshold number
The maximum burn rate threshold value, defined by the SLO error budget.
- params.shortWindow object
The duration of the short window used to compute the burn rate.
- params.sloId string
The SLO identifier used by the rule.
- rule_type_id string
The ID of the rule type that you want to call when the rule is scheduled to run. Value is slo.rules.burnRate.
- schedule, tags, and throttle
Same as for the custom query rule above.
A rule that detects when a monitor is down or an availability threshold is breached.
- actions array[object] | null
Default value is [] (empty). Each action has the same attributes as described for the custom query rule above.
- alert_delay object
Indicates that an alert occurs only when the specified number of consecutive runs have met the rule conditions.
- alert_delay.active number
The number of consecutive runs that must meet the rule conditions.
- consumer, enabled, name, and notify_when
Same as for the custom query rule above.
- params object
The parameters for the synthetics monitor status rule.
- rule_type_id string
The ID of the rule type that you want to call when the rule is scheduled to run. Value is xpack.synthetics.alerts.monitorStatus.
- schedule, tags, and throttle
Same as for the custom query rule above.
A rule that detects response durations for all of the geographic locations of each monitor. When a monitor runs for an unusual amount of time, at a particular time, an anomaly is recorded.
- actions array[object] | null
Default value is [] (empty). Each action has the same attributes as described for the custom query rule above.
- alert_delay object
Indicates that an alert occurs only when the specified number of consecutive runs have met the rule conditions.
- alert_delay.active number
The number of consecutive runs that must meet the rule conditions.
- consumer, enabled, name, and notify_when
Same as for the custom query rule above.
- params object
The parameters for the uptime duration anomaly rule.
- rule_type_id string
The ID of the rule type that you want to call when the rule is scheduled to run. Value is xpack.uptime.alerts.durationAnomaly.
- schedule, tags, and throttle
Same as for the custom query rule above.
-
actions array[object] | null
Default value is [] (empty).
An action that runs under defined conditions.
-
alerts_filter object
Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
-
query object
Defines a query filter that determines whether the action runs.
-
timeframe object
Defines a period that limits whether the action runs.
-
days array[integer]
Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
-
hours object
Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
-
timezone string
The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
-
-
-
frequency object
The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
-
notify_when string
Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
summary boolean
Indicates whether the action is a summary.
-
throttle string | null
The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
group string
The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
-
id string
The identifier for the connector saved object.
-
params object
The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
-
uuid string
A universally unique identifier (UUID) for the action.
-
-
consumer string
The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
-
enabled boolean
Indicates whether you want to run the rule on an interval basis after it is created.
-
name string
The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when string | null
Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
params object
-
certAgeThreshold number
-
certExpirationThreshold number
-
search string
-
-
rule_type_id string
The ID of the rule type that you want to call when the rule is scheduled to run.
Value is xpack.uptime.alerts.tls.
-
schedule object
The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
-
interval string
-
-
tags array[string]
The tags for the rule.
Default value is [] (empty).
-
throttle string | null
Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that detects when a monitor has a TLS certificate expiring or when it exceeds an age limit.
-
actions array[object] | null
Default value is [] (empty).
An action that runs under defined conditions.
-
alerts_filter object
Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
-
query object
Defines a query filter that determines whether the action runs.
-
timeframe object
Defines a period that limits whether the action runs.
-
days array[integer]
Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
-
hours object
Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
-
timezone string
The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
-
-
-
frequency object
The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
-
notify_when string
Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
summary boolean
Indicates whether the action is a summary.
-
throttle string | null
The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
group string
The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
-
id string
The identifier for the connector saved object.
-
params object
The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
-
uuid string
A universally unique identifier (UUID) for the action.
-
-
alert_delay object
Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
-
active number
The number of consecutive runs that must meet the rule conditions.
-
-
consumer string
The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
-
enabled boolean
Indicates whether you want to run the rule on an interval basis after it is created.
-
name string
The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when string | null
Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
params object
The parameters for a TLS certificate rule.
-
rule_type_id string
The ID of the rule type that you want to call when the rule is scheduled to run.
Value is xpack.uptime.alerts.tlsCertificate.
-
schedule object
The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
-
interval string
-
-
tags array[string]
The tags for the rule.
Default value is [] (empty).
-
throttle string | null
Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that monitors transforms health and alerts if an operational issue occurred.
-
actions array[object] | null
Default value is [] (empty).
An action that runs under defined conditions.
-
alerts_filter object
Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
-
query object
Defines a query filter that determines whether the action runs.
-
timeframe object
Defines a period that limits whether the action runs.
-
days array[integer]
Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
-
hours object
Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
-
timezone string
The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
-
-
-
frequency object
The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
-
notify_when string
Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
summary boolean
Indicates whether the action is a summary.
-
throttle string | null
The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
group string
The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
-
id string
The identifier for the connector saved object.
-
params object
The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
-
uuid string
A universally unique identifier (UUID) for the action.
-
-
alert_delay object
Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
-
active number
The number of consecutive runs that must meet the rule conditions.
-
-
consumer string
The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
-
enabled boolean
Indicates whether you want to run the rule on an interval basis after it is created.
-
name string
The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when string | null
Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
params object
The parameters for a transform health rule.
-
rule_type_id string
The ID of the rule type that you want to call when the rule is scheduled to run.
Value is transform_health.
-
schedule object
The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
-
interval string
-
-
tags array[string]
The tags for the rule.
Default value is [] (empty).
-
throttle string | null
Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
A rule that detects monitor errors and outages.
-
actions array[object] | null
Default value is [] (empty).
An action that runs under defined conditions.
-
alerts_filter object
Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
-
query object
Defines a query filter that determines whether the action runs.
-
timeframe object
Defines a period that limits whether the action runs.
-
days array[integer]
Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
-
hours object
Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
-
timezone string
The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
-
-
-
frequency object
The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
-
notify_when string
Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
summary boolean
Indicates whether the action is a summary.
-
throttle string | null
The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
group string
The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
-
id string
The identifier for the connector saved object.
-
params object
The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
-
uuid string
A universally unique identifier (UUID) for the action.
-
-
alert_delay object
Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
-
active number
The number of consecutive runs that must meet the rule conditions.
-
-
consumer string
The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
-
enabled boolean
Indicates whether you want to run the rule on an interval basis after it is created.
-
name string
The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when string | null
Deprecated in 8.13.0. Use the notify_when property in the action frequency object instead. Indicates how often alerts generate actions. NOTE: You cannot specify notify_when at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
params object
-
availability object
-
filters string | object
One of:
-
monitor.type array[string]
-
observer.geo.name array[string]
-
tags array[string]
-
url.port array[string]
-
-
isAutoGenerated boolean
-
search string
-
timerangeCount number
-
timerangeUnit string
-
version number
-
-
rule_type_id string
The ID of the rule type that you want to call when the rule is scheduled to run.
Value is xpack.uptime.alerts.monitorStatus.
-
schedule object
The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
-
interval string
-
-
tags array[string]
The tags for the rule.
Default value is [] (empty).
-
throttle string | null
Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
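The constraints spelled out in the body schema above (per-action frequency versus the deprecated rule-level notify_when and throttle, throttle only meaningful with onThrottleInterval, weekday numbers and HH:MM bounds in the action timeframe, a positive alert_delay) are easy to violate in a generated request, and Kibana only reports them after the call. The following Python helper is an added example, not Kibana's own client or code: it assembles the POST /api/alerting/rule request from the documented fields and checks those constraints before anything is sent. The connector id, index name and rule name in EXAMPLE_BODY are placeholders, and reading 7 as Sunday is an assumption of the example (the page only states that 1 is Monday).

```python
"""Build and sanity-check a Kibana create-rule request body (added example)."""
import json
import re
from typing import Any

KIBANA_API_VERSION = "2023-10-31"
NOTIFY_VALUES = ("onActionGroupChange", "onActiveAlert", "onThrottleInterval")
INTERVAL_RE = re.compile(r"^[1-9]\d*[smhd]$")                   # 30s, 5m, 1h, 1d
CLOCK_RE = re.compile(r"^(?:[01]\d|2[0-3]):[0-5]\d$|^24:00$")   # 00:00 .. 24:00


def validate_action(action: dict[str, Any]) -> list[str]:
    """Problems with one entry of the actions array, per the documented constraints."""
    problems: list[str] = []
    for key in ("id", "group", "params"):
        if key not in action:
            problems.append(f"missing required '{key}'")
    freq = action.get("frequency")
    if freq is not None:
        nw = freq.get("notify_when")
        if nw not in NOTIFY_VALUES:
            problems.append(f"frequency.notify_when {nw!r} is not one of {NOTIFY_VALUES}")
        throttle = freq.get("throttle")
        if nw == "onThrottleInterval" and not INTERVAL_RE.match(str(throttle or "")):
            problems.append("frequency.throttle (e.g. 1h) is required with onThrottleInterval")
        if nw != "onThrottleInterval" and throttle:
            problems.append("frequency.throttle applies only when notify_when is onThrottleInterval")
        if "summary" not in freq:
            problems.append("frequency.summary is required")
    timeframe = (action.get("alerts_filter") or {}).get("timeframe")
    if timeframe is not None:
        # 1 is Monday per the docs; treating 7 as Sunday is an assumption of this example
        if any(day not in range(1, 8) for day in timeframe.get("days", [])):
            problems.append("timeframe.days must be weekday numbers 1 (Monday) to 7")
        hours = timeframe.get("hours") or {}
        for edge in ("start", "end"):
            if not CLOCK_RE.match(hours.get(edge, "")):
                problems.append(f"timeframe.hours.{edge} must be HH:MM (00:00 to 24:00)")
        tz = timeframe.get("timezone", "")
        if not tz or tz.startswith("UTC"):        # UTC/UTC+1 work but lack DST support
            problems.append("timeframe.timezone should be an IANA zone such as Europe/Berlin")
    return problems


def validate_rule(body: dict[str, Any]) -> list[str]:
    """Problems with the whole create-rule body."""
    problems: list[str] = []
    for key in ("name", "consumer", "rule_type_id", "schedule", "params"):
        if key not in body:
            problems.append(f"missing required '{key}'")
    interval = (body.get("schedule") or {}).get("interval", "")
    if not INTERVAL_RE.match(str(interval)):
        problems.append(f"schedule.interval {interval!r} must look like 1m, 1h or 1d")
    # rule-level notify_when/throttle are deprecated in 8.13.0 and conflict with action frequency
    rule_level = [k for k in ("notify_when", "throttle") if body.get(k) is not None]
    for i, action in enumerate(body.get("actions") or []):
        if rule_level and action.get("frequency") is not None:
            problems.append(f"actions[{i}].frequency conflicts with rule-level {rule_level}")
        problems.extend(f"actions[{i}]: {p}" for p in validate_action(action))
    delay = body.get("alert_delay")
    if delay is not None and not (isinstance(delay.get("active"), int) and delay["active"] >= 1):
        problems.append("alert_delay.active must be a positive number of consecutive runs")
    return problems


def build_request(body, api_key=None, rule_id=None, base_url="https://localhost:5601"):
    """Return (url, headers, json) for POST /api/alerting/rule[/{id}]; raises on a bad body."""
    problems = validate_rule(body)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {
        "Content-Type": f"application/json; Elastic-Api-Version={KIBANA_API_VERSION}",
        "kbn-xsrf": "true",                     # any value; required on state-changing calls
    }
    if api_key:                                 # key-based auth; otherwise use basic auth
        headers["Authorization"] = f"ApiKey {api_key}"
    url = f"{base_url}/api/alerting/rule" + (f"/{rule_id}" if rule_id else "")
    return url, headers, json.dumps(body)


# Constructed sample body: the connector id is a placeholder, not a real saved object
EXAMPLE_BODY = {
    "name": "example index threshold rule",
    "consumer": "alerts",
    "rule_type_id": ".index-threshold",
    "schedule": {"interval": "1m"},
    "alert_delay": {"active": 3},
    "params": {"index": ["example-index"], "aggType": "count", "groupBy": "all",
               "threshold": [100], "timeField": "@timestamp",
               "timeWindowSize": 5, "timeWindowUnit": "m", "thresholdComparator": ">"},
    "actions": [{
        "id": "00000000-0000-4000-8000-000000000000",
        "group": "threshold met",
        "params": {"level": "info", "message": "Rule '{{rule.name}}' is active"},
        "frequency": {"summary": False, "notify_when": "onThrottleInterval", "throttle": "1h"},
        "alerts_filter": {"timeframe": {"days": [1, 2, 3, 4, 5],
                                        "hours": {"start": "08:00", "end": "18:00"},
                                        "timezone": "Europe/Berlin"}},
    }],
}
```

Call build_request(EXAMPLE_BODY, api_key=...) and hand the returned url, headers and payload to any HTTP client; omit api_key to fall back to basic authentication, in which case Kibana generates and stores an API key with the caller's current privileges for the rule's scheduled runs.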
Responses
-
200 application/json; Elastic-Api-Version=2023-10-31
Indicates a successful call.
Hide response attributes Show response attributes object
-
actions array[object]
Default value is [] (empty).
An action that runs under defined conditions.
-
alerts_filter object
Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
-
query object
Defines a query filter that determines whether the action runs.
-
timeframe object
Defines a period that limits whether the action runs.
-
days array[integer]
Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
-
hours object
Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.
-
timezone string
The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
-
-
-
connector_type_id string
The type of connector. This property appears in responses but cannot be set in requests.
-
frequency object
The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
-
notify_when string
Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
-
summary boolean
Indicates whether the action is a summary.
-
throttle string | null
The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
group string
The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
-
id string
The identifier for the connector saved object.
-
params object
The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
-
uuid string
A universally unique identifier (UUID) for the action.
-
-
alert_delay object
Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
-
active number
The number of consecutive runs that must meet the rule conditions.
-
-
api_key_created_by_user boolean
Indicates whether the API key that is associated with the rule was created by the user.
-
api_key_owner string | null
The owner of the API key that is associated with the rule and used to run background tasks.
-
consumer string
The application or feature that owns the rule. For example, alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
-
created_at string(date-time)
The date and time that the rule was created.
-
created_by string | null
The identifier for the user that created the rule.
-
enabled boolean
Indicates whether the rule is currently enabled.
-
execution_status object
-
last_duration integer
-
last_execution_date string(date-time)
-
status string
-
-
id string
The identifier for the rule.
-
last_run object
-
alerts_count object
-
outcome string
-
outcome_msg array[string] | null
-
outcome_order integer
-
warning string | null
-
-
name string
The name of the rule.
-
next_run string(date-time) | null
-
notify_when string | null
Indicates how often alerts generate actions.
-
params object
The parameters for the rule.
-
revision integer
The rule revision number.
-
rule_type_id string
The identifier for the type of rule. For example, .es-query, .index-threshold, logs.alert.document.count, monitoring_alert_cluster_health, siem.thresholdRule, or xpack.ml.anomaly_detection_alert.
-
running boolean
Indicates whether the rule is running.
-
schedule object
The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
-
interval string
-
-
scheduled_task_id string
-
tags array[string]
The tags for the rule.
Default value is [] (empty).
-
throttle string | null
Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
updated_at string(date-time)
The date and time that the rule was updated most recently.
-
updated_by string | null
The identifier for the user that updated this rule most recently.
-
-
401 application/json; Elastic-Api-Version=2023-10-31
Authorization information is missing or invalid.
Hide response attributes Show response attributes object
-
error string
Value is Unauthorized.
-
message string
-
statusCode integer
Value is 401.
-
-
404 application/json; Elastic-Api-Version=2023-10-31
Object is not found.
Hide response attributes Show response attributes object
-
error string
Value is Not Found.
-
message string
-
statusCode integer
Value is 404.
-
curl \
 -X POST https://localhost:5601/api/alerting/rule/ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 \
 -H "Authorization: ApiKey $KIBANA_API_KEY" \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string" \
 -d @rule.json
Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL):
{
"name": "my Elasticsearch query ESQL rule",
"params": {
"size": 0,
"esqlQuery": {
"esql": "FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"
},
"threshold": [
0
],
"timeField": "@timestamp",
"searchType": "esqlQuery",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">"
},
"actions": [
{
"id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
"group": "query matched",
"params": {
"level": "info",
"message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
},
"frequency": {
"summary": false,
"notify_when": "onActiveAlert"
}
}
],
"consumer": "stackAlerts",
"schedule": {
"interval": "1d"
},
"rule_type_id": ".es-query"
}
Create an Elasticsearch query rule that uses Kibana query language (KQL):
{
"name": "my Elasticsearch query KQL rule",
"params": {
"size": 100,
"aggType": "count",
"groupBy": "all",
"threshold": [
1000
],
"searchType": "searchSource",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"searchConfiguration": {
"index": "90943e30-9a47-11e8-b64d-95841ca0b247",
"query": {
"query": "geo.src : \"US\"",
"language": "kuery"
}
},
"thresholdComparator": ">",
"excludeHitsFromPreviousRun": true
},
"consumer": "alerts",
"schedule": {
"interval": "1m"
},
"rule_type_id": ".es-query"
}
Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications:
{
"name": "my Elasticsearch query rule",
"params": {
"size": 100,
"index": [
"kibana_sample_data_logs"
],
"esQuery": "{\"query\":{\"match_all\" : {}}}",
"threshold": [
100
],
"timeField": "@timestamp",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">"
},
"actions": [
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"group": "query matched",
"params": {
"level": "info",
"message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
},
"frequency": {
"summary": true,
"throttle": "1d",
"notify_when": "onThrottleInterval"
}
},
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"group": "recovered",
"params": {
"level": "info",
"message": "Recovered"
},
"frequency": {
"summary": false,
"notify_when": "onActionGroupChange"
}
}
],
"consumer": "alerts",
"schedule": {
"interval": "1d"
},
"rule_type_id": ".es-query"
}
Create an index threshold rule:
{
"name": "my rule",
"tags": [
"cpu"
],
"params": {
"index": [
".test-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "48de3460-f401-11ed-9f8e-399c75a2deeb",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
},
"frequency": {
"summary": false,
"notify_when": "onActionGroupChange"
}
}
],
"consumer": "alerts",
"schedule": {
"interval": "1m"
},
"alert_delay": {
"active": 3
},
"rule_type_id": ".index-threshold"
}
The create rule API returns a JSON object that contains details about the rule. For example, for the ES|QL rule request above:
{
  "id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "name": "my Elasticsearch query ESQL rule",
  "tags": [],
  "params": {
    "size": 0,
    "aggType": "count",
    "groupBy": "all",
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "uuid": "bfe370a3-531b-4855-bbe6-ad739f578844",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActiveAlert"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "stackAlerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-11-01T19:00:10.453Z",
  "created_by": "elastic",
  "updated_at": "2023-11-01T19:00:10.453Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-11-01T19:00:10.453Z"
  },
  "scheduled_task_id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "api_key_created_by_user": false
}
{
  "id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "name": "my Elasticsearch query KQL rule",
  "tags": [],
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "geo.src : \"US\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2023-07-14T20:24:50.729Z",
  "created_by": "elastic",
  "updated_at": "2023-07-14T20:24:50.729Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-07-14T20:24:50.729Z"
  },
  "scheduled_task_id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "api_key_created_by_user": false
}
{
  "id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "name": "my Elasticsearch query rule",
  "tags": [],
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "aggType": "count",
    "esQuery": "{\"query\":{\"match_all\":{}}}",
    "groupBy": "all",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "searchType": "esQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "53f3c2a3-e5d0-4cfa-af3b-6f0881385e78",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      },
      "connector_type_id": ".server-log"
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "2324e45b-c0df-45c7-9d70-4993e30be758",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-08-22T00:03:38.263Z",
  "created_by": "elastic",
  "updated_at": "2023-08-22T00:03:38.263Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-08-22T00:03:38.263Z"
  },
  "scheduled_task_id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "api_key_created_by_user": false
}
{
  "id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
      "uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2022-06-08T17:20:31.632Z",
  "created_by": "elastic",
  "updated_at": "2022-06-08T17:20:31.632Z",
  "updated_by": "elastic",
  "alert_delay": {
    "active": 3
  },
  "notify_when": null,
  "rule_type_id": ".index-threshold",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2022-06-08T17:20:31.632Z"
  },
  "scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
  "api_key_created_by_user": false
}
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
{
  "error": "Not Found",
  "message": "Saved object [alert/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
  "statusCode": 404
}