WARNING: Version 6.1 of Kibana has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Create Threshold Alert
You can create a threshold alert to periodically check when your data goes above or below a certain threshold within a given time interval. It's one of the most common types of alerts that you can create using Watcher. For more advanced watches, see Create Advanced Watch.
To create a new threshold alert:
Next, let’s look at the UI and how to use it.
Inputs & Triggers
To create a threshold alert, you need to first configure the inputs and triggers.
- Add a name for the alert.
- Choose one or more indices that have a time-based field as the alert input.
- Configure a trigger interval.
Next, you will be able to specify the conditions to trigger the alert.
Condition
Here, you can configure the condition that will cause the alert to trigger. The UI is interactive, and selecting the various elements within the expression will display a UI to change the values.
Let's look at a few examples of common alerts based on X-Pack monitoring data:
Here are some specifics of how the visualization works:
- The time window that is used in the visualization is calculated by taking the duration defined in the expression and multiplying it by 5. So, if you select FOR THE LAST 5 hours, the visualization will show data from the last 25 hours.
- In the chart, you will see a blue line that represents the aggregated data. There is also a red line that represents the threshold value.
- If you use the terms aggregation to aggregate over a specific field, there will be multiple visualizations available and pagination controls will appear as shown below.
Actions
Here you can configure the various actions that will occur when the alert fires.
Click Add new action to trigger a dropdown selection:
Selecting an action will allow you to customize settings for the respective action.
All fields for an alert support mustache syntax and have access to a {{ctx}} variable, which exposes various properties of the alert.
The supported actions are:
Note that certain actions, such as email and Slack, require configuration within ES.
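The pieces collected by the UI above (indices with a time field, a trigger interval, a threshold condition, and an action using {{ctx}}) written out as a Watcher watch body. This is an added example, not part of the original documentation and not necessarily the JSON the UI generates; the index pattern logs-*, the @timestamp field, the 5-minute window, the threshold of 100 and the action name log_threshold_breach are assumptions.

```json
{
  "metadata": {
    "note": "Constructed example: index pattern, time field, window and threshold are assumptions",
    "window": "5m",
    "threshold": 100
  },
  "trigger": {
    "schedule": { "interval": "1m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["logs-*"],
        "body": {
          "size": 0,
          "query": {
            "range": {
              "@timestamp": {
                "gte": "{{ctx.trigger.scheduled_time}}||-5m",
                "lte": "{{ctx.trigger.scheduled_time}}"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": { "gt": 100 }
    }
  },
  "actions": {
    "log_threshold_breach": {
      "logging": {
        "text": "Watch {{ctx.watch_id}} fired at {{ctx.trigger.scheduled_time}}: {{ctx.payload.hits.total}} documents in the last {{ctx.metadata.window}} (threshold {{ctx.metadata.threshold}})"
      }
    }
  }
}
```

The logging action is used here because it needs no extra configuration in ES, unlike email or Slack.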