Defining alerts
editDefining alerts
editKibana alerts can be created in a variety of apps including APM, Machine Learning, Metrics, Security, Uptime and from Management UI. While alerting details may differ from app to app, they share a common interface for defining and configuring alerts that this section describes in more detail.
Create an alert
editWhen you create an alert, you must define the alert details, conditions, and actions.
General alert details
editAll alerts share the following four properties.
- Name
- The name of the alert. While this name does not have to be unique, the name can be referenced in actions and also appears in the searchable alert listing in the management UI. A distinctive name can help identify and find an alert.
- Tags
- A list of tag names that can be applied to an alert. Tags can help you organize and find alerts, because tags appear in the alert listing in the management UI which is searchable by tag.
- Check every
- This value determines how frequently the alert conditions below are checked. Note that the timing of background alert checks are not guaranteed, particularly for intervals of less than 10 seconds. See Alerting for more information.
- Notify
-
This value limits how often actions are repeated when an alert instance remains active across alert checks. See Suppressing duplicate notifications for more information.
- Only on status change: Actions are not repeated when an alert instance remains active across checks. Actions run only when the alert status changes.
- Every time alert is active: Actions are repeated when an alert instance remains active across checks.
- On a custom action interval: Actions are suppressed for the throttle interval, but repeat when an alert instance remains active across checks for a duration longer than the throttle interval.
Alert type and conditions
editDepending upon the Kibana app and context, you may be prompted to choose the type of alert you wish to create. Some apps will pre-select the type of alert for you.
Each alert type provides its own way of defining the conditions to detect, but an expression formed by a series of clauses is a common pattern. Each clause has a UI control that allows you to define the clause. For example, in an index threshold alert the WHEN
clause allows you to select an aggregation operation to apply to a numeric field.
Action type and action details
editTo add an action to an alert, you first select the type of action:
When an alert instance matches a condition, the alert is marked as Active and assigned an action group. The actions in that group are triggered. When the condition is no longer detected, the alert is assigned to the Recovered action group, which triggers any actions assigned to that group.
Run When allows you to assign an action to an action group. This will trigger the action in accordance with your Notify setting.
Each action must specify a connector instance. If no connectors exist for that action type, click Add action to create one.
Each action type exposes different properties. For example an email action allows you to set the recipients, the subject, and a message body in markdown format. See Actions and connectors for details on the types of actions provided by Kibana and their properties.
Action variables
editUsing the Mustache template syntax {{variable name}}
, you can pass alert values at the time a condition is detected to an action. You can access the list of available variables using the "add variable" button. Although available variables differ by alert type, all alert types pass the following variables:
-
alertId
- The ID of the alert.
-
alertName
- The name of the alert.
-
spaceId
- The ID of the space for the alert.
-
tags
- The list of tags applied to the alert.
-
date
- The date the alert scheduled the action, in ISO format.
-
alertInstanceId
- The ID of the alert instance that scheduled the action.
-
alertActionGroup
- The ID of the action group of the alert instance that scheduled the action.
-
alertActionSubgroup
- The action subgroup of the alert instance that scheduled the action.
-
alertActionGroupName
- The name of the action group of the alert instance that scheduled the action.
-
kibanaBaseUrl
-
The configured
server.publicBaseUrl
. If not configured, this will be empty.
Some cases exist where the variable values will be "escaped", when used in a context where escaping is needed:
-
For the Email connector, the
message
action configuration property escapes any characters that would be interpreted as Markdown. -
For the Slack connector, the
message
action configuration property escapes any characters that would be interpreted as Slack Markdown. -
For the Webhook connector, the
body
action configuration property escapes any characters that are invalid in JSON string values.
Mustache also supports "triple braces" of the form {{{variable name}}}
, which indicates no escaping should be done at all. Care should be used when using this form, as it could end up rendering the variable content in such a way as to make the resulting parameter invalid or formatted incorrectly.
Each alert type defines additional variables as properties of the variable context
. For example, if an alert type defines a variable value
, it can be used in an action parameter as {{context.value}}
.
For diagnostic or exploratory purposes, action variables whose values are objects, such as context
, can be referenced directly as variables. The resulting value will be a JSON representation of the object. For example, if an action parameter includes {{context}}
, it will expand to the JSON representation of all the variables and values provided by the alert type.
You can attach more than one action. Clicking the "Add action" button will prompt you to select another alert type and repeat the above steps again.
Actions are not required on alerts. You can run an alert without actions to understand its behavior, and then configure actions later.
Manage alerts
editTo modify an alert after it was created, including muting or disabling it, use the alert listing in the Management UI.