Defining alerts

edit

Kibana alerts can be created in a variety of apps including APM, Machine Learning, Metrics, Security, Uptime and from Management UI. While alerting details may differ from app to app, they share a common interface for defining and configuring alerts that this section describes in more detail.

Create an alert

edit

When you create an alert, you must define the alert details, conditions, and actions.

The three sections of an alert definition

General alert details

edit

All alerts share the following four properties.

All alerts have name, tags, check every, and notify properties in common
Name
The name of the alert. While this name does not have to be unique, the name can be referenced in actions and also appears in the searchable alert listing in the management UI. A distinctive name can help identify and find an alert.
Tags
A list of tag names that can be applied to an alert. Tags can help you organize and find alerts, because tags appear in the alert listing in the management UI which is searchable by tag.
Check every
This value determines how frequently the alert conditions below are checked. Note that the timing of background alert checks are not guaranteed, particularly for intervals of less than 10 seconds. See Alerting for more information.
Notify

This value limits how often actions are repeated when an alert instance remains active across alert checks. See Suppressing duplicate notifications for more information.

  • Only on status change: Actions are not repeated when an alert instance remains active across checks. Actions run only when the alert status changes.
  • Every time alert is active: Actions are repeated when an alert instance remains active across checks.
  • On a custom action interval: Actions are suppressed for the throttle interval, but repeat when an alert instance remains active across checks for a duration longer than the throttle interval.

Alert type and conditions

edit

Depending upon the Kibana app and context, you may be prompted to choose the type of alert you wish to create. Some apps will pre-select the type of alert for you.

Choosing the type of alert to create

Each alert type provides its own way of defining the conditions to detect, but an expression formed by a series of clauses is a common pattern. Each clause has a UI control that allows you to define the clause. For example, in an index threshold alert the WHEN clause allows you to select an aggregation operation to apply to a numeric field.

UI for defining alert conditions on an index threshold alert

Action type and action details

edit

To add an action to an alert, you first select the type of action:

UI for selecting an action type

When an alert instance matches a condition, the alert is marked as Active and assigned an action group. The actions in that group are triggered. When the condition is no longer detected, the alert is assigned to the Recovered action group, which triggers any actions assigned to that group.

Run When allows you to assign an action to an action group. This will trigger the action in accordance with your Notify setting.

Each action must specify a connector instance. If no connectors exist for that action type, click Add action to create one.

Each action type exposes different properties. For example an email action allows you to set the recipients, the subject, and a message body in markdown format. See Actions and connectors for details on the types of actions provided by Kibana and their properties.

UI for defining an email action

Action variables

edit

Using the Mustache template syntax {{variable name}}, you can pass alert values at the time a condition is detected to an action. You can access the list of available variables using the "add variable" button. Although available variables differ by alert type, all alert types pass the following variables:

alertId
The ID of the alert.
alertName
The name of the alert.
spaceId
The ID of the space for the alert.
tags
The list of tags applied to the alert.
date
The date the alert scheduled the action, in ISO format.
alertInstanceId
The ID of the alert instance that scheduled the action.
alertActionGroup
The ID of the action group of the alert instance that scheduled the action.
alertActionSubgroup
The action subgroup of the alert instance that scheduled the action.
alertActionGroupName
The name of the action group of the alert instance that scheduled the action.
kibanaBaseUrl
The configured server.publicBaseUrl. If not configured, this will be empty.
Passing alert values to an action

Some cases exist where the variable values will be "escaped", when used in a context where escaping is needed:

  • For the Email connector, the message action configuration property escapes any characters that would be interpreted as Markdown.
  • For the Slack connector, the message action configuration property escapes any characters that would be interpreted as Slack Markdown.
  • For the Webhook connector, the body action configuration property escapes any characters that are invalid in JSON string values.

Mustache also supports "triple braces" of the form {{{variable name}}}, which indicates no escaping should be done at all. Care should be used when using this form, as it could end up rendering the variable content in such a way as to make the resulting parameter invalid or formatted incorrectly.

Each alert type defines additional variables as properties of the variable context. For example, if an alert type defines a variable value, it can be used in an action parameter as {{context.value}}.

For diagnostic or exploratory purposes, action variables whose values are objects, such as context, can be referenced directly as variables. The resulting value will be a JSON representation of the object. For example, if an action parameter includes {{context}}, it will expand to the JSON representation of all the variables and values provided by the alert type.

You can attach more than one action. Clicking the "Add action" button will prompt you to select another alert type and repeat the above steps again.

You can add multiple actions on an alert

Actions are not required on alerts. You can run an alert without actions to understand its behavior, and then configure actions later.

Manage alerts

edit

To modify an alert after it was created, including muting or disabling it, use the alert listing in the Management UI.