Deprecated 7.x APIs
editDeprecated 7.x APIs
editThese APIs are deprecated and will be removed in a future release.
Legacy create alert API
editDeprecated in 7.13.0.
Use Create rule instead.
Create Kibana alerts.
Request
editPOST <kibana host>:<port>/api/alerts/alert/<id>
POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>
Path parameters
edit-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
As part of the Sharing Saved Objects effort, IDs for rules in a custom space will be regenerated in 8.0.0. Rules created prior to 8.0.0 using this API that specify both the id
and space_id
path parameters will be re-assigned a randomly generated ID upon upgrading to 8.0.0.
-
id
- (Optional, string) Specifies a UUID v1 or v4 to use instead of a randomly generated ID.
Request body
edit-
name
- (Required, string) A name to reference and search.
-
tags
- (Optional, string array) A list of keywords to reference and search.
-
alertTypeId
- (Required, string) The ID of the alert type that you want to call when the alert is scheduled to run.
-
schedule
-
(Required, object) The schedule specifying when this alert should be run, using one of the available schedule formats specified under
Schedule Formats.
A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.
We currently support the Interval format which specifies the interval in seconds, minutes, hours or days at which the alert should execute. Example:
{ interval: "10s" }
,{ interval: "5m" }
,{ interval: "1h" }
,{ interval: "1d" }
.There are plans to support multiple other schedule formats in the near future.
-
throttle
-
(Optional, string) How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a
schedule
of 1 minute stays in a triggered state for 90 minutes, setting athrottle
of10m
or1h
will prevent it from sending 90 notifications during this period. -
notifyWhen
-
(Required, string) The condition for throttling the notification:
onActionGroupChange
,onActiveAlert
, oronThrottleInterval
. -
enabled
- (Optional, boolean) Indicates if you want to run the alert on an interval basis after it is created.
-
consumer
- (Required, string) The name of the application that owns the alert. This name has to match the Kibana Feature name, as that dictates the required RBAC privileges.
-
params
-
(Required, object) The parameters to pass to the alert type executor
params
value. This will also validate against the alert type params validator, if defined. -
actions
-
(Optional, object array) An array of the following action objects.
Properties of the action objects:
-
group
-
(Required, string) Grouping actions is recommended for escalations for different types of alert instances. If you don’t need this, set this value to
default
. -
id
- (Required, string) The ID of the action saved object to execute.
-
actionTypeId
- (Required, string) The ID of the action type.
-
params
-
(Required, object) The map to the
params
that the action type will receive. ` params` are handled as Mustache templates and passed a default set of context.
-
Response code
edit-
200
- Indicates a successful call.
Example
edit$ curl -X POST api/alerts/alert -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d ' { "params":{ "aggType":"avg", "termSize":6, "thresholdComparator":">", "timeWindowSize":5, "timeWindowUnit":"m", "groupBy":"top", "threshold":[ 1000 ], "index":[ ".test-index" ], "timeField":"@timestamp", "aggField":"sheet.version", "termField":"name.keyword" }, "consumer":"alerts", "alertTypeId":".index-threshold", "schedule":{ "interval":"1m" }, "actions":[ { "id":"dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2", "actionTypeId":".server-log", "group":"threshold met", "params":{ "level":"info", "message":"alert '{{alertName}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}" } } ], "tags":[ "cpu" ], "notifyWhen":"onActionGroupChange", "name":"my alert" }'
The API returns the following:
{ "id": "41893910-6bca-11eb-9e0d-85d233e3ee35", "notifyWhen": "onActionGroupChange", "params": { "aggType": "avg", "termSize": 6, "thresholdComparator": ">", "timeWindowSize": 5, "timeWindowUnit": "m", "groupBy": "top", "threshold": [ 1000 ], "index": [ ".kibana" ], "timeField": "@timestamp", "aggField": "sheet.version", "termField": "name.keyword" }, "consumer": "alerts", "alertTypeId": ".index-threshold", "schedule": { "interval": "1m" }, "actions": [ { "actionTypeId": ".server-log", "group": "threshold met", "params": { "level": "info", "message": "alert {{alertName}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}" }, "id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2" } ], "tags": [ "cpu" ], "name": "my alert", "enabled": true, "throttle": null, "apiKeyOwner": "elastic", "createdBy": "elastic", "updatedBy": "elastic", "muteAll": false, "mutedInstanceIds": [], "updatedAt": "2021-02-10T18:03:19.961Z", "createdAt": "2021-02-10T18:03:19.961Z", "scheduledTaskId": "425b0800-6bca-11eb-9e0d-85d233e3ee35", "executionStatus": { "lastExecutionDate": "2021-02-10T18:03:19.966Z", "status": "pending" } }
Legacy delete alert API
editDeprecated in 7.13.0.
Use Delete rule instead.
Permanently remove an alert.
Once you delete an alert, you cannot recover it.
Request
editDELETE <kibana host>:<port>/api/alerts/alert/<id>
DELETE <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>
Path parameters
edit-
id
- (Required, string) The ID of the alert that you want to remove.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response code
edit-
200
- Indicates a successful call.
Example
editDelete an alert with ID:
$ curl -X DELETE api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35
Legacy disable alert API
editDeprecated in 7.13.0.
Use Disable rule instead.
Disable an alert.
Request
editPOST <kibana host>:<port>/api/alerts/alert/<id>/_disable
POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/_disable
Path parameters
edit-
id
- (Required, string) The ID of the alert that you want to disable.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response code
edit-
200
- Indicates a successful call.
Example
editDisable an alert with ID:
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_disable
Legacy enable alert API
editDeprecated in 7.13.0.
Use Enable rule instead.
Enable an alert.
Request
editPOST <kibana host>:<port>/api/alerts/alert/<id>/_enable
POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/_enable
Path parameters
edit-
id
- (Required, string) The ID of the alert that you want to enable.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response code
edit-
200
- Indicates a successful call.
Example
editEnable an alert with ID:
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_enable
Legacy find alerts API
editDeprecated in 7.13.0.
Use Find rules instead.
Retrieve a paginated set of alerts based on condition.
As alerts change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data.
Request
editGET <kibana host>:<port>/api/alerts/_find
GET <kibana host>:<port>/s/<space_id>/api/alerts/_find
Path parameters
edit-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Query Parameters
editAlert params
are stored as a flattened field type and analyzed as keywords.
-
per_page
- (Optional, number) The number of alerts to return per page.
-
page
- (Optional, number) The page number.
-
search
- (Optional, string) An Elasticsearch simple_query_string query that filters the alerts in the response.
-
default_search_operator
-
(Optional, string) The operator to use for the
simple_query_string
. The default is OR. -
search_fields
-
(Optional, array|string) The fields to perform the
simple_query_string
parsed query against. -
fields
-
(Optional, array|string) The fields to return in the
attributes
key of the response. -
sort_field
-
(Optional, string) Sorts the response. Could be an alert fields returned in the
attributes
key of the response. -
sort_order
-
(Optional, string) Sort direction, either
asc
ordesc
. -
has_reference
- (Optional, object) Filters the alerts that have a relations with the reference objects with the specific "type" and "ID".
-
filter
-
(Optional, string) A KQL string that you filter with an attribute from your saved object.
It should look like savedObjectType.attributes.title: "myTitle". However, If you used a direct attribute of a saved object, such as
updatedAt
, you will have to define your filter, for example, savedObjectType.updatedAt > 2018-12-22.
Response code
edit-
200
- Indicates a successful call.
Examples
editFind alerts with names that start with my
:
$ curl -X GET api/alerts/_find?search_fields=name&search=my*
The API returns the following:
{ "page": 1, "perPage": 10, "total": 1, "data": [ { "id": "0a037d60-6b62-11eb-9e0d-85d233e3ee35", "notifyWhen": "onActionGroupChange", "params": { "aggType": "avg", }, "consumer": "alerts", "alertTypeId": "test.alert.type", "schedule": { "interval": "1m" }, "actions": [], "tags": [], "name": "test alert", "enabled": true, "throttle": null, "apiKeyOwner": "elastic", "createdBy": "elastic", "updatedBy": "elastic", "muteAll": false, "mutedInstanceIds": [], "updatedAt": "2021-02-10T05:37:19.086Z", "createdAt": "2021-02-10T05:37:19.086Z", "scheduledTaskId": "0b092d90-6b62-11eb-9e0d-85d233e3ee35", "executionStatus": { "lastExecutionDate": "2021-02-10T17:55:14.262Z", "status": "ok" } }, ] }
For parameters that accept multiple values (e.g. fields
), repeat the
query parameter for each value:
$ curl -X GET api/alerts/_find?fields=id&fields=name
Legacy get alert API
editDeprecated in 7.13.0.
Use Get rule instead.
Retrieve an alert by ID.
Request
editGET <kibana host>:<port>/api/alerts/alert/<id>
GET <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>
Path parameters
edit-
id
- (Required, string) The ID of the alert to retrieve.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response code
edit-
200
- Indicates a successful call.
Example
editRetrieve the alert object with the ID 41893910-6bca-11eb-9e0d-85d233e3ee35
:
$ curl -X GET api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35
The API returns the following:
{ "id": "0a037d60-6b62-11eb-9e0d-85d233e3ee35", "notifyWhen": "onActionGroupChange", "params": { "aggType": "avg", }, "consumer": "alerts", "alertTypeId": "test.alert.type", "schedule": { "interval": "1m" }, "actions": [], "tags": [], "name": "test alert", "enabled": true, "throttle": null, "apiKeyOwner": "elastic", "createdBy": "elastic", "updatedBy": "elastic", "muteAll": false, "mutedInstanceIds": [], "updatedAt": "2021-02-10T05:37:19.086Z", "createdAt": "2021-02-10T05:37:19.086Z", "scheduledTaskId": "0b092d90-6b62-11eb-9e0d-85d233e3ee35", "executionStatus": { "lastExecutionDate": "2021-02-10T17:55:14.262Z", "status": "ok" } }
Legacy get Alerting framework health API
editDeprecated in 7.13.0.
Use Get Alerting framework health instead.
Retrieve the health status of the Alerting framework.
Request
editGET <kibana host>:<port>/api/alerts/_health
GET <kibana host>:<port>/s/<space_id>/api/alerts/_health
Path parameters
edit-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response code
edit-
200
- Indicates a successful call.
Example
editRetrieve the health status of the Alerting framework:
$ curl -X GET api/alerts/_health
The API returns the following:
{ "isSufficientlySecure":true, "hasPermanentEncryptionKey":true, "alertingFrameworkHeath":{ "decryptionHealth":{ "status":"ok", "timestamp":"2021-02-10T23:35:04.949Z" }, "executionHealth":{ "status":"ok", "timestamp":"2021-02-10T23:35:04.949Z" }, "readHealth":{ "status":"ok", "timestamp":"2021-02-10T23:35:04.949Z" } } }
The health API response contains the following properties:
|
Returns |
|
Return the state |
|
This state property has three substates that identify the health of the alerting framework API: |
alertingFrameworkHeath
consists of the following properties:
|
Returns the timestamp and status of the alert decryption: |
|
Returns the timestamp and status of the alert execution: |
|
Returns the timestamp and status of the alert reading events: |
Legacy list alert types API
editDeprecated in 7.13.0.
Use List rule types instead.
Retrieve a list of all alert types.
Request
editGET <kibana host>:<port>/api/alerts/list_alert_types
GET <kibana host>:<port>/s/<space_id>/api/alerts/list_alert_types
Path parameters
edit-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response code
edit-
200
- Indicates a successful call.
Example
edit$ curl -X GET api/alerts/list_alert_types
The API returns the following:
[ { "id":".index-threshold", "name":"Index threshold", "actionGroups":[ { "id":"threshold met", "name":"Threshold met" }, { "id":"recovered", "name":"Recovered" } ], "recoveryActionGroup":{ "id":"recovered", "name":"Recovered" }, "defaultActionGroupId":"threshold met", "actionVariables":{ "context":[ { "name":"message", "description":"A pre-constructed message for the alert." }, ], "state":[], "params":[ { "name":"threshold", "description":"An array of values to use as the threshold; 'between' and 'notBetween' require two values, the others require one." }, { "name":"index", "description":"index" }, ] }, "producer":"stackAlerts", "minimumLicenseRequired":"basic", "isExportable":true, "enabledInLicense":true, "authorizedConsumers":{ "alerts":{ "read":true, "all":true }, "stackAlerts":{ "read":true, "all":true }, "uptime":{ "read":true, "all":true } } } ]
Each alert type contains the following properties:
|
The descriptive name of the alert type. |
|
The unique ID of the alert type. |
|
The license required to use the alert type. |
|
Whether the rule type is exportable through the Saved Objects Management UI. |
|
Whether the alert type is enabled or disabled based on the license. |
|
An explicit list of groups for which the alert type can schedule actions, each with the action group’s unique ID and human readable name. Alert |
|
An action group to use when an alert instance goes from an active state, to an inactive one. Do not specify this action group under the |
|
The default ID for the alert type group. |
|
An explicit list of action variables that the alert type makes available via context and state in action parameter templates, and a short human readable description. The Alert UI will use this information to prompt users for these variables in action parameter editors. Use |
|
The ID of the application producing this alert type. |
|
The list of the plugins IDs that have access to the alert type. |
Legacy mute alert instance API
editDeprecated in 7.13.0.
Use Mute alert instead.
Mute an alert instance.
Request
editPOST <kibana host>:<port>/api/alerts/alert/<id>/alert_instance/<alert_instance_id>/_mute
POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/alert_instance/<alert_instance_id>/_mute
Path parameters
edit-
id
- (Required, string) The ID of the alert whose instance you want to mute.
-
alert_instance_id
- (Required, string) The ID of the alert instance that you want to mute.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response code
edit-
200
- Indicates a successful call.
Example
editMute alert instance with ID:
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/alert_instance/dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2/_mute
Legacy mute all alert instances API
editDeprecated in 7.13.0.
Use Mute all alerts instead.
Mute all alert instances.
Request
editPOST <kibana host>:<port>/api/alerts/alert/<id>/_mute_all
POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/_mute_all
Path parameters
edit-
id
- (Required, string) The ID of the alert whose instances you want to mute.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response code
edit-
200
- Indicates a successful call.
Example
editMute all alert instances with ID:
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_mute_all
Legacy unmute alert instance API
editDeprecated in 7.13.0.
Use Unmute alert instead.
Unmute an alert instance.
Request
editPOST <kibana host>:<port>/api/alerts/alert/<id>/alert_instance/<alert_instance_id>/_unmute
POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/alert_instance/<alert_instance_id>/_unmute
Path parameters
edit-
id
- (Required, string) The ID of the alert whose instance you want to mute..
-
alert_instance_id
- (Required, string) The ID of the alert instance that you want to unmute.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response code
edit-
200
- Indicates a successful call.
Example
editUnmute alert instance with ID:
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/alert_instance/dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2/_unmute
Legacy unmute all alert instances API
editDeprecated in 7.13.0.
Use Unmute all alerts instead.
Unmute all alert instances.
Request
editPOST <kibana host>:<port>/api/alerts/alert/<id>/_unmute_all
POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/_unmute_all
Path parameters
edit-
id
- (Required, string) The ID of the alert whose instances you want to unmute.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response code
edit-
200
- Indicates a successful call.
Example
editUnmute all alert instances with ID:
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_unmute_all
Legacy update alert API
editDeprecated in 7.13.0.
Use Update rule instead.
Update the attributes for an existing alert.
Request
editPUT <kibana host>:<port>/api/alerts/alert/<id>
PUT <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>
Path parameters
edit-
id
- (Required, string) The ID of the alert that you want to update.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Request body
edit-
name
- (Required, string) A name to reference and search.
-
tags
- (Optional, string array) A list of keywords to reference and search.
-
schedule
-
(Required, object) When to run this alert. Use one of the available schedule formats.
Schedule Formats.
A schedule uses a key: value format. Kibana currently supports the Interval format , which specifies the interval in seconds, minutes, hours, or days at which to execute the alert.
Example:
{ interval: "10s" }
,{ interval: "5m" }
,{ interval: "1h" }
,{ interval: "1d" }
. -
throttle
-
(Optional, string) How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a
schedule
of 1 minute stays in a triggered state for 90 minutes, setting athrottle
of10m
or1h
will prevent it from sending 90 notifications during this period. -
notifyWhen
-
(Required, string) The condition for throttling the notification:
onActionGroupChange
,onActiveAlert
, oronThrottleInterval
. -
params
-
(Required, object) The parameters to pass to the alert type executor
params
value. This will also validate against the alert type params validator, if defined. -
actions
-
(Optional, object array) An array of the following action objects.
Properties of the action objects:
-
group
-
(Required, string) Grouping actions is recommended for escalations for different types of alert instances. If you don’t need this, set the value to
default
. -
id
- (Required, string) The ID of the action that saved object executes.
-
actionTypeId
- (Required, string) The id of the action type.
-
params
-
(Required, object) The map to the
params
that the action type will receive.params
are handled as Mustache templates and passed a default set of context.
-
Response code
edit-
200
- Indicates a successful call.
Example
editUpdate an alert with ID ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74
with a different name:
$ curl -X PUT api/alerts/alert/ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 { "notifyWhen": "onActionGroupChange", "params": { "aggType": "avg", }, "schedule": { "interval": "1m" }, "actions": [], "tags": [], "name": "new name", "throttle": null, }
The API returns the following:
{ "id": "ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74", "notifyWhen": "onActionGroupChange", "params": { "aggType": "avg", }, "consumer": "alerts", "alertTypeId": "test.alert.type", "schedule": { "interval": "1m" }, "actions": [], "tags": [], "name": "new name", "enabled": true, "throttle": null, "apiKeyOwner": "elastic", "createdBy": "elastic", "updatedBy": "elastic", "muteAll": false, "mutedInstanceIds": [], "updatedAt": "2021-02-10T05:37:19.086Z", "createdAt": "2021-02-10T05:37:19.086Z", "scheduledTaskId": "0b092d90-6b62-11eb-9e0d-85d233e3ee35", "executionStatus": { "lastExecutionDate": "2021-02-10T17:55:14.262Z", "status": "ok" } }