View alerts
editView alerts
editWhen the conditions of a rule are met, it creates an alert. If the rule has actions, they run at the defined frequency. For example, the rule can send email notifications for each alert at a custom interval. For an introduction to the concepts of rules, alerts, and actions, refer to Alerting.
You can manage the alerts for each rule in Stack Management > Rules. Alternatively, manage all your alerts in Stack Management > Alerts. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
You must have the appropriate Kibana alerting features and index privileges to view alerts. Refer to Alerting security requirements.
Filter alerts
editThis functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
In Stack Management > Alerts, you can filter the list (for example, by alert status or rule type) and customize the filter controls. To search for specific alerts, use the KQL bar to create structured queries using Kibana Query Language.
By default, the list contains all the alerts that you have authority to view in the selected time period except those associated with Security rules. To view alerts for Security rules, click the query menu and select Security rule types:
Alternatively, view those alerts in the Elastic Security app.
View alert details
editTo get more information about a specific alert, open its action menu (…) and select View alert details in either Stack Management > Alerts or Rules. There you’ll see the current status of the alert, its duration, and when it was last updated. To help you determine what caused the alert, there is information such as the expected and actual threshold values and a summarized reason for the alert.
If an alert is affected by a maintenance window, the alert details include its identifier. For more information about their impact on alert notifications, refer to Maintenance windows.
Alert statuses
editThere are three common alert statuses:
-
active
- The conditions for the rule are met and actions should be generated according to the notification settings.
-
recovered
- The conditions for the rule are no longer met and recovery actions should be generated.
-
untracked
- Actions are no longer generated. For example, you can choose to move active alerts to this state when you disable or delete rules.
An alert can also be in a "flapping" state when it is switching repeatedly between active and recovered states. This state is possible only if you have enabled alert flapping detection in Stack Management > Rules > Settings. For each space, you can choose a look back window and threshold that are used to determine whether alerts are flapping. For example, you can specify that the alert must change status at least 6 times in the last 10 runs. If the rule has actions that run when the alert status changes, those actions are suppressed while the alert is flapping.
Mute alerts
editIf an alert is active or flapping, you can mute it to temporarily suppress future actions. In both Stack Management > Alerts and Rules, you can open the action menu (…) for the appropriate alert and select Mute. To permanently suppress actions for an alert, open the actions menu and select Mark as untracked.
To affect the behavior of the rule rather than individual alerts, check out Snooze and disable rules.