Create and manage rules
[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Required role
The Editor role or higher is required to create and manage rules for alerting. To learn more, refer to Assign user roles and privileges.
Alerting enables you to define rules, which detect complex conditions within different apps and trigger actions when those conditions are met. Alerting provides a set of built-in connectors and rules for you to use.
Observability rules
Learn more about Observability rules and how to create them:
Rule type | Name | Detects when… |
---|---|---|
AIOps | | Anomalies match specific conditions. |
APM | | The latency, throughput, or failed transaction rate of a service is abnormal. |
Observability | | An Observability data type reaches or exceeds a given value. |
Stack | | Matches are found during the latest query run. |
APM | | The number of errors in a service exceeds a defined threshold. |
APM | | The rate of transaction errors in a service exceeds a defined threshold. |
Metrics | | The infrastructure inventory exceeds a defined threshold. |
APM | | The latency of a specific transaction type in a service exceeds a defined threshold. |
SLO | | The burn rate is above a defined threshold. |
Creating rules and alerts
You start by defining the rule and how often it should be evaluated. You can extend a rule by adding one or more actions (for example, send an email or create an issue) that are triggered when the rule conditions are met. Actions are defined within each rule and carried out by the connector for that action type, for example Slack or Jira. You can create any rule type from scratch on the Manage Rules page, or create specific rule types from their respective UIs, where some details (for example, Name and Tags) are pre-filled.
- For APM alert types, you can select Alerts and rules and create rules directly from the Services, Traces, and Dependencies UIs.
- For SLO alert types, from the SLOs page open the More actions menu for an SLO and select Create new alert rule. Alternatively, when you create a new SLO, the Create new SLO burn rate alert rule checkbox is enabled by default and will prompt you to Create SLO burn rate rule upon saving the SLO.
After a rule is created, you can open the More actions menu and select Edit rule to check or change the definition, and/or add or modify actions.
From the action menu you can also:
- Disable or delete rule
- Clone rule
- Snooze rule notifications
- Run rule (without waiting for next scheduled check)
- Update API keys
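The split between a rule definition (type, schedule, parameters) and its connector-backed actions, plus the enable, disable, delete and update-API-key operations from the action menu, as an added example that is not part of this page or of Elastic's own code. It assumes the public Kibana alerting REST API (POST /api/alerting/rule and its _enable, _disable and _update_api_key sub-paths), the Stack Elasticsearch query rule type (".es-query") and its parameters, an already existing Slack connector with the assumed id slack-ops, and the KIBANA_URL and KIBANA_API_KEY environment variables. Snooze, clone and run-now are left to the UI here.

```python
"""Added example (not from the page): define a Stack "Elasticsearch query"
rule with a Slack action through the Kibana alerting REST API and map the
rule action-menu operations that have public endpoints to requests.

Assumptions: the endpoints under /api/alerting/rule, the ".es-query" rule
type and its params, an existing Slack connector, and the KIBANA_URL and
KIBANA_API_KEY environment variables."""
import json
import os
import urllib.request

KIBANA = os.environ.get("KIBANA_URL", "http://localhost:5601")  # assumed
API_KEY = os.environ.get("KIBANA_API_KEY", "")                   # assumed

# Action-menu operations with a public endpoint (assumed paths);
# snooze, clone and run-now are handled in the UI and left out here.
RULE_OPERATIONS = {
    "enable": ("POST", "/_enable"),
    "disable": ("POST", "/_disable"),
    "update_api_key": ("POST", "/_update_api_key"),
    "delete": ("DELETE", ""),
}


def build_rule(index, query, threshold, connector_id, interval="1m"):
    """Return the request body for POST /api/alerting/rule.

    The definition (type, schedule, params) is separate from the actions,
    which only reference a connector by id, mirroring how the UI splits them."""
    return {
        "name": f"High error volume in {index}",
        "tags": ["observability", "added-example"],
        "rule_type_id": ".es-query",            # Stack rule: Elasticsearch query
        "consumer": "alerts",
        "schedule": {"interval": interval},     # how often the rule is evaluated
        "notify_when": "onActionGroupChange",   # rule-level setting: notify on state change
        "params": {
            "searchType": "esQuery",
            "index": [index],
            "timeField": "@timestamp",
            "esQuery": json.dumps({"query": query}),  # the query is sent as a string
            "size": 100,
            "threshold": [threshold],
            "thresholdComparator": ">",
            "timeWindowSize": 5,
            "timeWindowUnit": "m",
        },
        "actions": [{
            "group": "query matched",   # action group of the .es-query rule type
            "id": connector_id,         # existing Slack connector (assumed id)
            "params": {"message": "{{rule.name}}: {{context.message}}"},
        }],
    }


def operation_request(rule_id, operation):
    """Map an action-menu operation to (method, path); unknown names are
    rejected so a typo cannot silently turn into an unrelated call."""
    if operation not in RULE_OPERATIONS:
        raise ValueError(f"unsupported rule operation: {operation}")
    method, suffix = RULE_OPERATIONS[operation]
    return method, f"/api/alerting/rule/{rule_id}{suffix}"


def kibana_request(method, path, body=None):
    """Minimal Kibana API call; the kbn-xsrf header is mandatory on writes."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{KIBANA}{path}", data=data, method=method)
    req.add_header("kbn-xsrf", "true")
    req.add_header("Content-Type", "application/json")
    if API_KEY:
        req.add_header("Authorization", f"ApiKey {API_KEY}")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}   # _update_api_key returns an empty body


if __name__ == "__main__":
    body = build_rule("logs-*", {"match": {"log.level": "error"}}, 50, "slack-ops")
    print(json.dumps(body, indent=2))
    if os.environ.get("KIBANA_URL"):  # only talk to a real Kibana when configured
        rule = kibana_request("POST", "/api/alerting/rule", body)
        print("created rule", rule["id"])
        # Rotate the key the rule runs under, e.g. after the creating user's privileges changed.
        kibana_request(*operation_request(rule["id"], "update_api_key"))
```

Without KIBANA_URL the script only prints the request body, so the definition can be reviewed before anything is sent. Updating the API key matters because a rule runs with the credentials of the user who last saved it; after that user's privileges change, re-saving or updating the key is what brings the rule back in line with current privileges.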
View rule details
Click an individual rule on the Rules page to view details including the rule name, status, definition, execution history, related alerts, and more.
A rule run can have one of the following responses:
- failed: The rule ran with errors.
- succeeded: The rule ran without errors.
- warning: The rule ran with some non-critical errors.
Snooze and disable rules
The rule listing enables you to quickly snooze, disable, enable, or delete individual rules.
When you snooze a rule, the rule checks continue to run on schedule and alerts are still created, but no actions are triggered. You can snooze for a specified period of time, indefinitely, or schedule single or recurring downtimes.
While a rule is snoozed, you can cancel the snooze or change its duration.
[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. To temporarily suppress notifications for all rules, create a maintenance window.
Import and export rules
To import and export rules, use Saved Objects.
Rules are disabled on export, so an imported rule does not run until it is enabled again. You are prompted to re-enable the rule after a successful import.
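The export and import round trip described above, as an added example that is not part of this page or of Elastic's own code: it takes a saved-objects export of rules, imports it, and re-enables the rules afterwards, because exported rules are disabled and a scripted import gets no UI prompt. It assumes that rules are exported under the saved object type "alert" by POST /api/saved_objects/_export, imported with POST /api/saved_objects/_import (multipart field "file"), and re-enabled with POST /api/alerting/rule/<id>/_enable; the ndjson file and the import response in the block are constructed samples, not real data.

```python
"""Added example (not from the page): re-enable rules after a saved-objects
import, since exported rules are disabled and a script gets no UI prompt.

Assumptions: rule saved objects have type "alert", the _import response
lists imported objects under successResults (with destinationId when Kibana
assigned a new id), and POST /api/alerting/rule/<id>/_enable re-enables a
rule. SAMPLE_EXPORT and SAMPLE_IMPORT_RESPONSE are constructed samples."""
import json
import os
import sys
import urllib.request

KIBANA = os.environ.get("KIBANA_URL", "http://localhost:5601")  # assumed

SAMPLE_EXPORT = "\n".join(json.dumps(o) for o in [  # constructed sample export file
    {"type": "alert", "id": "rule-a1",
     "attributes": {"name": "High error volume", "enabled": False, "alertTypeId": ".es-query"},
     "references": [{"name": "action_0", "type": "action", "id": "slack-ops"}]},
    {"type": "action", "id": "slack-ops",
     "attributes": {"name": "ops-slack", "actionTypeId": ".slack"}},
    {"exportedCount": 2, "missingRefCount": 0, "missingReferences": []},  # export details line
])

SAMPLE_IMPORT_RESPONSE = {  # constructed, in the shape of an _import response
    "success": True, "successCount": 2,
    "successResults": [
        {"type": "alert", "id": "rule-a1", "meta": {"title": "High error volume"}},
        {"type": "action", "id": "slack-ops", "meta": {"title": "ops-slack"}},
    ],
}


def rules_in_export(ndjson_text):
    """Map rule id -> name for the rule objects in an export file.
    Connectors and the trailing export-details line are skipped."""
    rules = {}
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("type") == "alert":
            rules[obj["id"]] = obj.get("attributes", {}).get("name", obj["id"])
    return rules


def rules_to_enable(import_response, expected):
    """Ids to re-enable after an import: only rules that were in the export
    and that Kibana reports as imported. If Kibana assigned a new id
    (destinationId), that is the id to enable."""
    ids = []
    for result in import_response.get("successResults", []):
        if result.get("type") == "alert" and result.get("id") in expected:
            ids.append(result.get("destinationId", result["id"]))
    return ids


def kibana_post(path, data, content_type):
    """POST raw bytes to Kibana; kbn-xsrf is required, the API key is an assumed env var."""
    req = urllib.request.Request(f"{KIBANA}{path}", data=data, method="POST")
    req.add_header("kbn-xsrf", "true")
    req.add_header("Content-Type", content_type)
    if os.environ.get("KIBANA_API_KEY"):
        req.add_header("Authorization", "ApiKey " + os.environ["KIBANA_API_KEY"])
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def import_rules(ndjson_text, overwrite=True):
    """Send the export file back as multipart/form-data and return the parsed response."""
    boundary = "kibana-rules-import"
    body = ("--%s\r\nContent-Disposition: form-data; name=\"file\"; filename=\"rules.ndjson\"\r\n"
            "Content-Type: application/ndjson\r\n\r\n%s\r\n--%s--\r\n"
            % (boundary, ndjson_text, boundary)).encode()
    path = "/api/saved_objects/_import" + ("?overwrite=true" if overwrite else "")
    return json.loads(kibana_post(path, body, f"multipart/form-data; boundary={boundary}"))


if __name__ == "__main__":
    live = bool(os.environ.get("KIBANA_URL"))   # offline run walks the samples instead
    exported = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    rules = rules_in_export(exported)
    response = import_rules(exported) if live else SAMPLE_IMPORT_RESPONSE
    for rule_id in rules_to_enable(response, rules):
        print("re-enabling rule", rule_id)
        if live:
            kibana_post(f"/api/alerting/rule/{rule_id}/_enable", None, "application/json")
```

Run it as `python import_rules.py rules.ndjson` with KIBANA_URL set to the target Kibana; enabling only the ids Kibana reports as imported avoids turning on a rule that failed to import or was skipped as a conflict.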