View alerts

Required role
The Editor role or higher is required to perform this task. To learn more, refer to Assign user roles and privileges.
You can track and manage alerts for your applications and SLOs from the Alerts page. You can filter this view by alert status or time period, or search for specific alerts using KQL. Manage your alerts by adding them to cases or viewing them within the respective UIs.

Filter alerts
To help you get started with your analysis faster, use the KQL bar to create structured queries using Kibana Query Language.
You can use the time filter to define a specific date and time range. By default, this filter is set to search for the last 15 minutes.
You can also filter by alert status using the buttons below the KQL bar. By default, this filter is set to Show all alerts, but you can filter to show only active, recovered or untracked alerts.
View alert details
There are a few ways to inspect the details for a specific alert.
From the Alerts table, you can click on a specific alert to open the alert detail flyout to view a summary of the alert without leaving the page. There you’ll see the current status of the alert, its duration, and when it was last updated. To help you determine what caused the alert, you can view the expected and actual threshold values, and the rule that produced the alert.

There are three common alert statuses:
- active: The conditions for the rule are met and actions should be generated according to the notification settings.
- flapping: The alert is switching repeatedly between active and recovered states.
- recovered: The conditions for the rule are no longer met and recovery actions should be generated.
- untracked: The corresponding rule is disabled or you’ve marked the alert as untracked. To mark the alert as untracked, go to the Alerts table, click the icon to expand the More actions menu, and click Mark as untracked. When an alert is marked as untracked, actions are no longer generated. You can choose to move active alerts to this state when you disable or delete rules.
Flapping alerts
The flapping state is possible only if you have enabled alert flapping detection. Go to the Alerts page and click Manage Rules to navigate to the Elastic Observability Serverless Rules page. Click Settings then set the look back window and threshold that are used to determine whether alerts are flapping. For example, you can specify that the alert must change status at least 6 times in the last 10 runs. If the rule has actions that run when the alert status changes, those actions are suppressed while the alert is flapping.
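To make the look back window and threshold concrete, here is an added example (not Elastic's own implementation) that replays a constructed sequence of rule-run statuses with the settings from the paragraph above (10 runs, 6 status changes) and shows when an alert would be treated as flapping and which status-change actions would be suppressed. The counting rule, the exit from the flapping state and the action-suppression logic are assumptions that follow the text, not Elastic's actual code.

```python
# Settings as described above: at least 6 status changes in the last 10 runs.
LOOK_BACK_WINDOW = 10
STATUS_CHANGE_THRESHOLD = 6


def count_status_changes(history):
    """Count how many times the status flips between consecutive runs."""
    return sum(1 for prev, cur in zip(history, history[1:]) if prev != cur)


def is_flapping(history, look_back=LOOK_BACK_WINDOW,
                threshold=STATUS_CHANGE_THRESHOLD):
    """Assumption: flapping if the last `look_back` runs contain at least
    `threshold` status changes."""
    window = history[-look_back:]
    return count_status_changes(window) >= threshold


def evaluate_runs(statuses, look_back=LOOK_BACK_WINDOW,
                  threshold=STATUS_CHANGE_THRESHOLD):
    """Replay rule runs one at a time.

    Returns a list of (status, flapping, action_fired) per run, where
    action_fired models an action configured to run on status change:
    it fires on a change only while the alert is not flapping.
    """
    history = []
    results = []
    for status in statuses:
        changed = bool(history) and history[-1] != status
        history.append(status)
        flapping = is_flapping(history, look_back, threshold)
        action_fired = changed and not flapping  # suppressed while flapping
        results.append((status, flapping, action_fired))
    return results


# Constructed sample: an alert that alternates every run for 12 runs.
SAMPLE_RUNS = ["active", "recovered"] * 6

if __name__ == "__main__":
    for i, (status, flapping, fired) in enumerate(evaluate_runs(SAMPLE_RUNS), 1):
        print(f"run {i:2d}: {status:9s} flapping={flapping!s:5s} action={fired}")
```

With these settings the alternating alert reaches six changes on its seventh run; from then on it is reported as flapping and the status-change action no longer fires.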
To further inspect the rule:
- From the alert detail flyout, click View rule details.
- From the Alerts table, click the icon and select View rule details.
To view the alert in the app that triggered it:
- From the alert detail flyout, click View in app.
- From the Alerts table, click the icon.
Customize the alerts table
Use the toolbar buttons in the upper-left of the alerts table to customize the columns you want displayed:
- Columns: Reorder the columns.
- x fields sorted: Sort the table by one or more columns.
- Fields: Select the fields to display in the table.
For example, click Fields and choose the Maintenance Windows field. If an alert was affected by a maintenance window, its identifier appears in the new column. For more information about their impact on alert notifications, refer to Maintenance windows.
You can also use the toolbar buttons in the upper-right to customize the display options or view the table in full-screen mode.
Add alerts to cases
From the Alerts table, you can add one or more alerts to a case. Click the icon to add the alert to a new or existing case.
You can add an unlimited amount of alerts from any rule type. Each case can have a maximum of 1,000 alerts.
Add an alert to a new case
To add an alert to a new case:
- Select Add to new case.
- Enter a case name, add relevant tags, and include a case description.
- Under External incident management system, select a connector. If you’ve previously added one, that connector displays as the default selection. Otherwise, the default setting is No connector selected.
- After you’ve completed all of the required fields, click Create case. A notification message confirms you successfully created the case. To view the case details, click the notification link or go to the Cases page.
Add an alert to an existing case
To add an alert to an existing case:
- Select Add to existing case.
- Select the case where you will attach the alert. A confirmation message displays.