Query alert indices
[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
This page explains how you should query alert indices, for example, when building rule queries, custom dashboards, or visualizations. For more information about alert event field definitions, review the Alert schema.
Alert index aliases
We recommend querying the .alerts-security.alerts-<space-id> index alias. You should not include a dash or wildcard after the space ID. To query all spaces, use the following syntax: .alerts-security.alerts-*.
Alert indices
For additional context, alert events are stored in hidden Elasticsearch indices. We do not recommend querying them directly. The naming convention for these indices and their aliases is .internal.alerts-security.alerts-<space-id>-NNNNNN, where NNNNNN is a number that increases over time, starting from 000001.
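The following helper, added here as an example and not part of the Elastic documentation or the Kibana code base, builds the recommended alias for a space, flags the query targets this page warns against (a dash or wildcard after the space ID, or a hidden backing index), and parses the backing index naming convention; the space IDs and index names in it are constructed sample values.

```python
import re
from typing import Dict, List, Optional

ALIAS_PREFIX = ".alerts-security.alerts-"
BACKING_PREFIX = ".internal.alerts-security.alerts-"

# Backing index convention from this page: .internal.alerts-security.alerts-<space-id>-NNNNNN
# The greedy group lets space IDs that themselves contain dashes parse correctly.
_BACKING_RE = re.compile(r"^\.internal\.alerts-security\.alerts-(?P<space>.+)-(?P<gen>\d{6})$")

# Constructed sample index names for the demo below (not from a real cluster).
SAMPLE_INDICES = [
    ".internal.alerts-security.alerts-default-000001",
    ".internal.alerts-security.alerts-default-000002",
    ".internal.alerts-security.alerts-my-space-000001",
    ".ds-logs-endpoint.events.process-default-2024.01.01-000001",
]

def alias_for_space(space_id: str) -> str:
    """Return the recommended alias for one Kibana space (no trailing dash or wildcard)."""
    if not space_id or space_id.endswith("-") or "*" in space_id:
        raise ValueError(f"invalid space id: {space_id!r}")
    return ALIAS_PREFIX + space_id

def alias_for_all_spaces() -> str:
    """Return the pattern that covers alerts from every space."""
    return ALIAS_PREFIX + "*"

def check_query_target(target: str) -> List[str]:
    """Return the problems with a query target; an empty list means it follows the guidance."""
    problems: List[str] = []
    if target.startswith(BACKING_PREFIX):
        problems.append("targets a hidden backing index; query the alias instead")
    elif target.startswith(ALIAS_PREFIX):
        space = target[len(ALIAS_PREFIX):]
        if space != "*" and (space.endswith("-") or "*" in space):
            problems.append("alias has a dash or wildcard after the space ID")
    else:
        problems.append("not a security alert alias")
    return problems

def parse_backing_index(name: str) -> Optional[Dict[str, object]]:
    """Split a backing index name into its space ID and generation number, or None if it does not match."""
    m = _BACKING_RE.match(name)
    if not m:
        return None
    return {"space_id": m["space"], "generation": int(m["gen"])}

def latest_generation(index_names: List[str]) -> Dict[str, int]:
    """Map each space ID to the highest NNNNNN generation seen among backing index names."""
    latest: Dict[str, int] = {}
    for name in index_names:
        parsed = parse_backing_index(name)
        if parsed:
            space = str(parsed["space_id"])
            latest[space] = max(latest.get(space, 0), int(parsed["generation"]))
    return latest
```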