Query alert indices

edit

[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

This page explains how you should query alert indices, for example, when building rule queries, custom dashboards, or visualizations. For more information about alert event field definitions, review the Alert schema.

Alert index aliases
edit

We recommend querying the .alerts-security.alerts-<space-id> index alias. You should not include a dash or wildcard after the space ID. To query all spaces, use the following syntax: .alerts-security.alerts-*.

Alert indices
edit

For additional context, alert events are stored in hidden Elasticsearch indices. We do not recommend querying them directly. The naming convention for these indices and their aliases is .internal.alerts-security.alerts-<space-id>-NNNNNN, where NNNNNN is a number that increases over time, starting from 000001.