maxmustermann/kibana
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
kibana/docs/user/alerting/defining-alerts.asciidoc
Yuliia Naumenko 6dd5ba0e67
Updated alerting docs screenshots where necessary (#65354) 
* Updated alerting docs screenshots where necessary

* Changed screenshots for management section

* fixed alt issue
2020-05-06 11:33:55 -07:00

80 lines
4.6 KiB
Text
Raw Blame History

[role="xpack"]
[[defining-alerts]]
== Defining alerts
{kib} alerts can be created in a variety of apps including <<xpack-apm,*APM*>>, <<xpack-infra,*Metrics*>>, <<xpack-siem,*SIEM*>>, <<xpack-uptime,*Uptime*>> and from <<management,*Management*>> UI. While alerting details may differ from app to app, they share a common interface for defining and configuring alerts that this section describes in more detail.
[float]
=== Alert flyout
When an alert is created in an app, the app will display a flyout panel with three main sections to configure:
. <<defining-alerts-general-details, General alert details>>
. <<defining-alerts-type-conditions, Alert type and conditions>>
. <<defining-alerts-actions-details, Action type and action details>>
image::images/alert-flyout-sections.png[The three sections of an alert definition]
[float]
[[defining-alerts-general-details]]
=== General alert details
All alert share the following four properties in common:
[role="screenshot"]
image::images/alert-flyout-general-details.png[alt='All alerts have name, tags, check every, and notify every properties in common']
Name:: The name of the alert. While this name does not have to be unique, the name can be referenced in actions and also appears in the searchable alert listing in the management UI. A distinctive name can help identify and find an alert.
Tags:: A list of tag names that can be applied to an alert. Tags can help you organize and find alerts, because tags appear in the alert listing in the management UI which is searchable by tag.
Check every:: This value determines how frequently the alert conditions below are checked. Note that the timing of background alert checks are not guaranteed, particularly for intervals of less than 10 seconds. See <<alerting-scale-performance>> for more information.
Notify every:: This value limits how often actions are repeated when an alert instance remains active across alert checks. See <<alerting-concepts-suppressing-duplicate-notifications>> for more information.
[float]
[[defining-alerts-type-conditions]]
=== Alert type and conditions
Depending upon the {kib} app and context, you may be prompted to choose the type of alert you wish to create. Some apps will pre-select the type of alert for you.
[role="screenshot"]
image::images/alert-flyout-alert-type-selection.png[Choosing the type of alert to create]
Each alert type provides its own way of defining the conditions to detect, but an expression formed by a series of clauses is a common pattern. Each clause has a UI control that allows you to define the clause. For example, in an index threshold alert the `WHEN` clause allows you to select an aggregation operation to apply to a numeric field.
[role="screenshot"]
image::images/alert-flyout-alert-conditions.png[UI for defining alert conditions on an index threshold alert]
[float]
[[defining-alerts-actions-details]]
=== Action type and action details
To add an action to an alert, you first select the type of action:
[role="screenshot"]
image::images/alert-flyout-action-type-selection.png[UI for selecting an action type]
Each action must specify a <<alerting-concepts-connectors, connector>> instance. If no connectors exist for that action type, click "Add new" to create one.
Each action type exposes different properties. For example an email action allows you to set the recipients, the subject, and a message body in markdown format. See <<action-types>> for details on the types of actions provided by {kib} and their properties.
[role="screenshot"]
image::images/alert-flyout-action-details.png[UI for defining an email action]
Using the https://mustache.github.io/[Mustache] template syntax `{{variable name}}`, you can pass alert values at the time a condition is detected to an action. Available variables differ by alert type, and a list can be accessed using the "add variable" button.
[role="screenshot"]
image::images/alert-flyout-action-variables.png[Passing alert values to an action]
You can attach more than one action. Clicking the "Add action" button will prompt you to select another alert type and repeat the above steps again.
[role="screenshot"]
image::images/alert-flyout-add-action.png[You can add multiple actions on an alert]
[NOTE]
==============================================
Actions are not required on alerts. In some cases you may want to run an alert without actions first to understand its behavior, and configure actions later.
==============================================
[float]
=== Managing alerts
To modify an alert after it was created, including muting or disabling it, use the <<alert-management, alert listing in the Management UI>>.
Reference in a new issue View git blame Copy permalink