kibana/docs/management/watcher-ui/create-threshold-alert.asciidoc

[[watcher-create-threshold-alert]]
=== Create Threshold Alert

You can create a threshold alert to periodically check when your data goes above or below a certain threshold within a given time interval. It's one of the most common type of alerts that you can create using Watcher. For more advanced watches, see the <<watcher-create-advanced-watch>>.

To create a threshold alert:

* Click the *Create threshold alert* button.

==== Inputs & Triggers

You must first configure the inputs and triggers.

. Add a `name` for the alert.
. Choose one or more indices that have a time-based field as the alert input.
. Configure a trigger interval.
+
[role="screenshot"]
image:management/watcher-ui/images/threshold-alert/create-threshold-alert-created.png["Created Threshold Alert",link="management/watcher-ui/images/threshold-alert/create-threshold-alert-created.png"]

==== Condition

Here, you can configure the condition that will cause alert to trigger. The UI is interactive and selecting the various elements within the expression will display a UI to change the values.

[role="screenshot"]
image:management/watcher-ui/images/threshold-alert/threshold-alert-aggType.png["Threshold Alert Agg Type",link="management/watcher-ui/images/threshold-alert/threshold-alert-aggType.png"]

Here are a few examples of common alerts based on x-pack monitoring data:

* High heap usage:
image:management/watcher-ui/images/threshold-alert/high-heap-usage.png["Threshold Alert Example High Heap Usage",link="management/watcher-ui/images/threshold-alert/high-heap-usage.png"]

* System load:
image:management/watcher-ui/images/threshold-alert/system-load.png["Threshold Alert Example System Load",link="management/watcher-ui/images/threshold-alert/system-load.png"]


Here are some specifics of how the visualization works:

* The time window that is used in the visualization is calculated by taking the duration defined in the expression and multiplying it by 5. So, if you select `FOR THE LAST 5 hours`, the visualization will show data from the last 25 hours.

* In the chart, you will see a blue line that represents the aggregated data. There is also a red line that represents the threshold value.

* If you use the `terms` aggregation to aggregate over a specific field, there will be multiple visualizations available and pagination controls will appear as shown below.

** image:management/watcher-ui/images/threshold-alert/threshold-alert-groupBy-pagination.png["Threshold Alert Group By pagination",link="management/watcher-ui/images/threshold-alert/threshold-alert-groupBy-pagination.png"]

==== Actions

Here you can configure the various actions that will occur when the alert fires.

Click `Add new action` to trigger a dropdown selection:

image:management/watcher-ui/images/threshold-alert/threshold-alert-select-action.png["Threshold Alert Select Action",link="management/watcher-ui/images/threshold-alert/threshold-alert-select-action.png"]

Selecting an action will allow you to customize settings for the respective action.

image:management/watcher-ui/images/threshold-alert/threshold-alert-action.png["Threshold Alert Logging Action",link="management/watcher-ui/images/threshold-alert/threshold-alert-action.png"]

All fields for an alert support using http://mustache.github.io/mustache.5.html[mustache syntax] and expose a `{{ctx}}` variable which exposes {stack-ov}/condition-script.html#accessing-watch-payload[various properties of the alert]

The supported actions are:

* {stack-ov}/actions-slack.html[Slack]
* {stack-ov}/actions-logging.html[Logging]
* {stack-ov}/actions-email.html[Email]

Note that certain actions require configuration within {es}, such as 
{stack-ov}/actions-email.html#configuring-email[email] and 
{stack-ov}/actions-slack.html#configuring-slack[slack].

include::create-advanced-watch.asciidoc[]