- Kibana Guide: other versions:
- What is Kibana?
- What’s new in 8.0
- Kibana concepts
- Quick start
- Set up
- Install Kibana
- Configure Kibana
- Alerting and action settings
- APM settings
- Banners settings
- Enterprise Search settings
- Fleet settings
- i18n settings
- Logging settings
- Logs settings
- Metrics settings
- Monitoring settings
- Reporting settings
- Search sessions settings
- Secure settings
- Security settings
- Spaces settings
- Task Manager settings
- Telemetry settings
- URL drilldown settings
- Start and stop Kibana
- Access Kibana
- Securing access to Kibana
- Add data
- Upgrade Kibana
- Configure security
- Configure reporting
- Configure logging
- Configure monitoring
- Command line tools
- Production considerations
- Discover
- Dashboard and visualizations
- Canvas
- Maps
- Build a map to compare metrics by country or region
- Track, visualize, and alert on assets in real time
- Map custom regions with reverse geocoding
- Heat map layer
- Tile layer
- Vector layer
- Plot big data
- Search geographic data
- Configure map settings
- Connect to Elastic Maps Service
- Import geospatial data
- Troubleshoot
- Reporting and sharing
- Machine learning
- Graph
- Alerting
- Observability
- APM
- Security
- Dev Tools
- Fleet
- Osquery
- Stack Monitoring
- Stack Management
- REST API
- Get features API
- Kibana spaces APIs
- Kibana role management APIs
- User session management APIs
- Saved objects APIs
- Data views API
- Index patterns APIs
- Alerting APIs
- Action and connector APIs
- Cases APIs
- Import and export dashboard APIs
- Logstash configuration management APIs
- Machine learning APIs
- Short URLs APIs
- Get Task Manager health
- Upgrade assistant APIs
- Kibana plugins
- Accessibility
- Release notes
- Developer guide
Create rule API
editCreate rule API
editCreate Kibana rules.
This API supports Token-based authentication only.
Request
editPOST <kibana host>:<port>/api/alerting/rule/<id>
POST <kibana host>:<port>/s/<space_id>/api/alerting/rule/<id>
Path parameters
edit-
<id>
- (Optional, string) Specifies a UUID v1 or v4 to use instead of a randomly generated ID.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Request body
edit-
name
- (Required, string) A name to reference and search.
-
tags
- (Optional, string array) A list of keywords to reference and search.
-
rule_type_id
- (Required, string) The ID of the rule type that you want to call when the rule is scheduled to run.
-
schedule
-
(Required, object) The schedule specifying when this rule should be run, using one of the available schedule formats specified under
Schedule Formats.
A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.
We currently support the Interval format which specifies the interval in seconds, minutes, hours or days at which the rule should execute. Example:
{ interval: "10s" }
,{ interval: "5m" }
,{ interval: "1h" }
,{ interval: "1d" }
.There are plans to support multiple other schedule formats in the near future.
-
throttle
-
(Optional, string) How often this rule should fire the same actions. This will prevent the rule from sending out the same notification over and over. For example, if a rule with a
schedule
of 1 minute stays in a triggered state for 90 minutes, setting athrottle
of10m
or1h
will prevent it from sending 90 notifications during this period. -
notify_when
-
(Required, string) The condition for throttling the notification:
onActionGroupChange
,onActiveAlert
, oronThrottleInterval
. -
enabled
- (Optional, boolean) Indicates if you want to run the rule on an interval basis after it is created.
-
consumer
- (Required, string) The name of the application that owns the rule. This name has to match the Kibana Feature name, as that dictates the required RBAC privileges.
-
params
-
(Required, object) The parameters to pass to the rule type executor
params
value. This will also validate against the rule type params validator, if defined. -
actions
-
(Optional, object array) An array of the following action objects.
Properties of the action objects:
-
group
-
(Required, string) Grouping actions is recommended for escalations for different types of alerts. If you don’t need this, set this value to
default
. -
id
- (Required, string) The ID of the connector saved object to execute.
-
params
-
(Required, object) The map to the
params
that the connector type will receive. ` params` are handled as Mustache templates and passed a default set of context.
-
Response code
edit-
200
- Indicates a successful call.
Example
edit$ curl -X POST api/alerting/rule -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d ' { "params":{ "aggType":"avg", "termSize":6, "thresholdComparator":">", "timeWindowSize":5, "timeWindowUnit":"m", "groupBy":"top", "threshold":[ 1000 ], "index":[ ".test-index" ], "timeField":"@timestamp", "aggField":"sheet.version", "termField":"name.keyword" }, "consumer":"alerts", "rule_type_id":".index-threshold", "schedule":{ "interval":"1m" }, "actions":[ { "id":"dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2", "group":"threshold met", "params":{ "level":"info", "message":"alert '{{alertName}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}" } } ], "tags":[ "cpu" ], "notify_when":"onActionGroupChange", "name":"my alert" }'
The API returns the following:
{ "id": "41893910-6bca-11eb-9e0d-85d233e3ee35", "notify_when": "onActionGroupChange", "params": { "aggType": "avg", "termSize": 6, "thresholdComparator": ">", "timeWindowSize": 5, "timeWindowUnit": "m", "groupBy": "top", "threshold": [ 1000 ], "index": [ ".kibana" ], "timeField": "@timestamp", "aggField": "sheet.version", "termField": "name.keyword" }, "consumer": "alerts", "rule_type_id": ".index-threshold", "schedule": { "interval": "1m" }, "actions": [ { "connector_type_id": ".server-log", "group": "threshold met", "params": { "level": "info", "message": "alert {{alertName}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}" }, "id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2" } ], "tags": [ "cpu" ], "name": "my alert", "enabled": true, "throttle": null, "api_key_owner": "elastic", "created_by": "elastic", "updated_by": "elastic", "mute_all": false, "muted_alert_ids": [], "updated_at": "2021-02-10T18:03:19.961Z", "created_at": "2021-02-10T18:03:19.961Z", "scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35", "execution_status": { "last_execution_date": "2021-02-10T18:03:19.966Z", "status": "pending" } }