View alerts

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

The Alerts page lists all the alerts that have met a condition defined by a rule you created using the Logs, Metrics, Uptime, or APM apps.

After alerts have been triggered, you can monitor their activity to verify they are functioning correctly. In addition, you can filter alerts, update their workflow status, and troubleshoot each alert in its respective app.

You can also add alerts to Cases to open and track potential infrastructure issues.

You can centrally manage rules from the Kibana Management UI, which provides a set of built-in rule types and connectors for you to use. To do so, click Manage Rules.

Alerts page

Filter alerts

To help you get started with your analysis faster, use the KQL bar to create structured queries using Kibana Query Language. For example, kibana.alert.status: "recovered".

You can also use the time filter to define a specific date and time range. By default, this filter is set to search for the last 15 minutes.

To view alerts that you have already taken action on, select either the Acknowledged or Closed tabs.
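The three filters described above (the KQL bar, the time filter, and the Open/Acknowledged/Closed tabs) can be reproduced outside the UI. The following is an added example, not code from the Kibana documentation: it applies the same filters to a few constructed alert documents and builds the equivalent Elasticsearch query. It assumes the alert documents carry the kibana.alert.status, kibana.alert.workflow_status, kibana.alert.rule.name and @timestamp fields of Kibana's alert schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample alert documents (timestamps and rule names are made up).
NOW = datetime(2023, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    {"kibana.alert.rule.name": "cpu-high", "kibana.alert.status": "active",
     "kibana.alert.workflow_status": "open", "@timestamp": NOW - timedelta(minutes=3)},
    {"kibana.alert.rule.name": "latency", "kibana.alert.status": "recovered",
     "kibana.alert.workflow_status": "open", "@timestamp": NOW - timedelta(minutes=10)},
    {"kibana.alert.rule.name": "disk-full", "kibana.alert.status": "recovered",
     "kibana.alert.workflow_status": "acknowledged", "@timestamp": NOW - timedelta(minutes=5)},
    {"kibana.alert.rule.name": "stale", "kibana.alert.status": "recovered",
     "kibana.alert.workflow_status": "open", "@timestamp": NOW - timedelta(hours=2)},
]


def filter_alerts(alerts, status=None, tab="open", minutes=15, now=NOW):
    """Apply the Alerts page filters locally and return matching rule names.

    status  -> the KQL bar term, e.g. kibana.alert.status: "recovered"
    tab     -> the selected workflow tab: "open", "acknowledged" or "closed"
    minutes -> the relative time filter (the page default is the last 15 minutes)
    """
    since = now - timedelta(minutes=minutes)
    matched = []
    for alert in alerts:
        if alert["kibana.alert.workflow_status"] != tab:
            continue                      # wrong tab
        if not (since <= alert["@timestamp"] <= now):
            continue                      # outside the time range
        if status is not None and alert["kibana.alert.status"] != status:
            continue                      # KQL term does not match
        matched.append(alert["kibana.alert.rule.name"])
    return matched


def to_query_dsl(status=None, tab="open", minutes=15):
    """Express the same filters as an Elasticsearch bool query body."""
    filters = [
        {"term": {"kibana.alert.workflow_status": tab}},
        {"range": {"@timestamp": {"gte": f"now-{minutes}m", "lte": "now"}}},
    ]
    if status is not None:
        filters.append({"term": {"kibana.alert.status": status}})
    return {"query": {"bool": {"filter": filters}}}
```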

View alert details

When you have searched and filtered for a specific alert, you may want to inspect the alert details. From the Alerts table, select View details to view additional information summarising the alert.

You can find the current status of the alert, along with its duration, and when it was last updated. To help you determine what caused the alert, you can view the expected and actual threshold values, and the rule that produced the alert.

To view the alert in the specific app it was initially created from, select the Link to app icon.

Take action on alerts

From the Alerts table, you can set the current workflow status of each alert or multiple alerts. By default, the Alerts table displays open alerts.

Under Actions, select the Action dropdown menu to change the status to Acknowledged, which indicates that the alert is under active investigation, or Closed, which shows that it has now been resolved.

Add alerts to cases

From the Alerts table, you can add one or more alerts to a case. Select the Action dropdown menu to add the alert to a new case or to an existing case. You can add an unlimited number of alerts from any rule type.

Add an alert to a new case

To add an alert to a new case:

  1. Select Add to new case.
  2. Enter a case name, add relevant tags, and include a case description.
  3. Under External incident management system, select a connector. If you’ve previously added one, that connector displays as the default selection. Otherwise, the default setting is No connector selected.
  4. After you’ve completed all of the required fields, click Create case. A notification message confirms you successfully created the case. To view the case details, click the notification link or go to the Cases page.

Add an alert to an existing case

To add an alert to an existing case:

  1. Select Add to existing case.
  2. From the Select case pane, select the case to which you want to attach the alert. A confirmation message displays with an option to view the updated case. To view the case details, click the notification link or go to the Cases page.