IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

Create alert API

edit

Create alert API

edit

Create Kibana alerts.

Request

edit

POST <kibana host>:<port>/api/alerts/alert

Path parameters

edit

<id>: (Optional, string) Specifies a UUID v1 or v4 to use instead of a randomly generated ID.

Request body

edit

name

(Required, string) A name to reference and search.

tags

(Optional, string array) A list of keywords to reference and search.

alertTypeId

(Required, string) The ID of the alert type that you want to call when the alert is scheduled to run.

schedule

(Required, object) The schedule specifying when this alert should be run, using one of the available schedule formats specified under

Schedule Formats.

A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.

We currently support the Interval format which specifies the interval in seconds, minutes, hours or days at which the alert should execute. Example: { interval: "10s" }, { interval: "5m" }, { interval: "1h" }, { interval: "1d" }.

There are plans to support multiple other schedule formats in the near future.

throttle

(Optional, string) How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of 10m or 1h will prevent it from sending 90 notifications during this period.

notifyWhen

(Required, string) The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval.

enabled

(Optional, boolean) Indicates if you want to run the alert on an interval basis after it is created.

consumer

(Required, string) The name of the application that owns the alert. This name has to match the Kibana Feature name, as that dictates the required RBAC privileges.

params

(Required, object) The parameters to pass to the alert type executor params value. This will also validate against the alert type params validator, if defined.

actions

(Optional, object array) An array of the following action objects.

Properties of the action objects:

group: (Required, string) Grouping actions is recommended for escalations for different types of alert instances. If you don’t need this, set this value to default.
id: (Required, string) The ID of the action saved object to execute.
actionTypeId: (Required, string) The ID of the action type.
params: (Required, object) The map to the params that the action type will receive. ` params` are handled as Mustache templates and passed a default set of context.

Response code

edit

200: Indicates a successful call.

Example

edit

$ curl -X POST api/alerts/alert  -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '
{
  "params":{
      "aggType":"avg",
      "termSize":6,
      "thresholdComparator":">",
      "timeWindowSize":5,
      "timeWindowUnit":"m",
      "groupBy":"top",
      "threshold":[
         1000
      ],
      "index":[
         ".test-index"
      ],
      "timeField":"@timestamp",
      "aggField":"sheet.version",
      "termField":"name.keyword"
   },
   "consumer":"alerts",
   "alertTypeId":".index-threshold",
   "schedule":{
      "interval":"1m"
   },
   "actions":[
      {
         "id":"dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
         "actionTypeId":".server-log",
         "group":"threshold met",
         "params":{
            "level":"info",
            "message":"alert '{{alertName}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
         }
      }
   ],
   "tags":[
      "cpu"
   ],
   "notifyWhen":"onActionGroupChange",
   "name":"my alert"
}'

The API returns the following:

{
  "id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
  "notifyWhen": "onActionGroupChange",
  "params": {
    "aggType": "avg",
    "termSize": 6,
    "thresholdComparator": ">",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "groupBy": "top",
    "threshold": [
      1000
    ],
    "index": [
      ".kibana"
    ],
    "timeField": "@timestamp",
    "aggField": "sheet.version",
    "termField": "name.keyword"
  },
  "consumer": "alerts",
  "alertTypeId": ".index-threshold",
  "schedule": {
    "interval": "1m"
  },
  "actions": [
    {
      "actionTypeId": ".server-log",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "alert {{alertName}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2"
    }
  ],
  "tags": [
    "cpu"
  ],
  "name": "my alert",
  "enabled": true,
  "throttle": null,
  "apiKeyOwner": "elastic",
  "createdBy": "elastic",
  "updatedBy": "elastic",
  "muteAll": false,
  "mutedInstanceIds": [],
  "updatedAt": "2021-02-10T18:03:19.961Z",
  "createdAt": "2021-02-10T18:03:19.961Z",
  "scheduledTaskId": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
  "executionStatus": {
    "lastExecutionDate": "2021-02-10T18:03:19.966Z",
    "status": "pending"
  }
}

« Alerts APIs Update alert API »