Create alert API
editCreate alert API
editCreate Kibana alerts.
Request
editPOST <kibana host>:<port>/api/alerts/alert/<id>
POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>
Path parameters
edit-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
As part of the Sharing Saved Objects effort, IDs for rules in a custom space will be regenerated in 8.0.0. Rules created prior to 8.0.0 using this API that specify both the id
and space_id
path parameters will be re-assigned a randomly generated ID upon upgrading to 8.0.0.
-
id
- (Optional, string) Specifies a UUID v1 or v4 to use instead of a randomly generated ID.
Request body
edit-
name
- (Required, string) A name to reference and search.
-
tags
- (Optional, string array) A list of keywords to reference and search.
-
alertTypeId
- (Required, string) The ID of the alert type that you want to call when the alert is scheduled to run.
-
schedule
-
(Required, object) The schedule specifying when this alert should be run, using one of the available schedule formats specified under
Schedule Formats.
A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.
We currently support the Interval format which specifies the interval in seconds, minutes, hours or days at which the alert should execute. Example:
{ interval: "10s" }
,{ interval: "5m" }
,{ interval: "1h" }
,{ interval: "1d" }
.There are plans to support multiple other schedule formats in the near future.
-
throttle
-
(Optional, string) How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a
schedule
of 1 minute stays in a triggered state for 90 minutes, setting athrottle
of10m
or1h
will prevent it from sending 90 notifications during this period. -
notifyWhen
-
(Required, string) The condition for throttling the notification:
onActionGroupChange
,onActiveAlert
, oronThrottleInterval
. -
enabled
- (Optional, boolean) Indicates if you want to run the alert on an interval basis after it is created.
-
consumer
- (Required, string) The name of the application that owns the alert. This name has to match the Kibana Feature name, as that dictates the required RBAC privileges.
-
params
-
(Required, object) The parameters to pass to the alert type executor
params
value. This will also validate against the alert type params validator, if defined. -
actions
-
(Optional, object array) An array of the following action objects.
Properties of the action objects:
-
group
-
(Required, string) Grouping actions is recommended for escalations for different types of alert instances. If you don’t need this, set this value to
default
. -
id
- (Required, string) The ID of the action saved object to execute.
-
actionTypeId
- (Required, string) The ID of the action type.
-
params
-
(Required, object) The map to the
params
that the action type will receive. ` params` are handled as Mustache templates and passed a default set of context.
-
Response code
edit-
200
- Indicates a successful call.
Example
edit$ curl -X POST api/alerts/alert -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d ' { "params":{ "aggType":"avg", "termSize":6, "thresholdComparator":">", "timeWindowSize":5, "timeWindowUnit":"m", "groupBy":"top", "threshold":[ 1000 ], "index":[ ".test-index" ], "timeField":"@timestamp", "aggField":"sheet.version", "termField":"name.keyword" }, "consumer":"alerts", "alertTypeId":".index-threshold", "schedule":{ "interval":"1m" }, "actions":[ { "id":"dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2", "actionTypeId":".server-log", "group":"threshold met", "params":{ "level":"info", "message":"alert '{{alertName}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}" } } ], "tags":[ "cpu" ], "notifyWhen":"onActionGroupChange", "name":"my alert" }'
The API returns the following:
{ "id": "41893910-6bca-11eb-9e0d-85d233e3ee35", "notifyWhen": "onActionGroupChange", "params": { "aggType": "avg", "termSize": 6, "thresholdComparator": ">", "timeWindowSize": 5, "timeWindowUnit": "m", "groupBy": "top", "threshold": [ 1000 ], "index": [ ".kibana" ], "timeField": "@timestamp", "aggField": "sheet.version", "termField": "name.keyword" }, "consumer": "alerts", "alertTypeId": ".index-threshold", "schedule": { "interval": "1m" }, "actions": [ { "actionTypeId": ".server-log", "group": "threshold met", "params": { "level": "info", "message": "alert {{alertName}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}" }, "id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2" } ], "tags": [ "cpu" ], "name": "my alert", "enabled": true, "throttle": null, "apiKeyOwner": "elastic", "createdBy": "elastic", "updatedBy": "elastic", "muteAll": false, "mutedInstanceIds": [], "updatedAt": "2021-02-10T18:03:19.961Z", "createdAt": "2021-02-10T18:03:19.961Z", "scheduledTaskId": "425b0800-6bca-11eb-9e0d-85d233e3ee35", "executionStatus": { "lastExecutionDate": "2021-02-10T18:03:19.966Z", "status": "pending" } }