Geo alerting

edit

Alerting now includes one additional stack alert: Tracking containment.

As with other stack alerts, you need all access to the Stack Alerts feature to be able to create and edit a geo alert. See feature privileges for more information on configuring roles that provide access to this feature.

Geo alerting requirements

edit

To create a Tracking containment alert, the following requirements must be present:

  • Tracks index or index pattern: An index containing a geo_point field, date field, and some form of entity identifier. An entity identifier is a keyword or number field that consistently identifies the entity to be tracked. The data in this index should be dynamically updating so that there are entity movements to alert upon.
  • Boundaries index or index pattern: An index containing geo_shape data, such as boundary data and bounding box data. This data is presumed to be static (not updating). Shape data matching the query is harvested once when the alert is created and anytime after when the alert is re-enabled after disablement.

By design, current interval entity locations (current is determined by date in the Tracked index or index pattern) are queried to determine if they are contained within any monitored boundaries. Entity data should be somewhat "real time", meaning the dates of new documents aren’t older than the current time minus the amount of the interval. If data older than now - <current interval> is ingested, it won’t trigger an alert.

Creating a geo alert

edit

Click the Create button in the alert management UI. Complete the general alert details.

Choosing a tracking alert type

Tracking containment

edit

The Tracking containment alert type runs an Elasticsearch query over indices, determining if any documents are currently contained within any boundaries from the specified boundary index. In the event that an entity is contained within a boundary, an alert may be generated.

Defining the conditions
edit

Tracking containment alerts have 3 clauses that define the condition to detect, as well as 2 Kuery bars used to provide additional filtering context for each of the indices.

Five clauses define the condition to detect
Index (entity)
This clause requires an index or index pattern, a time field that will be used for the time window, and a geo_point field for tracking.
When entity
This clause specifies which crossing option to track. The values Entered, Exited, and Crossed can be selected to indicate which crossing conditions should trigger an alert. Entered alerts on entry into a boundary, Exited alerts on exit from a boundary, and Crossed alerts on all boundary crossings whether they be entrances or exits.
Index (Boundary)
This clause requires an index or index pattern, a geo_shape field identifying boundaries, and an optional Human-readable boundary name for better alerting messages.

Conditions for how an alert is tracked can be specified uniquely for each individual action. An alert can be triggered either when a containment condition is met or when an entity is no longer contained.

Five clauses define the condition to detect