Create rule API
editCreate rule API
editCreate Kibana rules.
Request
editPOST <kibana host>:<port>/api/alerting/rule/<id>
POST <kibana host>:<port>/s/<space_id>/api/alerting/rule/<id>
Prerequisites
editYou must have all privileges for the appropriate Kibana features, depending on
the consumer and rule_type_id of the rules you’re creating. For example, the
Management > Stack Rules feature, Analytics > Discover and Machine Learning
features, Observability, and Security features. If the rule has actions,
you must also have read privileges for the Management >
Actions and Connectors feature. For more details, refer to
Feature privileges.
Description
edit- This API supports only token-based authentication.
- When you create a rule, it identifies which roles you have at that point in time. Thereafter, when the rule performs queries, it uses those security privileges. If a user with different privileges updates the rule, its behavior might change.
Path parameters
edit-
<id> - (Optional, string) Specifies a UUID v1 or v4 to use instead of a randomly generated ID.
-
space_id -
(Optional, string) An identifier for the space. If
space_idis not provided in the URL, the default space is used.
Request body
edit-
actions -
(Optional, object array) An array of action objects.
Properties of the action objects:
-
group -
(Required, string) Grouping actions is recommended for escalations for different
types of alerts. If you don’t need this, set this value to
default. -
id - (Required, string) The ID of the connector saved object.
-
params -
(Required, object) The map to the
paramsthat the connector type will receive. ` params` are handled as Mustache templates and passed a default set of context.
-
-
consumer -
(Required, string) The name of the application or feature that owns the rule.
For example:
alerts,apm,discover,infrastructure,logs,metrics,ml,monitoring,securitySolution,siem,stackAlerts, oruptime. -
enabled - (Optional, boolean) Indicates if you want to run the rule on an interval basis after it is created.
-
name - (Required, string) A name to reference and search.
-
notify_when -
(Required, string) The condition for throttling the notification:
onActionGroupChange,onActiveAlert, oronThrottleInterval. -
params -
(Required, object) The parameters to pass to the rule type executor
paramsvalue. This will also validate against the rule type params validator, if defined. -
rule_type_id -
(Required, string) The ID of the rule type that you want to call when the rule
is scheduled to run. For example,
.es-query,.index-threshold,logs.alert.document.count,monitoring_alert_cluster_health,siem.thresholdRule, orxpack.ml.anomaly_detection_alert. For more information, refer to Rule types. -
schedule -
(Required, object) The schedule specifying when this rule should be run, using one of the available schedule formats.
Schedule formats
A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.
We currently support the interval format which specifies the interval in seconds, minutes, hours or days at which the rule should run. For example:
{ "interval": "10s" },{ "interval": "5m" },{ "interval": "1h" }, or{ "interval": "1d" }.There are plans to support multiple other schedule formats in the near future.
-
tags - (Optional, string array) A list of keywords to reference and search.
-
throttle -
(Optional, string) How often this rule should fire the same actions. This will
prevent the rule from sending out the same notification over and over. For
example, if a rule with a
scheduleof 1 minute stays in a triggered state for 90 minutes, setting athrottleof10mor1hwill prevent it from sending 90 notifications during this period.
Response codes
edit-
200 - Indicates a successful call.
Examples
editCreate a rule that has actions associated with a server log connector:
POST api/alerting/rule
{
"params":{
"aggType":"avg",
"termSize":6,
"thresholdComparator":">",
"timeWindowSize":5,
"timeWindowUnit":"m",
"groupBy":"top",
"threshold":[
1000
],
"index":[
".test-index"
],
"timeField":"@timestamp",
"aggField":"sheet.version",
"termField":"name.keyword"
},
"consumer":"alerts",
"rule_type_id":".index-threshold",
"schedule":{
"interval":"1m"
},
"actions":[
{
"id":"dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
"group":"threshold met",
"params":{
"level":"info",
"message":"alert '{{alertName}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
}
}
],
"tags":[
"cpu"
],
"notify_when":"onActionGroupChange",
"name":"my alert"
}
The API returns the following:
{
"id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
"consumer": "alerts",
"tags": ["cpu"],
"name": "my alert",
"enabled": true,
"throttle": null,
"schedule": {"interval": "1m"},
"params": {
"aggType": "avg",
"termSize": 6,
"thresholdComparator": ">",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"groupBy": "top",
"threshold": [1000],
"index": [".test-index"],
"timeField": "@timestamp",
"aggField": "sheet.version",
"termField": "name.keyword"
},
"rule_type_id": ".index-threshold",
"scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
"created_by": "elastic",
"updated_by": "elastic",
"created_at": "2022-06-08T17:20:31.632Z",
"updated_at": "2022-06-08T17:20:31.632Z",
"api_key_owner": "elastic",
"notify_when": "onActionGroupChange",
"mute_all": false,
"muted_alert_ids": [],
"execution_status": {
"last_execution_date": "2022-06-08T17:20:31.632Z",
"status": "pending"
}
"actions": [
{
"group": "threshold met",
"id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
"params": {
"level": "info",
"message": "alert {{alertName}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
},
"connector_type_id": ".server-log"
}
]
}