Alerting lets you take action based on changes in your data. It is designed around the principle that, if you can query something in Elasticsearch, you can alert on it. Simply define a query, condition, schedule, the actions to take, and Alerting will do the rest.
Alerting (via Watcher) can be enabled when you configure your cluster and is available for clusters running version 1.7.2 or higher. You can run Alerting on a separate cluster from the cluster whose data you are actually watching.
In Elasticsearch 5.x, Watcher was renamed to Alerting and became a part of X-Pack. If you’re using a version of Elasticsearch before 5.0, think Watcher every time you read about Alerting.
Some restrictions apply when adding alerts. To learn more, see Restrictions for alerts (via Watcher).
To enable alerting on a cluster, you also need to:
- Enable automatic index creation on the Configuration page, if it isn’t enabled already
- Enable scripting for most uses of Alerting, as Alerting uses the Elasticsearch script infrastructure
- For Elasticsearch versions before 5.0: Enable authentication
To learn more about Alerting and how to use it, see Watcher - Alerting & Notification (version 5.0 and later) or Elasticsearch Watcher (all versions before 5.0).
Alerting can send alerts by email.
To send alerts by email:
- Sign in to the Elasticsearch Service Console.
- Go to Account and then Profile.
- Enter a recipient to be whitelisted under Monitoring email whitelist and click Add. An email is sent to the email address.
- The recipient must acknowledge the request by clicking Whitelist Email in the email.
After the whitelist request is acknowledged, you are able to send alerts to the recipient address by email.
For more information on sending alerts by email, see Email Action.
Under the hood, Alerting is configured via elasticsearch.yml. If you want to customize your Alerting settings, you can provide a custom elasticsearch.yml snippet, which is appended to your configuration. To provide the custom snippet, use the console Elasticsearch settings editor for your deployment.
For example, if you want to use the Slack integration:
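The following is an added example of such a snippet (not the original page's own); it defines a Slack account for Alerting with the `xpack.notification.slack` settings, and the webhook path, channel and icon URL are placeholders:

```yaml
# Added example: elasticsearch.yml snippet defining a Slack account for Alerting (Watcher).
# The webhook path, channel name and icon URL below are placeholders.
xpack.notification.slack:
  default_account: monitoring
  account:
    monitoring:
      # The incoming-webhook URL is a credential: whoever holds it can post to the
      # channel. Treat this file as sensitive, and on versions that support the
      # Elasticsearch keystore store the URL there under
      # xpack.notification.slack.account.monitoring.secure_url instead of here.
      url: https://hooks.slack.com/services/PLACEHOLDER-WEBHOOK-PATH
      message_defaults:
        from: x-pack
        to: "#alerts"
        icon: https://example.com/images/watcher-icon.png
        attachment:
          fallback: "X-Pack Notification"
          color: "#36a64f"
          title: "X-Pack Notification"
          text: "One of your watches generated this notification."
```

A watch's slack action then only needs to name the account (or rely on default_account) and supply the message, so the secret stays in the cluster configuration rather than in every watch definition.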