Enable Alerting (via Watcher)

Alerting lets you take action based on changes in your data. It is designed around the principle that, if you can query something in Elasticsearch, you can alert on it. Simply define a query, condition, schedule, and the actions to take, and Alerting will do the rest.


In Elasticsearch 5.x, Watcher was renamed to Alerting and became a part of X-Pack. If you’re using a version of Elasticsearch before 5.0, think Watcher every time you read about Alerting.

To learn more about Alerting and how to use it, see Watcher - Alerting & Notification (version 5.0 and later) or Elasticsearch Watcher (all versions before 5.0).

You can run Alerting on a separate cluster from the cluster whose data you are actually watching.

To enable alerting on a cluster, you also need to:

  • Enable automatic index creation on the Configuration page, if it isn’t enabled already
  • Enable scripting for most uses of Alerting, as Alerting uses the Elasticsearch script infrastructure
  • For Elasticsearch versions before 5.0: Enable authentication

Send Alerts by Email

Alerting can send alerts by email.

To send alerts by email:

  1. Go to the Elastic Cloud email settings.
  2. Enter a recipient to be whitelisted under Watcher Whitelist and click Request Whitelisting.

    An email is sent to the email address.

  3. The recipient must acknowledge the request by clicking Whitelist Email in the email.

    After the whitelist request is acknowledged, you are able to send alerts to the recipient address by email.

For GCP, we don’t support sending alerts by email, yet.

For more information on sending alerts by email, see Actions.


Some restrictions exist:

  • Changing the default throttle period is not possible. You can specify a throttle period per watch, however.
  • You cannot use your own SMTP server. All emails are sent through our servers, and the recipient must be whitelisted.

Advanced Usage

Slack, HipChat, and PagerDuty Integration

Under the hood, Alerting is configured via elasticsearch.yml. If you want to customize your Alerting settings, you can provide custom elasticsearch.yml snippet which is appended to your configuration.

To provide the custom snippet you can use the console User Settings section under the cluster configuration.

For example if you want to use the Slack integration:

Advanced Alerting configuration