Create Threshold Alertedit

You can create a threshold alert to periodically check when your data goes above or below a certain threshold within a given time interval. It’s one of the most common type of alerts that you can create using Watcher. For more advanced watches, see the Create Advanced Watch.

To create a threshold alert:

  • Click the Create threshold alert button.

Inputs & Triggersedit

You must first configure the inputs and triggers.

  1. Add a name for the alert.
  2. Choose one or more indices that have a time-based field as the alert input.
  3. Configure a trigger interval.

    Created Threshold Alert

Conditionedit

Here, you can configure the condition that will cause alert to trigger. The UI is interactive and selecting the various elements within the expression will display a UI to change the values.

Threshold Alert Agg Type

Here are a few examples of common alerts based on x-pack monitoring data:

  • High heap usage: Threshold Alert Example High Heap Usage
  • System load: Threshold Alert Example System Load

Here are some specifics of how the visualization works:

  • The time window that is used in the visualization is calculated by taking the duration defined in the expression and multiplying it by 5. So, if you select FOR THE LAST 5 hours, the visualization will show data from the last 25 hours.
  • In the chart, you will see a blue line that represents the aggregated data. There is also a red line that represents the threshold value.
  • If you use the terms aggregation to aggregate over a specific field, there will be multiple visualizations available and pagination controls will appear as shown below.

    • Threshold Alert Group By pagination

Actionsedit

Here you can configure the various actions that will occur when the alert fires.

Click Add new action to trigger a dropdown selection:

Threshold Alert Select Action

Selecting an action will allow you to customize settings for the respective action.

Threshold Alert Logging Action

All fields for an alert support using mustache syntax and expose a {{ctx}} variable which exposes various properties of the alert

The supported actions are:

Note that certain actions require configuration within Elasticsearch, such as email and slack.