The index threshold alert type runs an Elasticsearch query on a schedule. It aggregates field values from the documents that fall inside a time window, compares the aggregated value to a threshold, and schedules actions to run when the threshold is met.
Create the alert
Fill in the alert details, then select Index Threshold.
Define the conditions
Define properties to detect the condition.
- Index
- This clause requires an index or index pattern and a time field that will be used for the time window.
- When
- This clause specifies how the value to be compared to the threshold is calculated. The value is calculated by aggregating a numeric field over the time window. The aggregation options are: count, average, sum, min, and max. When using count, the document count is used, and an aggregation field is not necessary.
- Over/Grouped Over
- This clause lets you configure whether the aggregation is applied over all documents, or should be split into groups using a grouping field. If grouping is used, an alert instance is created for each group that exceeds the threshold. To limit the number of instances on high cardinality fields, you must specify the number of groups to check against the threshold. Only the top groups are checked: a group that exceeds the threshold but falls outside the top N is never evaluated and will not fire, so size this number with the cardinality of the field in mind.
- Threshold
- This clause defines a threshold value and a comparison operator (one of is above, is above or equals, is below, is below or equals, or is between). The result of the aggregation is compared to this threshold.
- Time window
- This clause determines how far back to search for documents, using the time field set in the index clause. Generally this value should be set higher than the check every value in the general alert details, to avoid gaps in detection: if the window is shorter than the check interval, documents that arrive between the end of one window and the start of the next are never evaluated.
If data is available and all clauses have been defined, a preview chart renders the threshold value and a line chart showing the aggregated value for each of the last 30 check intervals. This gives an indication of recent values and their proximity to the threshold, and helps you tune the clauses.
Add action variables
The following context values are available to the actions of an index threshold alert:
A preconstructed title for the alert. Example:
alert kibana sites - high egress met threshold.
A preconstructed message for the alert. Example:
alert 'kibana sites - high egress' is active for group 'threshold met':
- Value: 42
- Conditions Met: count greater than 4 over 5m
- Timestamp: 2020-01-01T00:00:00.000Z
The name of the action group associated with the threshold condition (the group named in the message example above).
The date, in ISO format, that the alert met the threshold condition (the timestamp in the message example above).
The value for the alert that met the threshold condition.
A description of the threshold condition. Example:
count greater than 4
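The conditions described above and the action variables they feed can be traced end to end in code. The following is an added example written for this page, not Kibana's own implementation: it builds the Elasticsearch query body that the five clauses correspond to, evaluates the same clauses locally over constructed sample documents, and emits one context dict per firing group, shaped like the variables listed above. The key names in PARAMS, the flat "host.keyword" field in the sample documents, the host names and the byte counts are this example's assumptions. The constructed data also shows the grouping caveat from the Over clause: host c.example exceeds the threshold but is only the third-largest group, so with the top 2 groups checked it never fires.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)

# The five clauses from the text as a plain dict. These key names belong to
# this example; they are not Kibana's parameter names.
PARAMS = {
    "index": "kibana_sample_data_logs",
    "time_field": "@timestamp",
    "agg_type": "sum",             # count, average, sum, min or max
    "agg_field": "bytes",          # ignored for count
    "group_by": "top",             # "all" (no grouping) or "top" (grouped over)
    "term_field": "host.keyword",
    "term_size": 2,                # only the top N groups are checked
    "comparator": "is above",
    "threshold": [420000],         # two values for "is between"
    "window": timedelta(hours=24),
}

# Constructed sample documents (the keyword field is kept flat for brevity).
# The 30-hour-old document for a.example lies outside the 24h window.
DOCS = [
    {"@timestamp": NOW - timedelta(hours=1),  "host.keyword": "a.example", "bytes": 300000},
    {"@timestamp": NOW - timedelta(hours=5),  "host.keyword": "a.example", "bytes": 200000},
    {"@timestamp": NOW - timedelta(hours=30), "host.keyword": "a.example", "bytes": 1000000},
    {"@timestamp": NOW - timedelta(hours=2),  "host.keyword": "b.example", "bytes": 450000},
    {"@timestamp": NOW - timedelta(hours=3),  "host.keyword": "c.example", "bytes": 430000},
    {"@timestamp": NOW - timedelta(hours=4),  "host.keyword": "d.example", "bytes": 100000},
]

AGG = {"count": len, "sum": sum, "average": lambda xs: sum(xs) / len(xs),
       "min": min, "max": max}


def build_query(p, now):
    """Elasticsearch query DSL equivalent of the clauses: a range filter on the
    time field for the window, and, when grouping, a terms aggregation sized
    to term_size with the metric aggregation nested under it. For count the
    bucket doc_count (or hits.total) is the value, so no metric is added."""
    body = {"size": 0, "query": {"range": {p["time_field"]: {
        "gte": (now - p["window"]).isoformat(), "lt": now.isoformat()}}}}
    es_type = {"average": "avg"}.get(p["agg_type"], p["agg_type"])
    metric = {} if p["agg_type"] == "count" else {"metric": {es_type: {"field": p["agg_field"]}}}
    if p["group_by"] == "top":
        groups = {"terms": {"field": p["term_field"], "size": p["term_size"]}}
        if metric:
            groups["aggs"] = metric
        body["aggs"] = {"groups": groups}
    elif metric:
        body["aggs"] = metric
    return body


def aggregate(docs, p, now):
    """Locally, what Elasticsearch computes for build_query: the aggregated
    value per group (or for all documents), keeping only the top term_size
    groups (ordered by aggregated value, descending, in this example)."""
    start = now - p["window"]
    buckets = {}
    for d in docs:
        if not start <= d[p["time_field"]] < now:
            continue
        key = d[p["term_field"]] if p["group_by"] == "top" else "all documents"
        buckets.setdefault(key, []).append(d.get(p["agg_field"]))
    values = {k: AGG[p["agg_type"]](v) for k, v in buckets.items()}
    if p["group_by"] == "top":
        values = dict(sorted(values.items(), key=lambda kv: kv[1], reverse=True)[:p["term_size"]])
    return values


def condition_met(value, comparator, threshold):
    """The Threshold clause: compare the aggregated value with the operator."""
    lo = threshold[0]
    return {"is above": value > lo, "is above or equals": value >= lo,
            "is below": value < lo, "is below or equals": value <= lo,
            "is between": lo <= value <= threshold[-1]}[comparator]


def run_check(docs, p, now, alert_name):
    """One scheduled check. Returns, for each group that met the threshold,
    a context dict shaped like the action variables described in the text."""
    conditions = (f"{p['agg_type']} {p['comparator']} "
                  f"{' and '.join(map(str, p['threshold']))} over {p['window']}")
    fired = []
    for group, value in aggregate(docs, p, now).items():
        if condition_met(value, p["comparator"], p["threshold"]):
            fired.append({
                "group": group, "value": value, "date": now.isoformat(),
                "conditions": conditions,
                "title": f"alert {alert_name} group {group} met threshold",
                "message": (f"alert '{alert_name}' is active for group '{group}':\n"
                            f"- Value: {value}\n- Conditions Met: {conditions}\n"
                            f"- Timestamp: {now.isoformat()}"),
            })
    return fired


if __name__ == "__main__":
    for ctx in run_check(DOCS, PARAMS, NOW, "kibana sites - high egress"):
        print(ctx["message"], end="\n\n")
```

Running the block prints one message each for a.example (500000 bytes in the window) and b.example (450000). Raising term_size to 10 in PARAMS makes c.example fire as well, which is the practical way to see how the group count trades instance volume against coverage.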
In this example, you will use the Kibana sample weblog dataset to set up and tune the conditions on an index threshold alert. For this example, you want to detect when any of the top four sites serves more than 420,000 bytes over a 24 hour period.
- Open the main menu, then click Stack Management > Alerts and Actions.
- Create a new alert that is checked every four hours and executes actions when the alert status changes.
- Select the Index threshold alert type.
- Click Index, and set Indices to query to kibana_sample_data_logs.
- Set the Time field to @timestamp.
- To detect the number of bytes served during the time window, click When and select sum as the aggregation, and bytes as the field to aggregate.
- To detect the four sites that have the most traffic, click Over, set the number of groups to 4, and select host.keyword as the field.
- To alert when any of the top four sites exceeds 420,000 bytes over a 24 hour period, select is above and enter 420000.
- Finally, click For the last, enter 24, and select hours to complete the alert configuration.
The preview chart renders the 24 hour sum of bytes at 4 hour intervals (the check every interval) for the past 120 hours (the last 30 intervals).
Change the time window and observe the effect it has on the chart. Compare a 24 hour window to a 12 hour window. Notice the variability in the sum of bytes, due to different traffic levels during the day compared to at night. This variability would result in noisy alerts, so the 24 hour window is better. The preview chart can help you find the right values for your alert.
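As an added illustration of the preview chart and of the relationship between the time window and the check interval, the following Python example (written for this page, not part of Kibana) constructs hourly log documents with a day/night traffic pattern, computes the 30-point series the chart would plot for a 24 hour and a 12 hour window at a 4 hour check interval, and counts the documents that a window shorter than the check interval never inspects. The traffic volumes, the day/night hours and the function names are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

START = datetime(2020, 1, 1, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)


def synthetic_logs(days=6, day_bytes=35000, night_bytes=5000):
    """Constructed sample data: one document per hour for `days` days, with
    heavier traffic between 08:00 and 20:00 (a crude day/night pattern)."""
    docs = []
    for h in range(days * 24):
        ts = START + h * HOUR
        docs.append({"@timestamp": ts,
                     "bytes": day_bytes if 8 <= ts.hour < 20 else night_bytes})
    return docs


def window_sum(docs, end, window):
    """The When clause of the walkthrough: sum(bytes) over [end - window, end)."""
    start = end - window
    return sum(d["bytes"] for d in docs if start <= d["@timestamp"] < end)


def check_ends(docs, check_every, intervals):
    """Timestamps of the last `intervals` checks, the newest one ending just
    after the latest document (the chart's right-hand edge)."""
    last = max(d["@timestamp"] for d in docs) + HOUR
    return [last - i * check_every for i in reversed(range(intervals))]


def preview_series(docs, check_every, window, intervals=30):
    """What the preview chart plots: the aggregated value at each of the last
    `intervals` check times, each computed over the trailing window."""
    return [window_sum(docs, end, window)
            for end in check_ends(docs, check_every, intervals)]


def uninspected(docs, check_every, window, intervals=30):
    """Documents inside the checked period that no check's window covers.
    Non-empty whenever window < check_every: that is the detection gap."""
    ends = check_ends(docs, check_every, intervals)
    windows = [(e - window, e) for e in ends]
    period_start = ends[0] - check_every
    return [d for d in docs
            if period_start <= d["@timestamp"] < ends[-1]
            and not any(s <= d["@timestamp"] < e for s, e in windows)]


if __name__ == "__main__":
    docs = synthetic_logs()
    every = timedelta(hours=4)
    for hours in (24, 12):
        series = preview_series(docs, every, timedelta(hours=hours))
        print(f"{hours}h window: min={min(series)} max={max(series)} "
              f"fires={sum(v > 420000 for v in series)}/30")
    print("docs never inspected with a 2h window:",
          len(uninspected(docs, every, timedelta(hours=2))))
```

With the constructed traffic, the 24 hour series is flat (every window holds the same twelve day hours and twelve night hours) and sits above the 420,000 threshold on every check, while the 12 hour series swings between the night-only and day-only windows and crosses the threshold only on some checks: the noisy behaviour the text warns about. The last line is the caveat from the Time window clause made concrete: with a 2 hour window checked every 4 hours, half of the documents in the checked period are never examined.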