
Commit d9cf120

committed
Add "How to query alert indices" page
1 parent 33564d0 commit d9cf120

1 file changed

+189
-0
lines changed

@@ -0,0 +1,189 @@
1+
---
2+
navigation_title: How to query alert indices
3+
mapped_pages:
4+
- https://www.elastic.co/guide/en/kibana/current/query-alerts.html
5+
applies_to:
6+
stack: ga
7+
serverless: ga
8+
products:
9+
- id: kibana
10+
---
11+
12+
# How to query alert indices [view-alerts]
13+
14+
## Index Names
15+
16+
On **Serverless** alerts are stored in [datastreams](https://www.elastic.co/docs/manage-data/data-store/data-streams), on on-prem and Elastic Cloud Hosted (ECH) they are stored in the indices.
17+
18+
All the alert index names consist of 5 parts:
19+
20+
All of them start with `.internal.alerts-` prefix.
21+
Then the `context`, `dataset`, `space-Id` and `version number` parts follow it.
22+
23+
An index name template:<br>
24+
`.internal.alerts-{{context}}.{{dataset}}-{{space-id}}-{{version-number}}`
25+
26+
<blockquote>
27+
<br>
28+
29+
**context:** Usually the product group that the rule type belongs to. Such as Stack, Observability and Security.
30+
31+
**dataset:** “alert” for the alert indices.
32+
33+
**space-id:** Only the security rules are space-specific. All the other rules write into default for all spaces.
34+
35+
**version-number:** This starts from 000001 and gets increased by 1 as the index is rolled over
36+
<br><br>
37+
38+
</blockquote>
39+
40+
An example alert index name of the Elasticsearch Query rule:<br>
41+
**.internal.alerts-stack.alerts-default-000001**
42+
43+
## Index aliases
44+
45+
All the alert indices have an alias too.
46+
47+
They start with `.alerts` prefix, then `context`, `dataset`, `space-Id` follows it.
48+
49+
Alias template:<br>
50+
`.alerts-{{context}}.{{dataset}}-{{space-id}}`
51+
52+
An example alias for the Elasticsearch Query rule index:<br>
53+
`.alerts-stack.alerts-default`
54+
55+
**Note:** Only the security rules are space-specific, other rule types use the `default` space.
56+
57+
<hr>
58+
59+
You can find the index names and aliases per rule type in the below table.
60+
61+
| Index name / Alias | Rules |
62+
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
63+
| <br> `default` <br><br> **Index name:** <br> `.internal.alerts-default.alerts-default-000001` <br><br> **Alias:**<br>`.alerts-default.alerts-default` <br><br><br><br><br><br><br><br><br><br> | <br> **STACK MONITORING** <br><br> CCR read exceptions, <br> Cluster health, <br>CPU Usage, <br> Disk Usage, <br> Elasticsearch version mismatch, <br> Kibana version mismatch, <br> License expiration, <br> Logstash version mismatch, <br> Memory Usage (JVM), <br> Missing monitoring data, <br> Nodes changed, <br> Shard size, <br> Thread pool search rejections, <br> Thread pool write rejections |
64+
| `stack` <br><br> **Index name:**<br> `.internal.alerts-stack.alerts-default-000001` <br><br> **Alias:**<br> `.alerts-stack.alerts-default` | **STACK ALERTS** <br><br> Elasticsearch query, <br> Index threshold, <br> Degraded docs, <br> Tracking containment, <br> Transform health |
65+
| <br> `Observability.apm` <br><br> **Index name:** <br> `.internal.alerts-observability.apm.alerts-default-000001` <br><br> **Alias:**<br> `.alerts-observability.apm.alerts-default` | <br> **APM AND USER EXPERIENCE** <br><br> APM Anomaly, <br> Error count threshold, <br> Failed transaction rate threshold,<br> Latency threshold <br><br> <br> |
66+
| <br> `ml.anomaly-detection-health` <br><br>**Index name:**<br>`.internal.alerts-ml.anomaly-detection-health.alerts-default-000001`<br><br> **Alias:**<br>`.alerts-ml.anomaly-detection-health.alerts-default` | <br> **MACHINE LEARNING** <br> <br> Anomaly detection jobs health <br><br><br> <br><br> |
67+
| <br> `ml.anomaly-detection` <br><br> **Index name:**<br> `.internal.alerts-ml.anomaly-detection.alerts-default-000001`<br><br>**Alias:**<br>`.alerts-ml.anomaly-detection.alerts-default` | **MACHINE LEARNING** <br><br> Anomaly detection <br><br><br><br><br> |
68+
| <br> `ml.observability.uptime`<br><br> **Index name:**<br> `.internal.alerts-stack.alerts-default-000001`<br><br> **Alias:**<br> `.alerts-stack.alerts-default` | <br> **SYNTHETICS AND UPTIME**<br><br> Synthetics monitor status,<br> Synthetics TLS certificate <br> <br> <br> <br> |
69+
| <br> `ml.observability.metrics`<br><br> **Index name:**<br> `.internal.alerts-ml.observability.metrics.alerts-default-000001` <br><br> **Alias:** <br> `.alerts-ml.observability.metrics.alerts-default` | <br> **INFRASTRUCTURE** <br><br>Metric threshold, <br>Inventory<br><br><br><br><br> |
70+
| <br> `ml.observability.threshold`<br><br> **Index name:**<br> `.internal.alerts-ml.observability.threshold.alerts-default-000001`<br><br> **Alias:**<br> `.alerts-ml.observability.threshold.alerts-default` | <br> **OBSERVABILITY**<br><br> Custom Threshold <br><br><br><br><br> |
71+
| <br> `ml.observability.slo`<br><br> **Index name:**<br> `.internal.alerts-ml.observability.logs.alerts-default-000001`<br><br> **Alias:**<br> `.alerts-ml.observability.logs.alerts-default` | <br> **SLOs**<br><br> SLO burn rate <br><br><br><br><br> |
72+
| <br> `ml.observability.logs`<br><br> **Index name:**<br> `.internal.alerts-ml.observability.slo.alerts-default-000001`<br><br> **Alias:**<br> `.alerts-ml.observability.slo.alerts-default` | <br> **LOGS**<br><br> Log Threshold <br><br><br><br><br> |
73+
| <br> `ml.dataset.quality`<br><br> **Index name:**<br> `.internal.alerts-ml.dataset.quality.alerts-default-000001`<br><br> **Alias:**<br> `.alerts-ml.dataset.quality.alerts-default` | <br> Degraded docs <br><br><br><br><br><br> <br> |
74+
| <br> `ml.streams`<br><br> **Index name:**<br> `.internal.alerts-ml.streams.alerts-default-000001`<br><br>**Alias:**<br>`.alerts-ml.streams.alerts-default` | <br> **STREAMS** <br><br> ES\|QL Rule <br><br><br><br><br> |
75+
| <br> `security.attack.discovery`<br><br> **Index name:**<br> `.internal.alerts-security.attack.discovery.alerts-{{your-space-id}}-000001`<br><br>**Alias:**<br>`.alerts-security.attack.discovery.alerts-{{your-space-id}}` | <br> **SECURITY** <br><br> Attack Discovery Schedule <br><br><br><br><br> |
76+
| <br> `security`<br><br> **Index name:**<br> `.internal.alerts-security.alerts-{{your-space-id}}-000001`<br><br>**Alias:**<br>`.alerts-security.alerts-{{your-space-id}}` | <br> **SECURITY** <br><br> All the other security rules <br><br><br><br><br> |
77+
78+
## Queries
79+
80+
You can simply search for an alert by using `.internal.alerts-*` **index pattern** or the **index alias**.
81+
<br><br>
82+
83+
### To get all the alerts:
84+
85+
The below query returns top 100 alerts you have from all the alert indices you have.
86+
87+
```json
88+
GET /.internal.alerts-*/_search
89+
{
90+
"query": {
91+
"match_all": {}
92+
},
93+
"size":100
94+
}
95+
```
96+
97+
### To get mapping of an alert index:
98+
99+
An example for the Elasticsearch query rule:
100+
101+
With its index name:
102+
103+
```json
104+
GET /.internal.alerts-stack.alerts-default-000001/_mapping
105+
```
106+
107+
Or with its alias:
108+
109+
```
110+
GET /.alerts-stack.alerts-default/_mapping
111+
```
112+
113+
### To get only the active/recovered alerts
114+
115+
Replace the `kibana.alert.status` value with recovered for the recovered alerts
116+
117+
```json
118+
GET /.internal.alerts-*/_search
119+
{
120+
"query": {
121+
"bool": {
122+
"filter": [{ "term": { "kibana.alert.status": "active" } }]
123+
}
124+
},
125+
"size": 100
126+
}
127+
```
128+
129+
### To query the alerts of a specific rule
130+
131+
Replace the `kibana.alert.rule.uuid` value with your rule id
132+
133+
```json
134+
GET /.internal.alerts-*/_search
135+
{
136+
"size": 100,
137+
"query": {
138+
"bool": {
139+
"filter": [
140+
{ "term": { "kibana.alert.rule.uuid": "--your-rule-id--" } }
141+
]
142+
}
143+
}
144+
}
145+
```
146+
147+
### To query the alerts that are generated within a specific time window
148+
149+
Replace the `kibana.alert.status` value with recovered for the recovered alerts
150+
151+
```json
152+
GET /.internal.alerts-*/_search
153+
{
154+
"query": {
155+
"bool": {
156+
"filter": [
157+
{ "term": { "kibana.alert.status": "recovered"}},
158+
{
159+
"range": {
160+
"@timestamp": {
161+
"gte": "now-60m",
162+
"lte": "now"
163+
}
164+
}
165+
}
166+
]
167+
}
168+
},
169+
"size": 100
170+
}
171+
```
172+
173+
### To query the alerts of a specific rule type
174+
175+
Replace the `kibana.alert.rule.category` value with your rule type name
176+
177+
```json
178+
GET /.internal.alerts-*/_search
179+
{
180+
"query": {
181+
"bool": {
182+
"filter": [
183+
{ "term": { "kibana.alert.rule.category": "Elasticsearch query"}}
184+
]
185+
}
186+
},
187+
"size": 100
188+
}
189+
```
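Review bot: the per-rule-type table contradicts itself and the `{{context}}.{{dataset}}` template defined above it, which matters because readers will paste these names straight into queries. The `ml.observability.uptime` row repeats the `stack` row's values (`.internal.alerts-stack.alerts-default-000001` / `.alerts-stack.alerts-default`) rather than an index built from its own context; the `ml.observability.slo` row points at `.internal.alerts-ml.observability.logs.alerts-default-000001` while the `ml.observability.logs` row points at `.internal.alerts-ml.observability.slo.alerts-default-000001`, so the two look swapped; and the `ml.` prefix on the observability, `dataset.quality` and `streams` rows is inconsistent with the `Observability.apm` row, which carries none. Please verify each row's context against what the rule type actually writes to before this ships. Smaller points in the same hunk: the lead-in under "To query the alerts that are generated within a specific time window" (`Replace the kibana.alert.status value with recovered for the recovered alerts`) is copied from the previous section, whereas what the reader needs to adjust in that query is the `@timestamp` range (`"gte": "now-60m"`, `"lte": "now"`); the alias `_mapping` example is in a bare fence while every other example is tagged `json`; the Index Names paragraph reads "on on-prem" and uses `space-Id` where the template uses `space-id`; and since the page itself notes that the version suffix increments on rollover, the Queries section could steer readers toward the `.alerts-*` alias pattern rather than a concrete `-000001` index name.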
