|
| 1 | +--- |
| 2 | +applies_to: |
| 3 | + stack: ga 9.3 |
| 4 | + serverless: ga |
| 5 | +products: |
| 6 | + - id: fleet |
| 7 | + - id: elastic-agent |
| 8 | +navigation_title: Alerting rule templates |
| 9 | +--- |
| 10 | + |
| 11 | +# Alerting Rule Templates [alerting-rule-templates] |
| 12 | + |
| 13 | +Alerting rule templates are out-of-the-box, preconfigured rule definitions maintained by Elastic integration authors. They help you start monitoring in minutes—no queries to write, no thresholds to figure out—by providing curated {{esql}} queries, sensible defaults, and recommended thresholds tailored to each integration. Templates are available from an integration’s Assets and open a prefilled rule creation form you can adjust and enable. |
| 14 | + |
| 15 | +## Prerequisites |
| 16 | + |
| 17 | +- Install or upgrade to the latest version of the integration that includes alerting rule templates. |
| 18 | +- Ensure the relevant data stream is enabled and ingesting data for the template you plan to use. |
| 19 | +- {{stack}} 9.3 or later. |
| 20 | +- Appropriate {{kib}} role privileges to create and manage rules in the current space. |
| 21 | +- Optional: One or more connectors (for example, email, Slack, webhook) to route alert notifications. |
| 22 | + |
| 23 | +## How to use the Alerting Rule Templates |
| 24 | + |
| 25 | +Alerting rule templates come with recommended, pre-populated values. To use them: |
| 26 | + |
| 27 | +1. In {{kib}}, go to **{{manage-app}}** > **{{integrations}}**. |
| 28 | +1. Find and open the integration. |
| 29 | +1. On the integration page, open the **Assets** tab and expand **Alerting rule templates** to view all available templates for that integration. |
| 30 | +1. Select a template to open a prefilled Create rule form. |
| 31 | +1. Review and (optionally) customize the prefilled settings, then save and enable the rule. |
| 32 | + |
| 33 | +When you click a template, you get a prefilled rule creation form. You can use the template to create your own custom alerting rule by adjusting values, setting up connectors, and defining rule actions. |
| 34 | + |
| 35 | +The preconfigured defaults typically include: |
| 36 | + |
| 37 | +- **{{esql}} query** |
| 38 | +: A curated, text-based query that evaluates your data and triggers when matches are found during the latest run. |
| 39 | +- **Recommended threshold** |
| 40 | +: A suggested threshold embedded in the {{esql}} `WHERE` clause. You can tune the threshold to fit your environment. |
| 41 | +- **Time window (look-back)** |
| 42 | +: The length of time the rule analyzes for data (for example, the last 5 minutes). |
| 43 | +- **Rule schedule** |
| 44 | +: How frequently the rule checks alert conditions (for example, every minute). |
| 45 | +- **Alert delay (alert suppression)** |
| 46 | +: The number of consecutive runs for which conditions must be met before an alert is created. |
| 47 | + |
| 48 | +For details about fields in the Create rule form and how the rule evaluates data, see the {{es}} query rule type (/explore-analyze/alerts-cases/alerts/rule-type-es-query.md). |
| 49 | + |
| 50 | + |
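Review bot: the cross-reference on original line 48 is a bare path in parentheses rather than a markdown link, so it will render as literal text; suggest `see the [{{es}} query rule type](/explore-analyze/alerts-cases/alerts/rule-type-es-query.md)`. The defaults list (original lines 37 to 46) also mixes bullet markers with definition-list syntax (`- **{{esql}} query**` followed by `: A curated, text-based query ...`); either drop the leading `- ` so each term and its `: ` description render as a definition list, or keep the bullets and put the description on the same line, but not both.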