explore-analyze/alerts-cases/watcher.md: 35 additions & 7 deletions
@@ -9,15 +9,43 @@ mapped_urls:
9
9
10
10
# Watcher
11
11
12
-
% What needs to be done: Lift-and-shift
12
+
::::{tip}
13
+
{{kib}} Alerting provides a set of built-in actions and alerts that are integrated with applications such as APM, Metrics, Security, and Uptime. You can use {{kib}} Alerting to detect complex conditions within different {{kib}} apps and trigger actions when those conditions are met. For more information, see [Alerting and actions](../alerts-cases.md).
14
+
::::
13
15
14
-
% Use migrated content from existing pages that map to this page:
16
+
You can use Watcher to watch for changes or anomalies in your data and perform the necessary actions in response. For example, you might want to:
* Monitor social media as another way to detect failures in user-facing automated systems like ATMs or ticketing systems. When the number of tweets and posts in an area exceeds a threshold of significance, notify a service technician.
19
+
* Monitor your infrastructure, tracking disk usage over time. Open a helpdesk ticket when any servers are likely to run out of free space in the next few days.
20
+
* Track network activity to detect malicious activity, and proactively change firewall configuration to reject the malicious user.
21
+
* Monitor Elasticsearch, and send immediate notification to the system administrator if nodes leave the cluster or query throughput exceeds an expected range.
22
+
* Track application response times and if page-load time exceeds SLAs for more than 5 minutes, open a helpdesk ticket. If SLAs are exceeded for an hour, page the administrator on duty.
23
+
24
+
All of these use-cases share a few key properties:
25
+
26
+
* The relevant data or changes in data can be identified with a periodic Elasticsearch query.
27
+
* The results of the query can be checked against a condition.
28
+
* One or more actions are taken if the condition is true — an email is sent, a 3rd party system is notified, or the query results are stored.
29
+
30
+
## How watches work [_how_watches_work]
31
+
32
+
The {{alert-features}} provide an API for creating, managing and testing *watches*. A watch describes a single alert and can contain multiple notification actions.
33
+
34
+
A watch is constructed from four simple building blocks:
35
+
36
+
Schedule
37
+
: A schedule for running a query and checking the condition.
38
+
39
+
Query
40
+
: The query to run as input to the condition. Watches support the full Elasticsearch query language, including aggregations.
41
+
42
+
Condition
43
+
: A condition that determines whether or not to execute the actions. You can use simple conditions (always true), or use scripting for more sophisticated scenarios.
44
+
45
+
Actions
46
+
: One or more actions, such as sending email, pushing data to 3rd party systems through a webhook, or indexing the results of the query.
47
+
48
+
A full history of all watches is maintained in an Elasticsearch index. This history keeps track of each time a watch is triggered and records the results from the query, whether the condition was met, and what actions were taken.
21
49
22
50
% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc):
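Review bot: the hunk drops the `% What needs to be done: Lift-and-shift` placeholder but leaves `% Internal links rely on the following IDs being on this page` as trailing context, so either remove the remaining placeholder comments as well or check the IDs they list against the headings now present (`_how_watches_work` is the only explicit ID this hunk adds). The new body is also inconsistent with the substitution style: the tip uses `{{kib}}`, while the use-case list and the building-block definitions spell out `Elasticsearch` where watcher-ui.md uses `{{es}}`; pick one. Minor wording: `use-cases` should be `use cases`, and `3rd party` (twice) reads better as `third-party`. One caveat worth a sentence at the firewall use case: a watch that changes firewall configuration on its own has only the watch history index described in the last paragraph as an audit trail, so that action is better delivered through the webhook action into a system that can review and roll the change back.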
explore-analyze/alerts-cases/watcher/enable-watcher.md: 7 additions & 16 deletions
@@ -1,16 +1,14 @@
1
-
# Enable Watcher [ec-watcher]
1
+
# Enable Watcher [enable-watcher]
2
2
3
3
::::{note}
4
4
If you are looking for Kibana alerting, check [Alerting and Actions](../../../explore-analyze/alerts-cases.md) in the Kibana Guide.
5
5
::::
6
6
7
-
8
7
Watcher lets you take action based on changes in your data. It is designed around the principle that, if you can query something in Elasticsearch, you can alert on it. Simply define a query, condition, schedule, the actions to take, and Watcher will do the rest.
9
8
10
9
Watcher can be enabled when configuring your cluster. You can run Alerting on a separate cluster from the cluster whose data you are actually watching.
11
10
12
-
13
-
## Before you begin [ec_before_you_begin_8]
11
+
## Before you begin [watcher-before-you-begin]
14
12
15
13
Some restrictions apply when adding alerts. To learn more, check [Restrictions for alerts (via Watcher)](../../../deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md#ec-restrictions-watcher).
16
14
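Review bot: renaming the heading IDs from `ec-watcher` and `ec_before_you_begin_8` to `enable-watcher` and `watcher-before-you-begin` breaks every inbound link that used the old anchors, and this very page still links to an `ec-` anchor on another page (`#ec-restrictions-watcher`), so such anchors are referenced across the set; grep for the old IDs or add redirects before merging. The context prose also keeps `Alerting` as the name of the feature (`You can run Alerting on a separate cluster`, `Alerting can send alerts by email`) while the headings now say Watcher; since the hunk is already retitling, use one term per page.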
@@ -20,8 +18,7 @@ To enable Watcher on a cluster, you may first need to perform one or several of
20
18
21
19
To learn more about Kibana alerting and how to use it, check [Alerting and Actions](../../../explore-analyze/alerts-cases.md).
22
20
23
-
24
-
## Send alerts by email [ec-watcher-allowlist]
21
+
## Send alerts by email [watcher-allowlist]
25
22
26
23
Alerting can send alerts by email. You can configure notifications similar to the [operational emails](../../../deploy-manage/cloud-organization/operational-emails.md) that Elasticsearch Service sends automatically to alert you about performance issues in your clusters.
27
24
@@ -31,8 +28,7 @@ You can optionally add [HTML sanitization](../../../explore-analyze/alerts-cases
31
28
32
29
For more information on sending alerts by email, check [Email action](../../../explore-analyze/alerts-cases/watcher/actions-email.md).
33
30
34
-
35
-
## Cloud email service limits [ec-cloud-email-service-limits]
31
+
## Cloud email service limits [cloud-email-service-limits]
36
32
37
33
The following quotas apply when using the Elastic email service:
38
34
@@ -41,11 +37,9 @@ The following quotas apply when using the Elastic email service:
41
37
* Maximum message size (including attachments): 10 MB per message (after base64 encoding).
42
38
* The email-sender can’t be customized (Any custom `From:` header will be removed)
43
39
40
+
## Advanced usage [advanced_usage]
44
41
45
-
## Advanced usage [ec_advanced_usage]
46
-
47
-
48
-
### Slack and PagerDuty integration [ec-advanced-usage]
42
+
### Slack and PagerDuty integration [advanced-usage]
49
43
50
44
Under the hood, Alerting is configured through `elasticsearch.yml`. If you want to customize your Alerting settings, you can provide custom `elasticsearch.yml` snippet which is appended to your configuration.
The Slack Webhook is set for each account in the Elasticsearch Keystore with the following settings:
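Review bot: the parent heading `## Advanced usage` now carries the ID `advanced_usage` while its subsection `### Slack and PagerDuty integration` gets `advanced-usage`; two anchors that differ only by underscore versus hyphen will be mixed up in links, and the subsection ID no longer describes its content. Suggest `[slack-pagerduty-integration]` for the subsection so each heading has a distinct, descriptive anchor.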
@@ -135,8 +128,7 @@ PUT _watcher/watch/test-alarm
135
128
:alt: Advanced Alerting configuration
136
129
:::
137
130
138
-
139
-
## Configuring a custom mail server [ec-watcher-custom-mail-server]
131
+
## Configuring a custom mail server [watcher-custom-mail-server]
140
132
141
133
It is possible to use a custom mail service instead of the one configured by default. It can be configured by following the [Elasticsearch documentation for configuring email accounts](https://www.elastic.co/guide/en/elasticsearch/reference/current/actions-email.html).
142
134
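Review bot: the trailing context line links to the legacy reference `https://www.elastic.co/guide/en/elasticsearch/reference/current/actions-email.html`, while the earlier section on this same page (`For more information on sending alerts by email`) links to the migrated `../../../explore-analyze/alerts-cases/watcher/actions-email.md`; since this hunk is part of the migration cleanup, point this reference at the relative page too so the two do not drift.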
@@ -169,4 +161,3 @@ An example on how to configure a new account from the Elastic cloud console:
169
161
6. The new email account is now set up. It will now be used by default for watcher email actions.
170
162
171
163
For a full reference of all available settings, see the [Elasticsearch documentation](https://www.elastic.co/guide/en/elasticsearch/reference/current/notification-settings.html#email-notification-settings).
explore-analyze/alerts-cases/watcher/watcher-ui.md: 1 addition & 22 deletions
@@ -1,4 +1,4 @@
1
-
# Watcher [watcher-ui]
1
+
# Watcher UI [watcher-ui]
2
2
3
3
Watcher is an {{es}} feature that you can use to create actions based on conditions, which are periodically evaluated using queries on your data. Watches are helpful for analyzing mission-critical and business-critical streaming data. For example, you might watch application logs for performance outages or audit access logs for security threats.
4
4
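Review bot: retitling to `Watcher UI` while keeping the `watcher-ui` ID is right now that watcher.md owns `# Watcher`, but the first paragraph kept as context still introduces the feature itself (`Watcher is an {{es}} feature that you can use to create actions based on conditions`), duplicating the overview page; open with what this page covers, the {{kib}} UI, and link to the overview for the feature description.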
@@ -17,8 +17,6 @@ Go to the **Watcher** page using the navigation menu or the [global search field
17
17
There are limitations in **Watcher** that affect {{kib}}. For information, refer to [Alerting](../../../explore-analyze/alerts-cases/watcher/watcher-limitations.md).
18
18
::::
19
19
20
-
21
-
22
20
## Watcher security [watcher-security]
23
21
24
22
To use Watcher in {{kib}}, you must have the built-in `kibana_admin` role and either of these Watcher roles:
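Review bot: the context line `There are limitations in **Watcher** that affect {{kib}}. For information, refer to [Alerting](.../watcher-limitations.md)` has link text that does not match its target; `Watcher limitations` would be accurate, and this whitespace-only hunk is the natural place to fix it.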
@@ -32,15 +30,12 @@ To manage roles, go to the **Roles** management page, or use the [role APIs](htt
32
30
If you are creating a threshold watch, you must also have the `view_index_metadata` index privilege. See [Index management](../../../manage-data/lifecycle/index-lifecycle-management/index-management-in-kibana.md) for detailed information.
33
31
::::
34
32
35
-
36
-
37
33
## Create a threshold alert [watcher-create-threshold-alert]
38
34
39
35
A threshold alert is one of the most common types of watches that you can create. This alert periodically checks when your data is above, below, equals, or is in between a certain threshold within a given time interval.
40
36
41
37
The following example walks you through creating a threshold alert. The alert is triggered when the maximum total CPU usage on a machine goes above a certain percentage. The example uses [Metricbeat](https://www.elastic.co/products/beats/metricbeat) to collect metrics from your systems and services. [Learn more](https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-installation-configuration.html) on how to install and get started with Metricbeat.
42
38
43
-
44
39
### Define the watch input and schedule [_define_the_watch_input_and_schedule]
45
40
46
41
1. Click **Create** and then select **Create threshold alert**.
@@ -53,8 +48,6 @@ The following example walks you through creating a threshold alert. The alert is
53
48
54
49

55
50
56
-
57
-
58
51
### Add a condition [_add_a_condition]
59
52
60
53
You should now see a panel with default conditions and a visualization of the data based on those conditions. The condition evaluates the data you’ve loaded into the watch and determines if any action is required.
@@ -70,8 +63,6 @@ You should now see a panel with default conditions and a visualization of the da
70
63
71
64

72
65
73
-
74
-
75
66
### Add an action [_add_an_action]
76
67
77
68
Now that the condition is set, you must add an action. The action triggers when the watch condition is met. For a complete list of actions and how to configure them, see [Adding conditions to actions](../../../explore-analyze/alerts-cases/watcher/action-conditions.md).
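Review bot: the context sentence `For a complete list of actions and how to configure them, see [Adding conditions to actions](.../action-conditions.md)` promises a list of actions but links to the page about per-action conditions; the actions page (`actions.md`, which this file links later for acknowledgement and throttling) is the right target, or reword the sentence to say the link covers conditions on actions.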
@@ -89,18 +80,14 @@ In this example, you’ll configure an email action. You must have an [email acc
89
80
90
81
The alert appears on the Watcher overview page, where you can drill down into the watch history and status.
91
82
92
-
93
-
94
83
### Delete the alert [_delete_the_alert]
95
84
96
85
In this example, you set the threshold to 25% so you can see the watch execute its actions. In a real-world scenario, this threshold is likely too low because the alerts will be too frequent. Once you are done experimenting, you should delete the alert. Find the alert on the Watcher overview page and click the trash icon in the **Actions** column.
97
86
98
-
99
87
### Edit the alert [_edit_the_alert]
100
88
101
89
Alternatively, you can keep the alert and adjust the threshold value. To edit an alert, find the alert on the Watcher overview page and click the pencil icon in the **Actions** column.
102
90
103
-
104
91
## View watch history and status [watcher-getting-started]
105
92
106
93
The Watcher overview page lists your watches, including the state of each watch, when its condition was last met, when the condition was last checked, and whether any of its actions have been acknowledged, throttled, or failed to execute. Each watch can be in one of three states:
@@ -111,41 +98,35 @@ The Watcher overview page lists your watches, including the state of each watch,
111
98
112
99
From this page you can drill down into a watch to investigate its history and status.
113
100
114
-
115
101
### View watch history [_view_watch_history]
116
102
117
103
The **Execution history** tab shows each time the watch is triggered and the results of the query, whether the condition was met, and what actions were taken.
118
104
119
105

120
106
121
-
122
107
### Acknowledge action status [_acknowledge_action_status]
123
108
124
109
The **Action statuses** tab lists all actions associated with the watch and the state of each action. Some actions can be acknowledged, which will prevent too many executions of that action for the relevant watch. See [Acknowledgement and throttling](../../../explore-analyze/alerts-cases/watcher/actions.md#actions-ack-throttle) for details.
125
110
126
111

127
112
128
-
129
113
## Deactivate and delete a watch [watcher-deactivate]
130
114
131
115
Actions for deactivating and deleting a watch are on each watch detail page:
132
116
133
117
***Deactivate a watch** if you know a situation is planned that will cause a false alarm. You can reactivate the watch when the situation is resolved.
134
118
***Delete a watch** to permanently remove it from the system. You can delete the watch you are currently viewing, or go to the Watcher overview, and delete watches in bulk.
135
119
136
-
137
120
## Create an advanced watch [watcher-create-advanced-watch]
138
121
139
122
Advanced watches are for users who are more familiar with {{es}} query syntax and the Watcher framework. The UI is aligned with using the REST APIs. For more information, see [Query DSL](../../../explore-analyze/query-filter/languages/querydsl.md).
140
123
141
-
142
124
### Create the watch [_create_the_watch]
143
125
144
126
On the Watch overview page, click **Create** and choose **Create advanced watch**. An advanced watch requires a name and ID. Name is a user-friendly way to identify the watch, and ID refers to the identifier used by {{es}}. Refer to [Watch definition](../../../explore-analyze/alerts-cases/watcher/how-watcher-works.md#watch-definition) for how to input the watch JSON.
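Review bot: the two items under `Actions for deactivating and deleting a watch are on each watch detail page:` appear as `***Deactivate a watch**` and `***Delete a watch**` with no space after the bullet; unless that is an extraction artifact, Markdown will render a bold-italic run rather than a list, so they should read `* **Deactivate a watch**` and `* **Delete a watch**`. Since this hunk already touches the surrounding blank lines, fold that fix in.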