[Integrations] Draft Alerting Rule Template common page #4072
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| --- | ||
| applies_to: | ||
| stack: ga 9.3 | ||
| serverless: ga | ||
| products: | ||
| - id: fleet | ||
| - id: elastic-agent | ||
| navigation_title: Alerting rule templates | ||
|
||
| --- | ||
|
|
||
| # Alerting Rule Templates [alerting-rule-templates] | ||
|
|
||
| Alerting rule templates are out-of-the-box, preconfigured rule definitions maintained by Elastic integration authors. They help you start monitoring in minutes—no queries to write, no thresholds to figure out—by providing curated {{esql}} queries, sensible defaults, and recommended thresholds tailored to each integration. Templates are available from an integration’s Assets and open a prefilled rule creation form you can adjust and enable. | ||
|
||
|
|
||
| ## Prerequisites | ||
|
|
||
| - Install or upgrade to the latest version of the integration that includes alerting rule templates. | ||
| - Ensure the relevant data stream is enabled and ingesting data for the template you plan to use. | ||
|
Reviewer comment: I think our naming conventions for the template names make it fairly clear which data the rule is targeting, but there's no well-defined way to find the 'relevant data stream'.
Author reply: I defer to @muthu-mps here.
Reply: Instead of using the data stream mention, we could modify this to.
|
||
| - {{stack}} 9.2.1 or later. | ||
| - Appropriate {{kib}} role privileges to create and manage rules in the current space. | ||
| - Optional: One or more connectors (for example, email, Slack, webhook) to route alert notifications. | ||
|
||
|
|
||
| ## How to use the Alerting Rule Templates | ||
|
|
||
| Alerting rule templates come with recommended, pre-populated values. To use them: | ||
|
||
|
|
||
| 1. In {{kib}}, go to **{{manage-app}}** > **{{integrations}}**. | ||
| 1. Find and open the integration. | ||
| 1. On the integration page, open the **Assets** tab and expand **Alerting rule templates** to view all available templates for that integration. | ||
| 1. Select a template to open a prefilled Create rule form. | ||
| 1. Review and (optionally) customize the prefilled settings, then save and enable the rule. | ||
|
|
||
| When you click a template, you get a prefilled **Create Rules** form. You can use the template to create your own custom alerting rule by adjusting values, setting up connectors, and defining rule actions. | ||
|
||
|
|
||
| The preconfigured defaults typically include: | ||
|
||
|
|
||
| - **{{esql}} query** | ||
| : A curated, text-based query that evaluates your data and triggers when matches are found during the latest run. | ||
| - **Recommended threshold** | ||
| : A suggested threshold embedded in the {{esql}} `WHERE` clause. You can tune the threshold to fit your environment. | ||
| - **Time window (look-back)** | ||
| : The length of time the rule analyzes for data (for example, the last 5 minutes). | ||
| - **Rule schedule** | ||
| : How frequently the rule checks alert conditions (for example, every minute). | ||
| - **Alert delay (alert suppression)** | ||
| : The number of consecutive runs for which conditions must be met before an alert is created. | ||
|
|
||
| For details about fields in the Create rule form and how the rule evaluates data, refer to the [{{es}} query rule type](/explore-analyze/alerts-cases/alerts/rule-type-es-query.md). | ||
|
|
||
|
|
||
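Review bot: The frontmatter `applies_to` block declares `stack: ga 9.3`, but the Prerequisites list states `{{stack}} 9.2.1 or later`; the two lines disagree on the minimum supported version, so align them (either mark the feature as available from 9.2.1 in `applies_to` or raise the prerequisite to 9.3). The form name is also inconsistent within the hunk: step 4 and the closing paragraph say "Create rule form" while the paragraph after the numbered steps says "**Create Rules** form"; pick one spelling. Finally, the prerequisite "Ensure the relevant data stream is enabled and ingesting data for the template you plan to use" gives the reader no way to identify which data stream a given template needs, as the thread already notes; rewording it around the template's target data (or the integration's data streams in general) would make the check actionable.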