From d9cf120a77b35c27913d75bf8fe80a272971b88d Mon Sep 17 00:00:00 2001 From: Ersin Erdal Date: Tue, 25 Nov 2025 16:17:52 +0100 Subject: [PATCH] Add "How to query alert indices" page --- .../alerts-cases/alerts/query-alerts.md | 189 ++++++++++++++++++ 1 file changed, 189 insertions(+) create mode 100644 explore-analyze/alerts-cases/alerts/query-alerts.md diff --git a/explore-analyze/alerts-cases/alerts/query-alerts.md b/explore-analyze/alerts-cases/alerts/query-alerts.md new file mode 100644 index 0000000000..fcc6ab5174 --- /dev/null +++ b/explore-analyze/alerts-cases/alerts/query-alerts.md @@ -0,0 +1,189 @@ +--- +navigation_title: How to query alert indices +mapped_pages: + - https://www.elastic.co/guide/en/kibana/current/query-alerts.html +applies_to: + stack: ga + serverless: ga +products: + - id: kibana +--- + +# How to query alert indices [view-alerts] + +## Index Names + +On **Serverless** alerts are stored in [datastreams](https://www.elastic.co/docs/manage-data/data-store/data-streams), on on-prem and Elastic Cloud Hosted (ECH) they are stored in the indices. + +All the alert index names consist of 5 parts: + +All of them start with `.internal.alerts-` prefix. +Then the `context`, `dataset`, `space-Id` and `version number` parts follow it. + +An index name template:
+`.internal.alerts-{{context}}.{{dataset}}-{{space-id}}-{{version-number}}` + +
+
+ +**context:** Usually the product group that the rule type belongs to. Such as Stack, Observability and Security. + +**dataset:** “alert” for the alert indices. + +**space-id:** Only the security rules are space-specific. All the other rules write into default for all spaces. + +**version-number:** This starts from 000001 and gets increased by 1 as the index is rolled over +

+ +
+ +An example alert index name of the Elasticsearch Query rule:
+**.internal.alerts-stack.alerts-default-000001** + +## Index aliases + +All the alert indices have an alias too. + +They start with `.alerts` prefix, then `context`, `dataset`, `space-Id` follows it. + +Alias template:
+`.alerts-{{context}}.{{dataset}}-{{space-id}}` + +An example alias for the Elasticsearch Query rule index:
+`.alerts-stack.alerts-default` + +**Note:** Only the security rules are space-specific, other rule types use the `default` space. + +
+ +You can find the index names and aliases per rule type in the below table. + +| Index name / Alias | Rules | +| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +|
`default`

**Index name:**
`.internal.alerts-default.alerts-default-000001`

**Alias:**
`.alerts-default.alerts-default`









|
**STACK MONITORING**

CCR read exceptions,
Cluster health,
CPU Usage,
Disk Usage,
Elasticsearch version mismatch,
Kibana version mismatch,
License expiration,
Logstash version mismatch,
Memory Usage (JVM),
Missing monitoring data,
Nodes changed,
Shard size,
Thread pool search rejections,
Thread pool write rejections | +| `stack`

**Index name:**
`.internal.alerts-stack.alerts-default-000001`

**Alias:**
`.alerts-stack.alerts-default` | **STACK ALERTS**

Elasticsearch query,
Index threshold,
Degraded docs,
Tracking containment,
Transform health | +|
`Observability.apm`

**Index name:**
`.internal.alerts-observability.apm.alerts-default-000001`

**Alias:**
`.alerts-observability.apm.alerts-default` |
**APM AND USER EXPERIENCE**

APM Anomaly,
Error count threshold,
Failed transaction rate threshold,
Latency threshold


| +|
`ml.anomaly-detection-health`

**Index name:**
`.internal.alerts-ml.anomaly-detection-health.alerts-default-000001`

**Alias:**
`.alerts-ml.anomaly-detection-health.alerts-default` |
**MACHINE LEARNING**

Anomaly detection jobs health




| +|
`ml.anomaly-detection`

**Index name:**
`.internal.alerts-ml.anomaly-detection.alerts-default-000001`

**Alias:**
`.alerts-ml.anomaly-detection.alerts-default` | **MACHINE LEARNING**

Anomaly detection




| +|
`ml.observability.uptime`

**Index name:**
`.internal.alerts-stack.alerts-default-000001`

**Alias:**
`.alerts-stack.alerts-default` |
**SYNTHETICS AND UPTIME**

Synthetics monitor status,
Synthetics TLS certificate



| +|
`ml.observability.metrics`

**Index name:**
`.internal.alerts-ml.observability.metrics.alerts-default-000001`

**Alias:**
`.alerts-ml.observability.metrics.alerts-default` |
**INFRASTRUCTURE**

Metric threshold,
Inventory




| +|
`ml.observability.threshold`

**Index name:**
`.internal.alerts-ml.observability.threshold.alerts-default-000001`

**Alias:**
`.alerts-ml.observability.threshold.alerts-default` |
**OBSERVABILITY**

Custom Threshold




| +|
`ml.observability.slo`

**Index name:**
`.internal.alerts-ml.observability.logs.alerts-default-000001`

**Alias:**
`.alerts-ml.observability.logs.alerts-default` |
**SLOs**

SLO burn rate




| +|
`ml.observability.logs`

**Index name:**
`.internal.alerts-ml.observability.slo.alerts-default-000001`

**Alias:**
`.alerts-ml.observability.slo.alerts-default` |
**LOGS**

Log Threshold




| +|
`ml.dataset.quality`

**Index name:**
`.internal.alerts-ml.dataset.quality.alerts-default-000001`

**Alias:**
`.alerts-ml.dataset.quality.alerts-default` |
Degraded docs






| +|
`ml.streams`

**Index name:**
`.internal.alerts-ml.streams.alerts-default-000001`

**Alias:**
`.alerts-ml.streams.alerts-default` |
**STREAMS**

ES\|QL Rule




| +|
`security.attack.discovery`

**Index name:**
`.internal.alerts-security.attack.discovery.alerts-{{your-space-id}}-000001`

**Alias:**
`.alerts-security.attack.discovery.alerts-{{your-space-id}}` |
**SECURITY**

Attack Discovery Schedule




| +|
`security`

**Index name:**
`.internal.alerts-security.alerts-{{your-space-id}}-000001`

**Alias:**
`.alerts-security.alerts-{{your-space-id}}` |
**SECURITY**

All the other security rules




| + +## Queries + +You can simply search for an alert by using `.internal.alerts-*` **index pattern** or the **index alias**. +

+ +### To get all the alerts: + +The below query returns top 100 alerts you have from all the alert indices you have. + +```json +GET /.internal.alerts-*/_search +{ + "query": { + "match_all": {} + }, + "size":100 +} +``` + +### To get mapping of an alert index: + +An example for the Elasticsearch query rule: + +With its index name: + +```json +GET /.internal.alerts-stack.alerts-default-000001/_mapping +``` + +Or with its alias: + +``` +GET /.alerts-stack.alerts-default/_mapping +``` + +### To get only the active/recovered alerts + +Replace the `kibana.alert.status` value with recovered for the recovered alerts + +```json +GET /.internal.alerts-*/_search +{ + "query": { + "bool": { + "filter": [{ "term": { "kibana.alert.status": "active" } }] + } + }, + "size": 100 +} +``` + +### To query the alerts of a specific rule + +Replace the `kibana.alert.rule.uuid` value with your rule id + +```json +GET /.internal.alerts-*/_search +{ + "size": 100, + "query": { + "bool": { + "filter": [ + { "term": { "kibana.alert.rule.uuid": "--your-rule-id--" } } + ] + } + } +} +``` + +### To query the alerts that are generated within a specific time window + +Replace the `kibana.alert.status` value with recovered for the recovered alerts + +```json +GET /.internal.alerts-*/_search +{ + "query": { + "bool": { + "filter": [ + { "term": { "kibana.alert.status": "recovered"}}, + { + "range": { + "@timestamp": { + "gte": "now-60m", + "lte": "now" + } + } + } + ] + } + }, + "size": 100 +} +``` + +### To query the alerts of a specific rule type + +Replace the `kibana.alert.rule.category` value with your rule type name + +```json +GET /.internal.alerts-*/_search +{ + "query": { + "bool": { + "filter": [ + { "term": { "kibana.alert.rule.category": "Elasticsearch query"}} + ] + } + }, + "size": 100 +} +```
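Review bot: Several rows of the "Index name / Alias" table carry index names that do not match their own context cell, so readers who copy them will query the wrong index: the `ml.observability.uptime` row (Synthetics and Uptime) lists `.internal.alerts-stack.alerts-default-000001` / `.alerts-stack.alerts-default`, which is the Stack alerts index from the row above, and the `ml.observability.slo` and `ml.observability.logs` rows have their index names and aliases swapped (`...observability.logs...` under SLOs, `...observability.slo...` under LOGS). While fixing those, the context names themselves need a second look: the APM row uses `Observability.apm` (capitalised, no `ml.` prefix) and its index name is `.internal.alerts-observability.apm.alerts-default-000001`, but every other Observability row, plus `ml.dataset.quality` and `ml.streams`, is written with an `ml.` prefix in both the context cell and the index name, which reads like a copy-paste from the two Machine Learning rows; please verify each against a real cluster (`GET _cat/aliases/.alerts-*`) before merging, and also remove the duplicate "Degraded docs" entry that appears under both STACK ALERTS and `ml.dataset.quality`. In the Queries section, the "specific time window" example is introduced with the same "Replace the `kibana.alert.status` value with recovered" sentence as the active/recovered example, although the heading says nothing about status and the query already hard-codes `recovered`; either drop the status filter or retitle the section. Smaller points: "on on-prem" in the first paragraph, the alias `_mapping` block is missing the `json` fence tag the other blocks use, `space-Id`/`space-id` casing is inconsistent, the "Only the security rules are space-specific" sentence appears twice, and since the page introduces `.alerts-*` aliases as the public names it would be clearer for the search examples to use `.alerts-*` rather than the `.internal.alerts-*` pattern throughout.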