I'm trying to use Kibana's alerting API to mute an alert. It looks like this: POST <kibana host>:<port>/api/alerting/rule/<rule_id>/alert/<alert_id>/_mute
Where can I find the alert_id?
I thought I could grab it from the received alert document, but instead of alert.id it seems to provide '*' when there is no grouping, and the group field's value when there is grouping:
{
  "date" : "2022-07-27T08:58:30.524Z",
  "alert" : """{"id":"*","actionGroup":"metrics.threshold.fired","actionGroupName":"Alert"}""",
  "context" : """{"group":"*","alertState":"ALERT","reason":"container.cpu.usage is 0.04102938622236252 in the last 25 secs for all hosts. Alert when > 0.04.","viewInAppUrl":"https://kb:5601/app/metrics/explorer","timestamp":"2022-07-27T08:58:05.514Z","value":{"condition0":0.04102938622236252},"threshold":{"condition0":[0.04]},"metric":{"condition0":"container.cpu.usage"}}""",
  "rule" : """{"id":"af981d9e-3fc9-43cd-877b-e9fdc6590902","name":"cpu-dpls-main","type":"metrics.alert.threshold","spaceId":"default","tags":[]}"""
}
The only way I see for now is to grab it from the .internal.alerts-observability.* index, but that is not very convenient.
What is the correct way to obtain the alert.id?
Alert IDs are strings generated by alerting rules. They are typically specific to the rule, and are often how the rule does grouping. For instance, some rules may provide a service or service name as the alert ID.
It seems like in this case, * IS the alert ID, given the document you provided. Did you generate the document from an index action attached to the alerting rule? Could you provide the body used for that action? I'm curious whether something may have happened between the alert being generated and the document being written. If it was not generated from an index action, how did you get that data?
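To make the answer concrete, the following is an added example (not code from the original thread or from Elastic): it takes a document of the shape shown in the question, where the alert and rule fields arrive as JSON-encoded strings inside the document, pulls out rule.id and alert.id, and builds the _mute request for the endpoint quoted in the question. It assumes the document layout from the post, the standard kbn-xsrf header that Kibana requires on non-GET API calls, and the /s/<space>/ URL prefix for rules that live outside the default space. The alert ID is percent-encoded because, as the answer notes, it is whatever grouping key the rule produced (here "*", but it could be a host or service name containing characters that are significant in a URL path).

```python
import json
import urllib.request
from urllib.parse import quote

# Constructed sample: the kind of document an index action writes. The
# alert/rule fields are JSON strings nested inside the document, which is what
# the triple-quoted values in the original post represent.
SAMPLE_DOC = {
    "date": "2022-07-27T08:58:30.524Z",
    "alert": json.dumps({"id": "*", "actionGroup": "metrics.threshold.fired",
                         "actionGroupName": "Alert"}),
    "context": json.dumps({"group": "*", "alertState": "ALERT"}),
    "rule": json.dumps({"id": "af981d9e-3fc9-43cd-877b-e9fdc6590902",
                        "name": "cpu-dpls-main", "type": "metrics.alert.threshold",
                        "spaceId": "default", "tags": []}),
}


def _nested(doc, name):
    """Return doc[name] as an object, decoding it if it was stored as a JSON string."""
    value = doc[name]
    return json.loads(value) if isinstance(value, str) else value


def extract_ids(doc):
    """Return (rule_id, alert_id, space_id) from an index-action document.

    Raises ValueError rather than silently muting the wrong thing when the
    alert ID is absent or not a string.
    """
    alert = _nested(doc, "alert")
    rule = _nested(doc, "rule")
    alert_id = alert.get("id")
    if not isinstance(alert_id, str) or not alert_id:
        raise ValueError("alert.id missing or not a string in document")
    return rule["id"], alert_id, rule.get("spaceId", "default")


def mute_path(rule_id, alert_id, space_id="default"):
    """Build the path for POST .../api/alerting/rule/<rule_id>/alert/<alert_id>/_mute.

    Both IDs are percent-encoded with no safe characters: "*" is the ID here,
    but grouped rules produce hostnames, service names, etc. that may contain
    "/" or "?". Non-default spaces get the /s/<space> prefix (assumption).
    """
    prefix = "" if space_id == "default" else "/s/" + quote(space_id, safe="")
    return (f"{prefix}/api/alerting/rule/{quote(rule_id, safe='')}"
            f"/alert/{quote(alert_id, safe='')}/_mute")


def build_mute_request(kibana_url, doc, api_key=None):
    """Return a urllib Request for muting the alert described by doc.

    kbn-xsrf is required by Kibana on state-changing API calls. Authentication
    via an API key is optional here and is an assumption about the deployment.
    """
    rule_id, alert_id, space_id = extract_ids(doc)
    headers = {"kbn-xsrf": "true", "Content-Type": "application/json"}
    if api_key:
        headers["Authorization"] = f"ApiKey {api_key}"
    url = kibana_url.rstrip("/") + mute_path(rule_id, alert_id, space_id)
    return urllib.request.Request(url, data=b"", headers=headers, method="POST")


def mute_alert(kibana_url, doc, api_key=None, timeout=10):
    """Send the mute request; returns the HTTP status code."""
    req = build_mute_request(kibana_url, doc, api_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    req = build_mute_request("https://kb:5601", SAMPLE_DOC)
    print(req.method, req.full_url)
    # Uncomment to actually mute against a live Kibana:
    # print(mute_alert("https://kb:5601", SAMPLE_DOC, api_key="..."))
```

Because extract_ids fails loudly on a missing alert.id, a document that was mangled between the rule firing and the index action writing it (the case the answer asks about) stops the script instead of muting whatever "*" happens to mean for a different rule.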