Alerting API. Where can I find alert_id?

oandreiev · July 27, 2022, 9:17am

Hello,

I'm trying to use Kibana's alerting api for muting an alert. It looks like this:
POST <kibana host>:<port>/api/alerting/rule/<rule_id>/alert/<alert_id>/_mute

Where I can find the alert_id?
I've thought that I can grab it from the received alert document, but it seems instead of alert.id it provides '*' in case of no grouping and group field's value in case of grouping:

          "date" : "2022-07-27T08:58:30.524Z",
          "alert" : """{"id":"*","actionGroup":"metrics.threshold.fired","actionGroupName":"Alert"}""",
          "context" : """{"group":"*","alertState":"ALERT","reason":"container.cpu.usage is 0.04102938622236252 in the last 25 secs for all hosts. Alert when > 0.04.","viewInAppUrl":"https://kb:5601/app/metrics/explorer","timestamp":"2022-07-27T08:58:05.514Z","value":{"condition0":0.04102938622236252},"threshold":{"condition0":[0.04]},"metric":{"condition0":"container.cpu.usage"}}""",
          "rule" : """{"id":"af981d9e-3fc9-43cd-877b-e9fdc6590902","name":"cpu-dpls-main","type":"metrics.alert.threshold","spaceId":"default","tags":[]}"""
        }

The only way I see for now is grabbing it from the .internal.alerts-observability.* index. But it is not very convenient.

What is the correct way for the alert.id receiving?

Thank you!

Patrick_Mueller · July 27, 2022, 12:43pm

Alert id's are strings generated by alerting rules, and are typically specific to the rule, and often how the rule does grouping. For instance, some rules may provide a service/service name as the alert id.

It seems like in this case, * IS the alert id, given the document you provided. Did you generate the document from an index action attached to the alerting rule? Could you provide the body used for that action, I'm curious if something may have happened between the alert being generated and the document being written. If not generated from an index action, how did you get that data?

oandreiev · July 28, 2022, 8:15am

Thank you for your feedback, Patrick!

Yes, I figured out that * works as id.

But it's really confusing. In an example here UUID string is used.
Probably it worth to mention this information there.

It seems like the problem is resolved how, thanks!

Patrick_Mueller · July 28, 2022, 1:17pm

Probably it worth to mention this information there.

Good point! I'll open an issue to update the docs for the mute/unmute instance in that regard.

Topic		Replies	Views
Is it possible to set Alert IDs in Kibana Alerting similar to watcher? Elastic Observability elastic-stack-alerting	2	612	November 4, 2022
Request API to obtain active alerts Elasticsearch elastic-stack-alerting , docker	5	1902	April 18, 2023
Rule with index connector - issue with {{alert.id}} Elastic Observability elastic-stack-alerting	5	435	February 1, 2023
Active alert from deleted rule Elasticsearch elastic-stack-alerting	2	1026	March 13, 2023
The original document/raw event can't be found Elastic Security	3	117	July 30, 2025

Alerting API. Where can I find alert_id?

Related topics