Custom Threshold not triggering alert to index

Dave_Houser · April 25, 2025, 6:04pm

I tried to create a rule using custom threshold to write to an index for the alert action.
Running 8.13.

I created the index, and mappings ahead of time
I added the connector + the index
I tested the rule by going below the threshold, I see the alert triggers in the rule (But the index never gets populated) Contents of action trigger here:
```
{
  "@timestamp": "{{date}}",
  "alert_id": "{{alert.id}}",
  "rule_name": "{{rule.name}}",
  "foo": "bar"
}
```
I tested the connector by running a test, and the index gets populated each time I do.
I tried creating new indexes and rules, same problem every time.
I made sure I had correct roles + spaces enabled (maybe I missed something here?)
I tried creating a rule that used "log threshold" instead. This actually works, and the index gets a document per alert.
I tried all of this on a separate cluster, same results.

No matter what, the alert refuses to trigger the action.
Why do custom thresholds not trigger index actions?

Dave_Houser · April 30, 2025, 1:00pm

I upgraded to 8.18. same problem.
The only thing that seems to work is setting the alert action frequency from "For each alert - on status changes" to "Summary of alerts - on check intervals"
But this will just keep sending an alert to the index if the alert is triggered.
I don't want that.
I want just one alert sent to the index if the alert happens. And once its resolved send another alert.
Does anyone else have this issue? Am I the only one?
Can anyone help please?

I created a ticket for this on Kibana github, a while back. I just updated the post here

github.com/elastic/kibana

[Alerts] Customer Threshold not triggering alert to index

opened 05:57PM - 25 Apr 25 UTC

davehouser1

bug triage_needed Team: SecuritySolution

**Describe the bug:** Custom Thresholds are not triggering alerts to Indexes **…Kibana/Elasticsearch Stack version:** 8.18 **Server OS version:** <Pod based> **Browser and Browser OS versions:** MS Edge Version 135.0.3179.54 **Elastic Endpoint version:** N/A? **Original install method (e.g. download page, yum, from source, etc.):** pod deployment **Functional Area (e.g. Endpoint management, timelines, resolver, etc.):** alerting / rules **Steps to reproduce:** 1. Created an rule to alert on, made method "custom threshold" 2. Conditional, if all logs are < 100 logs p/s, alert for `logs-*` data-view 3. Made alert trigger to write to an index. Index contents``` ``` { "@timestamp": "{{date}}", "alert_id": "{{alert.id}}", "rule_name": "{{rule.name}}", "foo": "bar" } ``` 3. Manually created index with direct mappings. **Current behavior:** Alert shows active when conditional is true, but index does no documents. If I go to the connector, and run a test, the index gets a document. There is some disconnect from the alert trigger to the index. **Expected behavior:** Alert should show active, and the index should get a document per alert. **Screenshots (if relevant):** **Errors in browser console (if relevant):** **Provide logs and/or server output (if relevant):** **Any additional context (logs, chat logs, magical formulas, etc.):** I tried testing with a different method. I tried using Log threshold, and that works fine. Alert becomes active, and the trigger happens and the index is populated. Note I tried the same setup on a completely separate cluster, same thing happens.

Topic		Replies	Views
Rule not trigger Kibana elastic-stack-alerting	2	374	January 4, 2023
Kibana Alerts and Actions on index Threshold? Kibana elastic-stack-alerting	3	559	September 21, 2021
Threshold rules not triggering on selfmade index SIEM elastic-stack-alerting	16	1998	November 6, 2020
Kibana Index Threshold Alert doesn't report 0 document Kibana elastic-stack-alerting	10	285	April 30, 2025
Alert Rules - doesn't run by using rule type "elasticsearch query" Kibana	0	21	April 1, 2025

Custom Threshold not triggering alert to index

Related topics