How to set alert on total size of indices matching a pattern?

ppine7 · April 17, 2023, 6:37pm

Hi!
I've posted this question on SO: elastic stack - Elasticsearch how to set alert on total size of indices matching a pattern? - Stack Overflow but am re-posting it here in hopes to get a more focused audience

I would like to set an Alert Rule in Elastic - to trigger an alert when a total size of indices, matching a specific pattern, exceeds some limit.

I know how to get the total size by running a query:

GET /.ds-elastic-cloud-logs*/_stats

this would give me:

...
"_all": {
"primaries": {
  "docs": {
    "count": 12865686,
    "deleted": 0
  },
  "shard_stats": {
    "total_count": 5
  },
  "store": {
    "size_in_bytes": 2205540490,
    "total_data_set_size_in_bytes": 2205540490,
    "reserved_in_bytes": 0
  },
...

and the value I'm looking for is: "size_in_bytes": 2205540490

But I could not find how to create an alert based on this value...
I looked at the "index threshold" type of alerts: Index threshold | Kibana Guide [master] | Elastic - and while I am able to specify the index pattern (.ds-elastic-cloud-logs*) in the rule - the "size-in-bytes" field is not available for use in the alert...

Also looked at the "elasticsearch query" type of alerts: Elasticsearch query | Kibana Guide [master] | Elastic - but I can only get a count of documents returned by a query to be used as the metric, not the size of indices ...

Any other way to achieve what I want?
Thank you!
Marina

grfneto · April 17, 2023, 9:20pm

Hi @ppine7

Have you tried to create a pipeline that gets information from the _stats API and saves it in another index? In this other index that will make the storage summary, you can create an alert for the desired field. Another possibility, if applicable to your scenario, is the use of ILM to manage your index storage and perform the rollup.
ILM: Manage the index lifecycle | Elasticsearch Guide [8.7] | Elastic

Best regards

vincenbr · April 17, 2023, 9:58pm

Hi,
I am afraid you cannot (at least for now) call an arbitrary API with Kibana alert Rules.
I would go with the Watcher, which is more flexible. You could get inspiration from sample Watches repo, like this one: examples/Alerting/Sample Watches/large_shard_watch at master · elastic/examples · GitHub

ppine7 · April 18, 2023, 1:48pm

Thank you, @grfneto ! I was looking for something out of the box for Alerts - will keep this option in mind too. And I do use ILM - but wanted to add alerts as a precaution as well.

ppine7 · April 18, 2023, 1:50pm

Thank you, @vincenbr ! I was hoping to have an out-of-the-box option like that for Alerts - will keep the Watch approach in mind - although as I checked the GIT repo example - it does look quite intimidating

Topic		Replies	Views
Watcher alert for index sizes Kibana elastic-stack-alerting , painless	2	567	June 28, 2022
Get alerting from _stats Elasticsearch elastic-stack-alerting	4	505	June 7, 2019
How to monitor indices (doc count, size...) Elasticsearch elastic-stack-monitoring	8	2566	May 31, 2022
How to monitor the size of elasticsearch index Elasticsearch	1	163	March 18, 2025
Watcher for index size Elasticsearch	3	1287	April 18, 2019

How to set alert on total size of indices matching a pattern?

Related topics