How to trigger a webhook with KQL?

Sandra_Schlichting · February 18, 2021, 10:01pm

Dear all =)

I would like to create an alert that triggers a webhook each time host:10.10.10.10 is found in the log stream example_test.

When I click on " Stack Management" and then "Create Alert" I get presented with the options

Index Threshold
Inventory
Log threshold
Metric threshold
Uptime monitor status
Uptime TLS

and each looks like SQL statements and not KQL.

Question

Can anyone tell me how I can have a KQL statement evaluated each minute, and if it finds a hit, then trigger a webhook?

Hugs,
Sandra =)

stephenb · February 18, 2021, 3:42pm

Hi @Sandra_Schlichting Welcome to the community.

Interestingly there is no simple alert based on a KQL query (yet) ... I believe that is coming in a future release, an alert based on the Full DSL is coming soon, I suspect KQL will come after that.

First you will need to create a webhook connector and test it, you can do that through the create connector setup.

Today I would use the Log Threshold alert.

First there is a little un-intuitive process to use the Log Threshold Alert. The log index needs to be added to the Logs UI. That make that index (or index pattern) available for the Logs View and Alerting functionality (I asked for that dependency to be removed)

Then I would create the threshold like this of course using your field(s)

Then create your action based on the webhook...

Lets us know how is goes, is there more than that that you want to do?

Sandra_Schlichting · February 18, 2021, 10:08pm

Dear Stephen =)

That is a very interesting workaround. Thanks a lot!

Ideally would I like to create all of this over the Kibana REST API. Would that be possible?

Hugs,
Sandra =)

stephenb · February 18, 2021, 10:25pm

The alerting API is in progress / iterating but the plan is to make all the Alerting Capabilities available via and API (a highly requested feature) . Stay Tuned!

Sandra_Schlichting · February 18, 2021, 11:29pm

I can imagine =)

So does that mean, that the above isn't currently supported over the API?

stephenb · February 18, 2021, 11:36pm

Correct : The API it is in the processes of getting documented / refined, so it is not released / supported today.

Sandra_Schlichting · February 24, 2021, 3:02pm

Do you know if there exist a feature request ticket for KQL in Kibana Watchers, I can subscribe to?

stephenb · February 26, 2021, 11:37am

Hi @Sandra_Schlichting

Lets clarify Terminology a bit

Watcher is the legacy / code only alerting and notification framework (which I think you are not referring to... perhaps you are)

Kibana Alerting is the new framework which I think we are discussing, and yes there is a feature request / issue... you can find it here. (I had it opened as a result of our conversation) of course there are many items in the backlog so I can not speak to its priority or schedule. I do know that the DSL search for Kibana Alerting is a pretty high priority.