Kibana alert on index threshold

I have created an index 'foo'. I created an alert of type index threshold to send emails when any info is written in this index.
But I see that the alert has not changed to 'active' state. It stays in 'ok' and I see no emails.

Hi @sireesha_m

We can't help unless you provide the configuration of the alert.

I suspect you want to do this from the API, my suggestion would be to set up and email connector via the Kibana GUI and Test it.

Then Set up a Threshold Alert through the Kibana GUI and test it.

Then do a GET on that alert and action via the new API and use it as a template.

I just set up a new email connector and tested it.

Then I setup a threadshold alert... and I could see it was over the threshold

Saved it and it fired, these alerts have been around for a long time, they are pretty solid.

Then if I wanted to create another one the the Alerts API I would GET this one.

The API is brand new, so go slowly / be careful Let us know if there are any doc issues etc.

First I searched for it.

curl -u elastic:asldkfjhasdfkljhasldkfjhasd 'https://192blsakdjfhalskdjfhlaskdjfh.us-west1.gcp.cloud.es.io/api/alerts/_find?search_fields=name&search=threshold' | jq

And get that as an example to work from.

{
  "page": 1,
  "perPage": 10,
  "total": 1,
  "data": [
    {
      "id": "db417e40-8caf-11eb-9114-b532abbbc0df",
      "notifyWhen": "onActionGroupChange",
      "params": {
        "aggType": "count",
        "termSize": 5,
        "thresholdComparator": ">",
        "timeWindowSize": 1,
        "timeWindowUnit": "m",
        "groupBy": "all",
        "threshold": [
          400
        ],
        "index": [
          "metrics-*"
        ],
        "timeField": "@timestamp"
      },
      "consumer": "alerts",
      "alertTypeId": ".index-threshold",
      "schedule": {
        "interval": "1m"
      },
      "actions": [
        {
          "actionTypeId": ".email",
          "params": {
            "subject": "alert '{{alertName}}' is active for group '{{context.group}}':",
            "to": [
              "stephen.brown@elastic.co"
            ],
            "message": "alert '{{alertName}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
          },
          "group": "threshold met",
          "id": "e0f3b4a0-8cb1-11eb-9114-b532abbbc0df"
        },
        {
          "actionTypeId": ".slack",
          "params": {
            "message": "alert '{{alertName}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
          },
          "group": "threshold met",
          "id": "f6ebfc33-a974-41d2-ad0a-7b1b8cc714fb"
        },
        {
          "actionTypeId": ".slack",
          "params": {
            "message": "RECOVERED\n\nalert '{{alertName}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
          },
          "group": "recovered",
          "id": "f6ebfc33-a974-41d2-ad0a-7b1b8cc714fb"
        }
      ],
      "tags": [],
      "name": "test-index-threshold",
      "enabled": true,
      "throttle": null,
      "apiKeyOwner": "4212746406",
      "createdBy": "4212746406",
      "updatedBy": "4212746406",
      "muteAll": false,
      "mutedInstanceIds": [],
      "updatedAt": "2021-03-24T15:27:27.492Z",
      "createdAt": "2021-03-24T14:47:29.779Z",
      "scheduledTaskId": "34251720-8cb4-11eb-9114-b532abbbc0df",
      "executionStatus": {
        "lastExecutionDate": "2021-03-24T17:27:33.283Z",
        "status": "ok"
      }
    }
  ]
}

then I used the id to get that individual alert

curl -u elastic:kasjfdhsalkdjfhasldfkj 'https://11k234jh123kljh12k3jh792fa.us-west1.gcp.cloud.es.io/api/alerts/alert/db417e40-8caf-11eb-9114-b532abbbc0df' | jq

{
  "id": "db417e40-8caf-11eb-9114-b532abbbc0df",
  "notifyWhen": "onActionGroupChange",
  "params": {
    "aggType": "count",
    "termSize": 5,
    "thresholdComparator": ">",
    "timeWindowSize": 1,
    "timeWindowUnit": "m",
    "groupBy": "all",
    "threshold": [
      400
    ],
    "index": [
      "metrics-*"
    ],
    "timeField": "@timestamp"
  },
  "consumer": "alerts",
  "alertTypeId": ".index-threshold",
  "schedule": {
    "interval": "1m"
  },
  "actions": [
    {
      "actionTypeId": ".email",
      "params": {
        "subject": "alert '{{alertName}}' is active for group '{{context.group}}':",
        "to": [
          "stephen.brown@elastic.co"
        ],
        "message": "alert '{{alertName}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "group": "threshold met",
      "id": "e0f3b4a0-8cb1-11eb-9114-b532abbbc0df"
    },
    {
      "actionTypeId": ".slack",
      "params": {
        "message": "alert '{{alertName}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "group": "threshold met",
      "id": "f6ebfc33-a974-41d2-ad0a-7b1b8cc714fb"
    },
    {
      "actionTypeId": ".slack",
      "params": {
        "message": "RECOVERED\n\nalert '{{alertName}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "group": "recovered",
      "id": "f6ebfc33-a974-41d2-ad0a-7b1b8cc714fb"
    }
  ],
  "tags": [],
  "name": "test-index-threshold",
  "enabled": true,
  "throttle": null,
  "apiKeyOwner": "4212746406",
  "createdBy": "4212746406",
  "updatedBy": "4212746406",
  "muteAll": false,
  "mutedInstanceIds": [],
  "updatedAt": "2021-03-24T15:27:27.492Z",
  "createdAt": "2021-03-24T14:47:29.779Z",
  "scheduledTaskId": "34251720-8cb4-11eb-9114-b532abbbc0df",
  "executionStatus": {
    "lastExecutionDate": "2021-03-24T17:30:42.269Z",
    "status": "ok"
  }
}

Thanks for the elaborate email.
Essentially, you are saying that we will be able to raise alerts on any index. I saw that it was possible. I was able to create a threshold alert alone.

Regardless of the API, do you know kibana alerting supports getting the "to" list from a mustache template. Specifically, I want to access the contents of the doc which contributed towards raising the alert.

For example, I have an index foo with doc1 contaning, "message" and "created_at". I want to display this message in email.
I tried to access it from {{context}}. But I don't think it's supported

That's not supported today.

Content from the source documents is not supported.

And if we dig a little deeper alerts are aggregates (I think you may be setting your threshold /aggregate to 1 but it still an aggregate) but for this example let's say your threshold was 5 documents , nothing really guarantees that message would be the same for every document counted so which message would go in the alert? The first one , the last one?

That is why the content from the source documents are not supported as I understand it.

In short the source documents are not available to the alert actions.

Yes got it, thanks for the confirmation.

Hi @sireesha_m

I was thinking... this was also just released as part of 7.12 the new DSL Query Alert

And look at this....

context.hits

The most recent ES documents that matched the query. Using the Mustache template array syntax, you can iterate over these hits to get values from the ES documents into your actions.

So you might be able to get the last / latest messages / values...

I just learned this and thought you might be interested...

That's nice. I have cluster running on 7.11 version. Is this feature generally available? I guess kibana emails and actions are available only through the gold plan.

The DSL Query is GA in 7.12

Yes Email Actions (Slack etc) start at Gold, Gold adds a lot of value for a relatively small uplift in cost

You can look here for feature vs subscription level and here for pricing