I'm interacting with the Elastic 8.1 free version.
Some alert rules are created in such a way that alerts will be active forever. I would like to close such alerts manually - for example, an alert informing that a Docker container is down and is planned to be down forever.
You are correct. I have mixed up the documentation of the types of alerts. I'm looking for closing Observability Alerts, not Cyber Security Alerts.
I know the concept of an Alert Rule, which should define the condition under which the Alert is Active; outside this condition it is Recovered. The issue in my case is that some alerts can remain active forever. I will give an example for better understanding.
There is an Alert Rule to check if the Docker container is exited/stopped. The condition is based on the metric threshold - when the document count is below or equal to 0 for the last 5 minutes - then the alert is active. Alerts are grouped by environment, agent.hostname and container.name.
When the container is down, there are no metrics about this particular container name on a particular hostname for 5 minutes, and the alert is active. When the container is started, the alert is recovered. That is the expected scenario.
But there can be a scenario where someone manually runs a temporary container that started once, exited, and will never be rerun on that host. Then the observability alert remains active, and there is no possibility in the UI to close it.
Is there a way to treat such alerts? I found one workaround, but that requires temporarily editing the existing rule two times, which I would like to avoid.
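To make the "stuck active" behaviour concrete, here is an added, self-contained simulation of the rule described in the post (document count <= 0 over the last 5 minutes, grouped by environment, agent.hostname and container.name). It is not Kibana's rule executor and not code from the thread; the metric documents are constructed, and it assumes that once a group has been seen it keeps being evaluated, which is exactly what makes a group that stops reporting stay active with no recovery.

```python
from collections import Counter
from datetime import datetime, timedelta

# Simplified model of a metric-threshold rule: "document count <= 0 over the
# last 5 minutes", grouped by the three fields below. Added illustration only,
# not Kibana's implementation; it assumes that a group, once seen, stays tracked.
GROUP_FIELDS = ("environment", "agent.hostname", "container.name")
WINDOW = timedelta(minutes=5)
T0 = datetime(2024, 1, 1, 10, 0)  # constructed start time for the scenario


def build_sample_docs():
    """Constructed metric documents (not real Elastic data):
    'web' reports every minute for 20 minutes; 'tmp-job' is a one-off container
    that reports at 10:00 and 10:01, exits, and never comes back."""
    docs = []
    for minute in range(21):
        docs.append({"@timestamp": T0 + timedelta(minutes=minute), "environment": "prod",
                     "agent.hostname": "host-1", "container.name": "web"})
    for minute in (0, 1):
        docs.append({"@timestamp": T0 + timedelta(minutes=minute), "environment": "prod",
                     "agent.hostname": "host-1", "container.name": "tmp-job"})
    return docs


def group_key(doc):
    return tuple(doc[f] for f in GROUP_FIELDS)


def count_in_window(docs, now, window=WINDOW):
    """Document count per group over the half-open window (now - window, now]."""
    counts = Counter()
    for doc in docs:
        if now - window < doc["@timestamp"] <= now:
            counts[group_key(doc)] += 1
    return counts


def evaluate(docs, now, state, window=WINDOW):
    """One rule execution. `state` maps group -> 'ok' | 'active'.
    Returns (new_state, transitions) where transitions is a list of
    (group, 'active' | 'recovered') events raised in this execution."""
    counts = count_in_window(docs, now, window)
    new_state, transitions = {}, []
    for group in set(state) | set(counts):  # every group seen so far stays tracked
        if counts.get(group, 0) <= 0:       # threshold condition: count <= 0
            new_state[group] = "active"
            if state.get(group) != "active":
                transitions.append((group, "active"))
        else:
            new_state[group] = "ok"
            if state.get(group) == "active":
                transitions.append((group, "recovered"))
    return new_state, transitions


def simulate(docs, start=T0, executions=21, interval=timedelta(minutes=1)):
    """Run the rule every `interval` and return [(now, state, transitions), ...]."""
    state, history = {}, []
    for i in range(executions):
        now = start + i * interval
        state, transitions = evaluate(docs, now, state)
        history.append((now, dict(state), transitions))
    return history


def transitions_for(history, group):
    """All (time, event) transitions recorded for one group."""
    return [(now, event) for now, _, trans in history for g, event in trans if g == group]


if __name__ == "__main__":
    hist = simulate(build_sample_docs())
    tmp = ("prod", "host-1", "tmp-job")
    for now, event in transitions_for(hist, tmp):
        print(now.time(), tmp[-1], event)
    print("final state of tmp-job:", hist[-1][1][tmp])
```

Running it shows a single "active" transition for tmp-job at 10:06 (the first execution whose 5-minute window contains none of its documents) and never a "recovered" one, while the continuously reporting "web" group never alerts. The model makes the root cause visible: recovery is driven only by new documents for the same group key, so a group that will never report again has no path back to recovered.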
Hmm, not that I know of offhand, if I understand what you're asking for... Basically, when a container comes online it gets monitored; it goes offline, the alert fires, and because it never comes back online it never sends a recovered alert.
Perhaps open a feature request.
Also, there is a lot of work going on on alerts right now, so you're three significant releases behind; you might check if there's something different in 8.4.
I understand that in 8.5 and 8.6 there will be more work on alert management.