Kibana Alerts from API

PaulMess · August 16, 2020, 11:14pm

Can I create an alert using the kibana API?

aaron-nimocks · August 16, 2020, 11:34pm

What kind of alert are you looking to do?

A watcher could work for you and you can create them via an API.

https://www.elastic.co/guide/en/elasticsearch/reference/current/watch-cluster-status.html

PaulMess · August 17, 2020, 12:54am

Yes, In deed.
but watcher is a Gold (and superior) subscription feature

aaron-nimocks · August 17, 2020, 1:29am

I went in and created one using the UI and just recorded the API calls.

POST /api/alert

{"params": {
 "numTimes":5,
 "timerangeUnit":"m",
 "timerangeCount":15
 },
 "consumer":"alerting",
 "alertTypeId":"xpack.uptime.alerts.monitorStatus",
 "schedule": {"interval":"1m"},
 "actions":[],
 "tags":["tags1"],
 "name":"Test Alert"
}

So yes, there is an API to create alerts. Now depending on where you want to call this API from is a different question on whether it will work or not and I couldn't find anything to tell you one way or another.

PaulMess · August 17, 2020, 8:48pm

Sounds great! but, how you do that?

I am trying:

curl -s -u myuser:mypass  -XPOST "http://mykibanahost:5601/api/alert" \
  -H 'Content-Type: application/json' \
  -H 'kbn-xsrf: true' \
-d'{
 "params": {
 "numTimes":5,
 "timerangeUnit":"m",
 "timerangeCount":15
 },
 "consumer":"alerting",
 "alertTypeId":"xpack.uptime.alerts.monitorStatus",
 "schedule": {"interval":"1m"},
 "actions":[],
 "tags":["tags1"],
 "name":"Test Alert"
}'

but I am getting:

{"statusCode":400,"error":"Bad Request","message":"params invalid: [timerange.from]: expected value of type [string] but got [undefined]"}

aaron-nimocks · August 17, 2020, 8:53pm

Looks like it wants a timerange.from parameter also. Maybe you are using a different version than I tested.

I am not sure you can even do this. I tested this by just adding a new alert and looked at the network API call in browser tools.

I could not find any documentation that actually let's you do this.

PaulMess · August 17, 2020, 8:57pm

Oh, sorry I forget mention the version.
I am using a docker image from docker.elastic.co/kibana/kibana:7.7.0

aaron-nimocks · August 17, 2020, 9:02pm

In Kibana go to Alerts and Actions. Click Create Alert.

Open the dev tools in your browser. Typically F12.
Go to the Network tab.

Now fill in your alert you want to create for a test. When you save it you will see a new entry in the developer tool. I think it's called alert. If you click on that you can see the API call that was made to create that alert.

Without official documentation and support of this API I can't really steer you in any other direction.

PaulMess · August 17, 2020, 11:48pm

Thanks Aaron!
I got it now.

I was able to create a conector

    curl -s -u myuser:mypass  -XPOST "http://mykibanahost:5601/api/action" \
    -H 'Content-Type: application/json' \
    -H 'kbn-xsrf: true' \
    -d'{"actionTypeId":".index","config":{"index":"alerts","executionTimeField":null},"secrets":{},"name":"default"}'

and an Alert

    curl -s -u myuser:mypass  -XPOST "http://mykibanahost:5601/api/alert" \
      -H 'Content-Type: application/json' \
      -H 'kbn-xsrf: true' \
    -d'{"params":{"aggType":"count","termSize":5,"thresholdComparator":">","timeWindowSize":5,"timeWindowUnit":"m","groupBy":"all","threshold":[5000],"index":["st
    "consumer":"alerting","alertTypeId":".index-threshold","schedule":{"interval":"5m"},"actions":[{"id":"ed380f8a-cb95-4c0c-971b-32bbc3c93a95","actionTypeId":".i
    [{"alertId":"{{alertId}}","alertName":"{{alertName}}","date":"{{context.date}}","value":"{{context.value}}"}]}}],"tags":[],"name":"alert01","throttle":"10m"}'

Rest Regards, Paul

aaron-nimocks · August 18, 2020, 12:02am

Very nice. Well done!

system · September 15, 2020, 12:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.