Looking for Alert rule dataview and index

Using the API, we can get the index of the alert that is being used:

curl --request GET 'https://localhost:5601/api/alerting/rules/_find'

If I want to use a query, which default dataview or default index for all alert rules should I be looking at?

I was trying to find this in the official Elasticsearch documentation for Elastic Stack Monitoring Integration, but to no avail.

We are reindexing our index, so we are not sure if that will impact any of our alerts.

Kindly advise.

Hello @Whoami1980

I am not sure what the exact query is. I see that the index below has information about alert status for all spaces:

.kibana_alerting_cases_*

Thanks!!

The ".kibana_alerting_cases_*" returns values, but not the dataview below.

Btw, is your screenshot Analytics >> Discover >> Dataview?

Because I tried to put ".kibana_alerting_cases_*" but can't find it in the GUI.

Hello @Whoami1980

You need to create a dataview with the index pattern if you want to use a dataview.

Thanks!!

@Tortoise

Maybe I have not been clear. The reason we are using the query is because we want to query what dataview or default index is currently configured for all our alert rules.

Hope that clarifies.

You should use the API to get this information.

The rules will be saved internally in Kibana as saved objects. It is not something that you can simply query from an index, and there is no documentation on how and where they are stored, as it is expected that the detection rules API will be used in this case.

If you want, you can query the .internal.alerts-security* indices. This is where the alerts that triggered will be stored, and you have some information about the rules that triggered the alert.
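The API route suggested above can answer the reindex question directly. The following is an added example, not part of any post in this thread: it reads a `_find` response and lists which rules point at a given index. The sample response is constructed, and the `params` field names (`index`, `dataViewId`, `searchConfiguration`) are assumptions that differ between rule types, so check them against your own API output.

```python
import fnmatch
import json

# Constructed sample shaped like a GET /api/alerting/rules/_find response.
# The field names under "params" are assumptions and vary by rule type.
SAMPLE_RESPONSE = json.loads("""
{"page": 1, "per_page": 10, "total": 3, "data": [
  {"id": "rule-1", "name": "Disk threshold", "rule_type_id": ".index-threshold",
   "params": {"index": ["metrics-*"]}},
  {"id": "rule-2", "name": "Failed logins", "rule_type_id": "siem.queryRule",
   "params": {"index": ["logs-*", "winlogbeat-*"], "dataViewId": null}},
  {"id": "rule-3", "name": "KQL on data view", "rule_type_id": ".es-query",
   "params": {"searchConfiguration": {"index": "my-data-view-id"}}}
]}
""")


def rule_sources(rule):
    """Return the index patterns and data view reference configured on one rule."""
    params = rule.get("params") or {}
    index = params.get("index") or []
    if isinstance(index, str):
        index = [index]
    data_view = params.get("dataViewId")
    ref = (params.get("searchConfiguration") or {}).get("index")
    if data_view is None and ref is not None:
        # The reference may be a plain id string or an object describing the data view.
        data_view = ref if isinstance(ref, str) else ref.get("id") or ref.get("title")
    return {"indices": list(index), "data_view": data_view}


def rules_touching(response, index_name):
    """Split rules into those whose patterns match index_name and those that
    read through a data view and need a manual check of its index pattern."""
    direct, via_data_view = [], []
    for rule in response.get("data", []):
        src = rule_sources(rule)
        # fnmatch approximates Elasticsearch '*' wildcards; exclusions are not handled.
        if any(fnmatch.fnmatchcase(index_name, p) for p in src["indices"]):
            direct.append(rule["name"])
        elif src["data_view"]:
            via_data_view.append(rule["name"])
    return direct, via_data_view
```

The response is paged (`page`, `per_page`, `total`), so run this over every page before concluding that a reindex touches no rules.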