View and manage alerts in Kibana
Applies to: Stack, Serverless
When the conditions of a rule are met, it creates an alert. If the rule has actions, they run at the defined frequency. For example, the rule can send email notifications for each alert at a custom interval. For an introduction to the concepts of rules, alerts, and actions, refer to Alerting.
You can manage the alerts for each rule in Stack Management > Rules. Alternatively, manage all your alerts in Stack Management > Alerts.

You must have the appropriate Kibana alerting features and index privileges to view alerts. Refer to Alerting security requirements.
This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
In Stack Management > Alerts, you can filter the list (for example, by alert status or rule type) and customize the filter controls. To search for specific alerts, use the KQL bar to create structured queries using Kibana Query Language.
By default, the list contains all the alerts that you have authority to view in the selected time period, except those associated with Security rules. To view alerts for Security rules, click the query menu and select Security rule types.

Alternatively, view those alerts in the Elastic Security app.
To get more information about a specific alert, open its action menu (…) and select View alert details in either Stack Management > Alerts or Rules. There you’ll see the current status of the alert, its duration, and when it was last updated. To help you determine what caused the alert, there is information such as the expected and actual threshold values and a summarized reason for the alert.
If an alert is affected by a maintenance window, the alert details include the maintenance window's identifier. For more information about how maintenance windows affect alert notifications, refer to Maintenance windows.
There are four common alert statuses:
active
- The conditions for the rule are met. If the rule has actions, Kibana generates notifications based on the actions' notification settings.
flapping
- The alert is switching repeatedly between active and recovered states. If the rule has actions that run when the alert status changes states, those actions are suppressed while the alert is flapping.
Alert flapping detection is turned on by default. You can modify the criteria for changing an alert's status to the flapping state by configuring the Alert flapping detection settings. To do this, navigate to the Alerts page in the main menu, or use the global search field. Next, click Manage Rules, then Settings to open the global rule settings for the space. In the Alert flapping detection section, modify the look-back window and the threshold for alert status changes that apply to the space's rules. For example, you can specify that the alert must change its status at least 6 times in the last 10 runs for it to become a flapping alert.
recovered
- The conditions for the rule are no longer met. If the rule has recovery actions, Kibana generates notifications based on the actions' notification settings. Recovery actions only run if the rule's conditions aren't met during the current rule execution, but were in the previous one.
An active alert changes to recovered if the conditions for the rule that generated it are no longer met.
A flapping alert changes to recovered when the rule's conditions are unmet for a specific number of consecutive runs. This number is determined by the Alert status change threshold setting, which you can configure under the Alert flapping detection settings.
For example, if the threshold requires an alert to change status at least 6 times in the last 10 runs to be considered flapping, then to recover, the rule's conditions must remain unmet for 6 consecutive runs. If the rule's conditions are met at any point during this recovery period, the count of consecutive unmet runs will reset, requiring the alert to remain unmet for an additional 6 consecutive runs to finally be reported as recovered.
Once a flapping alert is recovered, it cannot be changed to flapping again. Only new alerts with repeated status changes are candidates for the flapping status.
untracked
- The rule is disabled, or you’ve marked the alert as untracked. To mark the alert as untracked, go to the Alerts table, click the icon to expand the More actions menu, and click Mark as untracked. When an alert is marked as untracked, actions are no longer generated and the alert's status can no longer be changed. You can choose to move active alerts to this state when you disable or delete rules.
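As an added illustration (not Kibana's own code), the following Python model of the flapping lifecycle described above uses the documented look-back window of 10 runs and status change threshold of 6; it shows when an alert that alternates between active and recovered becomes flapping, and how a single met run during recovery resets the count of consecutive unmet runs. The class and function names are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlappingSettings:
    """Alert flapping detection settings from the space's rule settings."""
    look_back_window: int = 10        # recent runs inspected for status changes
    status_change_threshold: int = 6  # status changes within the window needed to flap


class AlertLifecycle:
    """Tracks one alert across rule runs; run(met) returns the status after that run."""

    def __init__(self, settings=FlappingSettings()):
        self.settings = settings
        self.status = None                  # no alert generated yet
        self.changes = []                   # one flag per run: did active/recovered flip?
        self.consecutive_unmet = 0          # counted only while flapping
        self.flapped_and_recovered = False  # a recovered flapping alert never flaps again

    def run(self, met):
        s = self.settings
        if self.status == "flapping":
            # Recovery needs `threshold` consecutive unmet runs; any met run resets the count.
            self.consecutive_unmet = 0 if met else self.consecutive_unmet + 1
            if self.consecutive_unmet >= s.status_change_threshold:
                self.status = "recovered"
                self.flapped_and_recovered = True
            return self.status
        new_status = "active" if met else "recovered"
        self.changes.append(self.status is not None and new_status != self.status)
        self.status = new_status
        recent_changes = sum(self.changes[-s.look_back_window:])
        if recent_changes >= s.status_change_threshold and not self.flapped_and_recovered:
            self.status = "flapping"
            self.consecutive_unmet = 0
        return self.status


def simulate(runs, settings=FlappingSettings()):
    """Return the status after each run for a constructed sequence (True = conditions met)."""
    alert = AlertLifecycle(settings)
    return [alert.run(met) for met in runs]


if __name__ == "__main__":
    # Constructed sample: 7 alternating runs, 5 quiet runs, one relapse, 6 quiet runs.
    sample = [True, False] * 3 + [True] + [False] * 5 + [True] + [False] * 6
    for i, status in enumerate(simulate(sample), 1):
        print(f"run {i:2d}: conditions {('met' if sample[i - 1] else 'unmet'):5} -> {status}")
```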
If an alert is active or flapping, you can mute it to temporarily suppress future actions. In Stack Management > Alerts, open the action menu (…) for the appropriate alert, then select Mute. While muted, the alert's status will continue to update but rule actions won't run. All future alerts with the same alert ID will also be muted.
To permanently suppress an alert's actions, open the actions menu for the appropriate alert, then select Mark as untracked. In this case, the alert's status is no longer updated and actions are no longer run. These changes are only applied to the alert that you untracked and cannot be reverted. Future alerts with the same alert ID are unaffected.
To affect the behavior of the rule rather than individual alerts, check out Snooze and disable rules.
Manage the size of alert indices in your space by clearing out alerts that are older or infrequently accessed. You can do this by running an alert cleanup task, which deletes alerts according to the criteria that you define.
The alert cleanup task permanently deletes alerts in your .alert-* indices. Make sure to take regular snapshots of your cluster to back up your alert data in case you ever need to restore it.
- To run the alert cleanup task, your role must have All privileges for the Alert deletion feature. When setting your role's Kibana privileges, go to Management > Rule Settings, enable Customize sub-feature privileges, then select All for the Alert deletion feature.
- Alerts in your space must be older than a day. The minimum threshold for the alert cleanup task is one day.
To remove old or rarely accessed alerts in your space, run an alert cleanup task, which deletes alerts according to the criteria that you define. Alerts that are attached to cases are not deleted.
Open the Rules page by going to Stack Management > Alerts and Insights > Rules in the main menu or using the global search field.
Click Settings to open the settings for all rules in the space.
In the Clean up alert history section, click Clean up.
Define criteria for the alert cleanup task. You can choose to delete alerts that are active or inactive and meet a certain age.
Tip: At the bottom of the modal, you can find a preview of the number of alerts that will be deleted according to the criteria that you define.
Active alerts: Choose to delete alerts that haven't had their status changed since they were initially generated and are older than the threshold that you specify.
For example, if you specify two years as the threshold, the cleanup task will delete alerts that were generated more than two years ago and have never had their status changed.
Inactive alerts: Choose to delete alerts that have had their statuses changed since they were initially created and are older than the threshold that you specify. Inactive alerts have had their status changed to recovered, closed, acknowledged, or untracked.
For example, if you specify two years, the cleanup task will delete alerts that have had their status changed to recovered, closed, acknowledged, or untracked more than two years ago.
Enter Delete to verify that you want to run the alert cleanup task, then click Run cleanup task.
A message confirming that the alert cleanup task has started running appears. This information is also provided at the top of the alert cleanup modal in the Last cleanup task: details field. Note that the field doesn't appear in the modal until an alert cleanup task has been run.
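The following Python model, added here as an illustration rather than Kibana's own code, applies the cleanup criteria described above to constructed alert records: active alerts are judged by their generation time, inactive alerts by the time their status changed, alerts attached to cases are skipped, and thresholds below the one-day minimum are rejected. The record layout and function names are assumptions for this example, not the real alert index mapping.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INACTIVE_STATUSES = {"recovered", "closed", "acknowledged", "untracked"}
MIN_THRESHOLD = timedelta(days=1)   # documented minimum for the cleanup task
TWO_YEARS = timedelta(days=730)     # the threshold used in the documented example


@dataclass(frozen=True)
class AlertRecord:
    """Constructed stand-in for an alert document, not the real alert index mapping."""
    alert_id: str
    status: str
    generated_at: datetime
    status_changed_at: Optional[datetime]  # None: status never changed since generation
    attached_to_case: bool = False


def select_for_cleanup(alerts, now, active_older_than=None, inactive_older_than=None):
    """Return the IDs the documented criteria would delete; None switches a criterion off."""
    for threshold in (active_older_than, inactive_older_than):
        if threshold is not None and threshold < MIN_THRESHOLD:
            raise ValueError("the alert cleanup threshold must be at least one day")
    selected = []
    for alert in alerts:
        if alert.attached_to_case:
            continue  # alerts attached to cases are never deleted
        if alert.status_changed_at is None:
            # Active criterion: never changed status and generated before the threshold.
            if active_older_than is not None and now - alert.generated_at > active_older_than:
                selected.append(alert.alert_id)
        elif alert.status in INACTIVE_STATUSES:
            # Inactive criterion: the status change itself happened before the threshold.
            if inactive_older_than is not None and now - alert.status_changed_at > inactive_older_than:
                selected.append(alert.alert_id)
    return selected


NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # constructed "current" time


def days_ago(days):
    return NOW - timedelta(days=days)


SAMPLE_ALERTS = [  # constructed records
    AlertRecord("a1", "active", days_ago(1095), None),              # 3y old, never changed
    AlertRecord("a2", "active", days_ago(365), None),               # 1y old, never changed
    AlertRecord("a3", "recovered", days_ago(1095), days_ago(365)),  # recovered only 1y ago
    AlertRecord("a4", "closed", days_ago(1095), days_ago(912)),     # closed 2.5y ago
    AlertRecord("a5", "acknowledged", days_ago(1095), days_ago(1095), attached_to_case=True),
]
```

`len(select_for_cleanup(SAMPLE_ALERTS, NOW, TWO_YEARS, TWO_YEARS))` corresponds to the preview count the modal shows before you confirm the task.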