Deprecated 7.x APIsedit
These APIs are deprecated and will be removed in a future release.
Legacy create alert APIedit
Deprecated in 7.13.0.
Use Create rule instead.
Create Kibana alerts.
Requestedit
POST <kibana host>:<port>/api/alerts/alert/<id>
POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>
Path parametersedit
-
<id>
- (Optional, string) Specifies a UUID v1 or v4 to use instead of a randomly generated ID.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Request bodyedit
-
name
- (Required, string) A name to reference and search.
-
tags
- (Optional, string array) A list of keywords to reference and search.
-
alertTypeId
- (Required, string) The ID of the alert type that you want to call when the alert is scheduled to run.
-
schedule
-
(Required, object) The schedule specifying when this alert should be run, using one of the available schedule formats specified under
Schedule Formats.
A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.
We currently support the Interval format which specifies the interval in seconds, minutes, hours or days at which the alert should execute. Example:
{ interval: "10s" }
,{ interval: "5m" }
,{ interval: "1h" }
,{ interval: "1d" }
.There are plans to support multiple other schedule formats in the near future.
-
throttle
-
(Optional, string) How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a
schedule
of 1 minute stays in a triggered state for 90 minutes, setting athrottle
of10m
or1h
will prevent it from sending 90 notifications during this period. -
notifyWhen
-
(Required, string) The condition for throttling the notification:
onActionGroupChange
,onActiveAlert
, oronThrottleInterval
. -
enabled
- (Optional, boolean) Indicates if you want to run the alert on an interval basis after it is created.
-
consumer
- (Required, string) The name of the application that owns the alert. This name has to match the Kibana Feature name, as that dictates the required RBAC privileges.
-
params
-
(Required, object) The parameters to pass to the alert type executor
params
value. This will also validate against the alert type params validator, if defined. -
actions
-
(Optional, object array) An array of the following action objects.
Properties of the action objects:
-
group
-
(Required, string) Grouping actions is recommended for escalations for different types of alert instances. If you don’t need this, set this value to
default
. -
id
- (Required, string) The ID of the action saved object to execute.
-
actionTypeId
- (Required, string) The ID of the action type.
-
params
-
(Required, object) The map to the
params
that the action type will receive. ` params` are handled as Mustache templates and passed a default set of context.
-
Response codeedit
-
200
- Indicates a successful call.
Exampleedit
$ curl -X POST api/alerts/alert -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d ' { "params":{ "aggType":"avg", "termSize":6, "thresholdComparator":">", "timeWindowSize":5, "timeWindowUnit":"m", "groupBy":"top", "threshold":[ 1000 ], "index":[ ".test-index" ], "timeField":"@timestamp", "aggField":"sheet.version", "termField":"name.keyword" }, "consumer":"alerts", "alertTypeId":".index-threshold", "schedule":{ "interval":"1m" }, "actions":[ { "id":"dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2", "actionTypeId":".server-log", "group":"threshold met", "params":{ "level":"info", "message":"Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}" } } ], "tags":[ "cpu" ], "notifyWhen":"onActionGroupChange", "name":"my alert" }'
The API returns the following:
{ "id": "41893910-6bca-11eb-9e0d-85d233e3ee35", "notifyWhen": "onActionGroupChange", "params": { "aggType": "avg", "termSize": 6, "thresholdComparator": ">", "timeWindowSize": 5, "timeWindowUnit": "m", "groupBy": "top", "threshold": [ 1000 ], "index": [ ".kibana" ], "timeField": "@timestamp", "aggField": "sheet.version", "termField": "name.keyword" }, "consumer": "alerts", "alertTypeId": ".index-threshold", "schedule": { "interval": "1m" }, "actions": [ { "actionTypeId": ".server-log", "group": "threshold met", "params": { "level": "info", "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}" }, "id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2" } ], "tags": [ "cpu" ], "name": "my alert", "enabled": true, "throttle": null, "apiKeyOwner": "elastic", "createdBy": "elastic", "updatedBy": "elastic", "muteAll": false, "mutedInstanceIds": [], "updatedAt": "2021-02-10T18:03:19.961Z", "createdAt": "2021-02-10T18:03:19.961Z", "scheduledTaskId": "425b0800-6bca-11eb-9e0d-85d233e3ee35", "executionStatus": { "lastExecutionDate": "2021-02-10T18:03:19.966Z", "status": "pending" } }
Legacy delete alert APIedit
Deprecated in 7.13.0.
Use Delete rule instead.
Permanently remove an alert.
Once you delete an alert, you cannot recover it.
Requestedit
DELETE <kibana host>:<port>/api/alerts/alert/<id>
DELETE <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>
Path parametersedit
-
id
- (Required, string) The ID of the alert that you want to remove.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response codeedit
-
200
- Indicates a successful call.
Exampleedit
Delete an alert with ID:
$ curl -X DELETE api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35
Legacy disable alert APIedit
Deprecated in 7.13.0.
Use Disable rule instead.
Disable an alert.
Requestedit
POST <kibana host>:<port>/api/alerts/alert/<id>/_disable
POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/_disable
Path parametersedit
-
id
- (Required, string) The ID of the alert that you want to disable.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response codeedit
-
200
- Indicates a successful call.
Exampleedit
Disable an alert with ID:
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_disable
Legacy enable alert APIedit
Deprecated in 7.13.0.
Use Enable rule instead.
Enable an alert.
Requestedit
POST <kibana host>:<port>/api/alerts/alert/<id>/_enable
POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/_enable
Path parametersedit
-
id
- (Required, string) The ID of the alert that you want to enable.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response codeedit
-
200
- Indicates a successful call.
Exampleedit
Enable an alert with ID:
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_enable
Legacy find alerts APIedit
Deprecated in 7.13.0.
Use Find rules instead.
Retrieve a paginated set of alerts based on condition.
As alerts change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data.
Requestedit
GET <kibana host>:<port>/api/alerts/_find
GET <kibana host>:<port>/s/<space_id>/api/alerts/_find
Path parametersedit
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Query Parametersedit
Alert params
are stored as a flattened field type and analyzed as keywords.
-
per_page
- (Optional, number) The number of alerts to return per page.
-
page
- (Optional, number) The page number.
-
search
- (Optional, string) An Elasticsearch simple_query_string query that filters the alerts in the response.
-
default_search_operator
-
(Optional, string) The operator to use for the
simple_query_string
. The default is OR. -
search_fields
-
(Optional, array|string) The fields to perform the
simple_query_string
parsed query against. -
fields
-
(Optional, array|string) The fields to return in the
attributes
key of the response. -
sort_field
-
(Optional, string) Sorts the response. Could be an alert fields returned in the
attributes
key of the response. -
sort_order
-
(Optional, string) Sort direction, either
asc
ordesc
. -
has_reference
- (Optional, object) Filters the alerts that have a relations with the reference objects with the specific "type" and "ID".
-
filter
-
(Optional, string) A KQL string that you filter with an attribute from your saved object.
It should look like savedObjectType.attributes.title: "myTitle". However, If you used a direct attribute of a saved object, such as
updatedAt
, you will have to define your filter, for example, savedObjectType.updatedAt > 2018-12-22.
Response codeedit
-
200
- Indicates a successful call.
Examplesedit
Find alerts with names that start with my
:
$ curl -X GET api/alerts/_find?search_fields=name&search=my*
The API returns the following:
{ "page": 1, "perPage": 10, "total": 1, "data": [ { "id": "0a037d60-6b62-11eb-9e0d-85d233e3ee35", "notifyWhen": "onActionGroupChange", "params": { "aggType": "avg", }, "consumer": "alerts", "alertTypeId": "test.alert.type", "schedule": { "interval": "1m" }, "actions": [], "tags": [], "name": "test alert", "enabled": true, "throttle": null, "apiKeyOwner": "elastic", "createdBy": "elastic", "updatedBy": "elastic", "muteAll": false, "mutedInstanceIds": [], "updatedAt": "2021-02-10T05:37:19.086Z", "createdAt": "2021-02-10T05:37:19.086Z", "scheduledTaskId": "0b092d90-6b62-11eb-9e0d-85d233e3ee35", "executionStatus": { "lastExecutionDate": "2021-02-10T17:55:14.262Z", "status": "ok" } }, ] }
For parameters that accept multiple values (e.g. fields
), repeat the
query parameter for each value:
$ curl -X GET api/alerts/_find?fields=id&fields=name
Legacy get alert APIedit
Deprecated in 7.13.0.
Use Get rule instead.
Retrieve an alert by ID.
Requestedit
GET <kibana host>:<port>/api/alerts/alert/<id>
GET <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>
Path parametersedit
-
id
- (Required, string) The ID of the alert to retrieve.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response codeedit
-
200
- Indicates a successful call.
Exampleedit
Retrieve the alert object with the ID 41893910-6bca-11eb-9e0d-85d233e3ee35
:
$ curl -X GET api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35
The API returns the following:
{ "id": "0a037d60-6b62-11eb-9e0d-85d233e3ee35", "notifyWhen": "onActionGroupChange", "params": { "aggType": "avg", }, "consumer": "alerts", "alertTypeId": "test.alert.type", "schedule": { "interval": "1m" }, "actions": [], "tags": [], "name": "test alert", "enabled": true, "throttle": null, "apiKeyOwner": "elastic", "createdBy": "elastic", "updatedBy": "elastic", "muteAll": false, "mutedInstanceIds": [], "updatedAt": "2021-02-10T05:37:19.086Z", "createdAt": "2021-02-10T05:37:19.086Z", "scheduledTaskId": "0b092d90-6b62-11eb-9e0d-85d233e3ee35", "executionStatus": { "lastExecutionDate": "2021-02-10T17:55:14.262Z", "status": "ok" } }
Legacy get Alerting framework health APIedit
Deprecated in 7.13.0.
Use Get alerting framework health instead.
Retrieve the health status of the Alerting framework.
Requestedit
GET <kibana host>:<port>/api/alerts/_health
GET <kibana host>:<port>/s/<space_id>/api/alerts/_health
Path parametersedit
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response codeedit
-
200
- Indicates a successful call.
Exampleedit
Retrieve the health status of the Alerting framework:
$ curl -X GET api/alerts/_health
The API returns the following:
{ "isSufficientlySecure":true, "hasPermanentEncryptionKey":true, "alertingFrameworkHealth":{ "decryptionHealth":{ "status":"ok", "timestamp":"2021-02-10T23:35:04.949Z" }, "executionHealth":{ "status":"ok", "timestamp":"2021-02-10T23:35:04.949Z" }, "readHealth":{ "status":"ok", "timestamp":"2021-02-10T23:35:04.949Z" } } }
The health API response contains the following properties:
|
Returns |
|
Return the state |
|
This state property has three substates that identify the health of the alerting framework API: |
alertingFrameworkHealth
consists of the following properties:
|
Returns the timestamp and status of the alert decryption: |
|
Returns the timestamp and status of the alert execution: |
|
Returns the timestamp and status of the alert reading events: |
Legacy list alert types APIedit
Deprecated in 7.13.0.
Use Get rule types instead.
Retrieve a list of all alert types.
Requestedit
GET <kibana host>:<port>/api/alerts/list_alert_types
GET <kibana host>:<port>/s/<space_id>/api/alerts/list_alert_types
Path parametersedit
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response codeedit
-
200
- Indicates a successful call.
Exampleedit
$ curl -X GET api/alerts/list_alert_types
The API returns the following:
[ { "id":".index-threshold", "name":"Index threshold", "actionGroups":[ { "id":"threshold met", "name":"Threshold met" }, { "id":"recovered", "name":"Recovered" } ], "recoveryActionGroup":{ "id":"recovered", "name":"Recovered" }, "defaultActionGroupId":"threshold met", "actionVariables":{ "context":[ { "name":"message", "description":"A pre-constructed message for the alert." }, ], "state":[], "params":[ { "name":"threshold", "description":"An array of values to use as the threshold; 'between' and 'notBetween' require two values, the others require one." }, { "name":"index", "description":"index" }, ] }, "producer":"stackAlerts", "minimumLicenseRequired":"basic", "isExportable":true, "enabledInLicense":true, "authorizedConsumers":{ "alerts":{ "read":true, "all":true }, "stackAlerts":{ "read":true, "all":true }, "uptime":{ "read":true, "all":true } } } ]
Each alert type contains the following properties:
|
The descriptive name of the alert type. |
|
The unique ID of the alert type. |
|
The license required to use the alert type. |
|
Whether the rule type is exportable through the Saved Objects Management UI. |
|
Whether the alert type is enabled or disabled based on the license. |
|
An explicit list of groups for which the alert type can schedule actions, each with the action group’s unique ID and human readable name. Alert |
|
An action group to use when an alert instance goes from an active state, to an inactive one. Do not specify this action group under the |
|
The default ID for the alert type group. |
|
An explicit list of action variables that the alert type makes available via context and state in action parameter templates, and a short human readable description. The Alert UI will use this information to prompt users for these variables in action parameter editors. Use |
|
The ID of the application producing this alert type. |
|
The list of the plugins IDs that have access to the alert type. |
Legacy mute alert instance APIedit
Deprecated in 7.13.0.
Use Mute alert instead.
Mute an alert instance.
Requestedit
POST <kibana host>:<port>/api/alerts/alert/<id>/alert_instance/<alert_instance_id>/_mute
POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/alert_instance/<alert_instance_id>/_mute
Path parametersedit
-
id
- (Required, string) The ID of the alert whose instance you want to mute.
-
alert_instance_id
- (Required, string) The ID of the alert instance that you want to mute.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response codeedit
-
200
- Indicates a successful call.
Exampleedit
Mute alert instance with ID:
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/alert_instance/dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2/_mute
Legacy mute all alert instances APIedit
Deprecated in 7.13.0.
Use Mute all alerts instead.
Mute all alert instances.
Requestedit
POST <kibana host>:<port>/api/alerts/alert/<id>/_mute_all
POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/_mute_all
Path parametersedit
-
id
- (Required, string) The ID of the alert whose instances you want to mute.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response codeedit
-
200
- Indicates a successful call.
Exampleedit
Mute all alert instances with ID:
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_mute_all
Legacy unmute alert instance APIedit
Deprecated in 7.13.0.
Use Unmute alert instead.
Unmute an alert instance.
Requestedit
POST <kibana host>:<port>/api/alerts/alert/<id>/alert_instance/<alert_instance_id>/_unmute
POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/alert_instance/<alert_instance_id>/_unmute
Path parametersedit
-
id
- (Required, string) The ID of the alert whose instance you want to mute..
-
alert_instance_id
- (Required, string) The ID of the alert instance that you want to unmute.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response codeedit
-
200
- Indicates a successful call.
Exampleedit
Unmute alert instance with ID:
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/alert_instance/dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2/_unmute
Legacy unmute all alert instances APIedit
Deprecated in 7.13.0.
Use Unmute all alerts instead.
Unmute all alert instances.
Requestedit
POST <kibana host>:<port>/api/alerts/alert/<id>/_unmute_all
POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/_unmute_all
Path parametersedit
-
id
- (Required, string) The ID of the alert whose instances you want to unmute.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Response codeedit
-
200
- Indicates a successful call.
Exampleedit
Unmute all alert instances with ID:
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_unmute_all
Legacy update alert APIedit
Deprecated in 7.13.0.
Use Update rule instead.
Update the attributes for an existing alert.
Requestedit
PUT <kibana host>:<port>/api/alerts/alert/<id>
PUT <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>
Path parametersedit
-
id
- (Required, string) The ID of the alert that you want to update.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Request bodyedit
-
name
- (Required, string) A name to reference and search.
-
tags
- (Optional, string array) A list of keywords to reference and search.
-
schedule
-
(Required, object) When to run this alert. Use one of the available schedule formats.
Schedule Formats.
A schedule uses a key: value format. Kibana currently supports the Interval format , which specifies the interval in seconds, minutes, hours, or days at which to execute the alert.
Example:
{ interval: "10s" }
,{ interval: "5m" }
,{ interval: "1h" }
,{ interval: "1d" }
. -
throttle
-
(Optional, string) How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a
schedule
of 1 minute stays in a triggered state for 90 minutes, setting athrottle
of10m
or1h
will prevent it from sending 90 notifications during this period. -
notifyWhen
-
(Required, string) The condition for throttling the notification:
onActionGroupChange
,onActiveAlert
, oronThrottleInterval
. -
params
-
(Required, object) The parameters to pass to the alert type executor
params
value. This will also validate against the alert type params validator, if defined. -
actions
-
(Optional, object array) An array of the following action objects.
Properties of the action objects:
-
group
-
(Required, string) Grouping actions is recommended for escalations for different types of alert instances. If you don’t need this, set the value to
default
. -
id
- (Required, string) The ID of the action that saved object executes.
-
actionTypeId
- (Required, string) The id of the action type.
-
params
-
(Required, object) The map to the
params
that the action type will receive.params
are handled as Mustache templates and passed a default set of context.
-
Response codeedit
-
200
- Indicates a successful call.
Exampleedit
Update an alert with ID ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74
with a different name:
$ curl -X PUT api/alerts/alert/ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 { "notifyWhen": "onActionGroupChange", "params": { "aggType": "avg", }, "schedule": { "interval": "1m" }, "actions": [], "tags": [], "name": "new name", "throttle": null, }
The API returns the following:
{ "id": "ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74", "notifyWhen": "onActionGroupChange", "params": { "aggType": "avg", }, "consumer": "alerts", "alertTypeId": "test.alert.type", "schedule": { "interval": "1m" }, "actions": [], "tags": [], "name": "new name", "enabled": true, "throttle": null, "apiKeyOwner": "elastic", "createdBy": "elastic", "updatedBy": "elastic", "muteAll": false, "mutedInstanceIds": [], "updatedAt": "2021-02-10T05:37:19.086Z", "createdAt": "2021-02-10T05:37:19.086Z", "scheduledTaskId": "0b092d90-6b62-11eb-9e0d-85d233e3ee35", "executionStatus": { "lastExecutionDate": "2021-02-10T17:55:14.262Z", "status": "ok" } }