Deprecated 7.x APIsedit

These APIs are deprecated and will be removed in a future release.

Legacy create alert APIedit

Deprecated in 7.13.0.

Use Create rule instead.

Create Kibana alerts.

Requestedit

POST <kibana host>:<port>/api/alerts/alert/<id>

POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>

Path parametersedit

<id>
(Optional, string) Specifies a UUID v1 or v4 to use instead of a randomly generated ID.
space_id
(Optional, string) An identifier for the space. If space_id is not provided in the URL, the default space is used.

Request bodyedit

name
(Required, string) A name to reference and search.
tags
(Optional, string array) A list of keywords to reference and search.
alertTypeId
(Required, string) The ID of the alert type that you want to call when the alert is scheduled to run.
schedule

(Required, object) The schedule specifying when this alert should be run, using one of the available schedule formats specified under

Schedule Formats.

A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.

We currently support the Interval format which specifies the interval in seconds, minutes, hours or days at which the alert should execute. Example: { interval: "10s" }, { interval: "5m" }, { interval: "1h" }, { interval: "1d" }.

There are plans to support multiple other schedule formats in the near future.

throttle
(Optional, string) How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of 10m or 1h will prevent it from sending 90 notifications during this period.
notifyWhen
(Required, string) The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval.
enabled
(Optional, boolean) Indicates if you want to run the alert on an interval basis after it is created.
consumer
(Required, string) The name of the application that owns the alert. This name has to match the Kibana Feature name, as that dictates the required RBAC privileges.
params
(Required, object) The parameters to pass to the alert type executor params value. This will also validate against the alert type params validator, if defined.
actions

(Optional, object array) An array of the following action objects.

Properties of the action objects:
group
(Required, string) Grouping actions is recommended for escalations for different types of alert instances. If you don’t need this, set this value to default.
id
(Required, string) The ID of the action saved object to execute.
actionTypeId
(Required, string) The ID of the action type.
params
(Required, object) The map to the params that the action type will receive. ` params` are handled as Mustache templates and passed a default set of context.

Response codeedit

200
Indicates a successful call.

Exampleedit

$ curl -X POST api/alerts/alert  -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '
{
  "params":{
      "aggType":"avg",
      "termSize":6,
      "thresholdComparator":">",
      "timeWindowSize":5,
      "timeWindowUnit":"m",
      "groupBy":"top",
      "threshold":[
         1000
      ],
      "index":[
         ".test-index"
      ],
      "timeField":"@timestamp",
      "aggField":"sheet.version",
      "termField":"name.keyword"
   },
   "consumer":"alerts",
   "alertTypeId":".index-threshold",
   "schedule":{
      "interval":"1m"
   },
   "actions":[
      {
         "id":"dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
         "actionTypeId":".server-log",
         "group":"threshold met",
         "params":{
            "level":"info",
            "message":"Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
         }
      }
   ],
   "tags":[
      "cpu"
   ],
   "notifyWhen":"onActionGroupChange",
   "name":"my alert"
}'

The API returns the following:

{
  "id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
  "notifyWhen": "onActionGroupChange",
  "params": {
    "aggType": "avg",
    "termSize": 6,
    "thresholdComparator": ">",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "groupBy": "top",
    "threshold": [
      1000
    ],
    "index": [
      ".kibana"
    ],
    "timeField": "@timestamp",
    "aggField": "sheet.version",
    "termField": "name.keyword"
  },
  "consumer": "alerts",
  "alertTypeId": ".index-threshold",
  "schedule": {
    "interval": "1m"
  },
  "actions": [
    {
      "actionTypeId": ".server-log",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2"
    }
  ],
  "tags": [
    "cpu"
  ],
  "name": "my alert",
  "enabled": true,
  "throttle": null,
  "apiKeyOwner": "elastic",
  "createdBy": "elastic",
  "updatedBy": "elastic",
  "muteAll": false,
  "mutedInstanceIds": [],
  "updatedAt": "2021-02-10T18:03:19.961Z",
  "createdAt": "2021-02-10T18:03:19.961Z",
  "scheduledTaskId": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
  "executionStatus": {
    "lastExecutionDate": "2021-02-10T18:03:19.966Z",
    "status": "pending"
  }
}

Legacy delete alert APIedit

Deprecated in 7.13.0.

Use Delete rule instead.

Permanently remove an alert.

Once you delete an alert, you cannot recover it.

Requestedit

DELETE <kibana host>:<port>/api/alerts/alert/<id>

DELETE <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>

Path parametersedit

id
(Required, string) The ID of the alert that you want to remove.
space_id
(Optional, string) An identifier for the space. If space_id is not provided in the URL, the default space is used.

Response codeedit

200
Indicates a successful call.

Exampleedit

Delete an alert with ID:

$ curl -X DELETE api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35

Legacy disable alert APIedit

Deprecated in 7.13.0.

Use Disable rule instead.

Disable an alert.

Requestedit

POST <kibana host>:<port>/api/alerts/alert/<id>/_disable

POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/_disable

Path parametersedit

id
(Required, string) The ID of the alert that you want to disable.
space_id
(Optional, string) An identifier for the space. If space_id is not provided in the URL, the default space is used.

Response codeedit

200
Indicates a successful call.

Exampleedit

Disable an alert with ID:

$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_disable

Legacy enable alert APIedit

Deprecated in 7.13.0.

Use Enable rule instead.

Enable an alert.

Requestedit

POST <kibana host>:<port>/api/alerts/alert/<id>/_enable

POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/_enable

Path parametersedit

id
(Required, string) The ID of the alert that you want to enable.
space_id
(Optional, string) An identifier for the space. If space_id is not provided in the URL, the default space is used.

Response codeedit

200
Indicates a successful call.

Exampleedit

Enable an alert with ID:

$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_enable

Legacy find alerts APIedit

Deprecated in 7.13.0.

Use Find rules instead.

Retrieve a paginated set of alerts based on condition.

As alerts change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data.

Requestedit

GET <kibana host>:<port>/api/alerts/_find

GET <kibana host>:<port>/s/<space_id>/api/alerts/_find

Path parametersedit

space_id
(Optional, string) An identifier for the space. If space_id is not provided in the URL, the default space is used.

Query Parametersedit

Alert params are stored as a flattened field type and analyzed as keywords.

per_page
(Optional, number) The number of alerts to return per page.
page
(Optional, number) The page number.
search
(Optional, string) An Elasticsearch simple_query_string query that filters the alerts in the response.
default_search_operator
(Optional, string) The operator to use for the simple_query_string. The default is OR.
search_fields
(Optional, array|string) The fields to perform the simple_query_string parsed query against.
fields
(Optional, array|string) The fields to return in the attributes key of the response.
sort_field
(Optional, string) Sorts the response. Could be an alert fields returned in the attributes key of the response.
sort_order
(Optional, string) Sort direction, either asc or desc.
has_reference
(Optional, object) Filters the alerts that have a relations with the reference objects with the specific "type" and "ID".
filter
(Optional, string) A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle". However, If you used a direct attribute of a saved object, such as updatedAt, you will have to define your filter, for example, savedObjectType.updatedAt > 2018-12-22.

Response codeedit

200
Indicates a successful call.

Examplesedit

Find alerts with names that start with my:

$ curl -X GET api/alerts/_find?search_fields=name&search=my*

The API returns the following:

{
  "page": 1,
  "perPage": 10,
  "total": 1,
  "data": [
    {
      "id": "0a037d60-6b62-11eb-9e0d-85d233e3ee35",
      "notifyWhen": "onActionGroupChange",
      "params": {
        "aggType": "avg",
      },
      "consumer": "alerts",
      "alertTypeId": "test.alert.type",
      "schedule": {
        "interval": "1m"
      },
      "actions": [],
      "tags": [],
      "name": "test alert",
      "enabled": true,
      "throttle": null,
      "apiKeyOwner": "elastic",
      "createdBy": "elastic",
      "updatedBy": "elastic",
      "muteAll": false,
      "mutedInstanceIds": [],
      "updatedAt": "2021-02-10T05:37:19.086Z",
      "createdAt": "2021-02-10T05:37:19.086Z",
      "scheduledTaskId": "0b092d90-6b62-11eb-9e0d-85d233e3ee35",
      "executionStatus": {
        "lastExecutionDate": "2021-02-10T17:55:14.262Z",
        "status": "ok"
      }
    },
  ]
}

For parameters that accept multiple values (e.g. fields), repeat the query parameter for each value:

$ curl -X GET api/alerts/_find?fields=id&fields=name

Legacy get alert APIedit

Deprecated in 7.13.0.

Use Get rule instead.

Retrieve an alert by ID.

Requestedit

GET <kibana host>:<port>/api/alerts/alert/<id>

GET <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>

Path parametersedit

id
(Required, string) The ID of the alert to retrieve.
space_id
(Optional, string) An identifier for the space. If space_id is not provided in the URL, the default space is used.

Response codeedit

200
Indicates a successful call.

Exampleedit

Retrieve the alert object with the ID 41893910-6bca-11eb-9e0d-85d233e3ee35:

$ curl -X GET api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35

The API returns the following:

{
  "id": "0a037d60-6b62-11eb-9e0d-85d233e3ee35",
  "notifyWhen": "onActionGroupChange",
  "params": {
    "aggType": "avg",
  },
  "consumer": "alerts",
  "alertTypeId": "test.alert.type",
  "schedule": {
    "interval": "1m"
  },
  "actions": [],
  "tags": [],
  "name": "test alert",
  "enabled": true,
  "throttle": null,
  "apiKeyOwner": "elastic",
  "createdBy": "elastic",
  "updatedBy": "elastic",
  "muteAll": false,
  "mutedInstanceIds": [],
  "updatedAt": "2021-02-10T05:37:19.086Z",
  "createdAt": "2021-02-10T05:37:19.086Z",
  "scheduledTaskId": "0b092d90-6b62-11eb-9e0d-85d233e3ee35",
  "executionStatus": {
    "lastExecutionDate": "2021-02-10T17:55:14.262Z",
    "status": "ok"
  }
}

Legacy get Alerting framework health APIedit

Deprecated in 7.13.0.

Use Get alerting framework health instead.

Retrieve the health status of the Alerting framework.

Requestedit

GET <kibana host>:<port>/api/alerts/_health

GET <kibana host>:<port>/s/<space_id>/api/alerts/_health

Path parametersedit

space_id
(Optional, string) An identifier for the space. If space_id is not provided in the URL, the default space is used.

Response codeedit

200
Indicates a successful call.

Exampleedit

Retrieve the health status of the Alerting framework:

$ curl -X GET api/alerts/_health

The API returns the following:

{
   "isSufficientlySecure":true,
   "hasPermanentEncryptionKey":true,
   "alertingFrameworkHealth":{
      "decryptionHealth":{
         "status":"ok",
         "timestamp":"2021-02-10T23:35:04.949Z"
      },
      "executionHealth":{
         "status":"ok",
         "timestamp":"2021-02-10T23:35:04.949Z"
      },
      "readHealth":{
         "status":"ok",
         "timestamp":"2021-02-10T23:35:04.949Z"
      }
   }
}

The health API response contains the following properties:

isSufficientlySecure

Returns false if security is enabled, but TLS is not.

hasPermanentEncryptionKey

Return the state false if Encrypted Saved Object plugin has not a permanent encryption Key.

alertingFrameworkHealth

This state property has three substates that identify the health of the alerting framework API: decryptionHealth, executionHealth, and readHealth.

alertingFrameworkHealth consists of the following properties:

decryptionHealth

Returns the timestamp and status of the alert decryption: ok, warn or error .

executionHealth

Returns the timestamp and status of the alert execution: ok, warn or error.

readHealth

Returns the timestamp and status of the alert reading events: ok, warn or error.

Legacy list alert types APIedit

Deprecated in 7.13.0.

Use Get rule types instead.

Retrieve a list of all alert types.

Requestedit

GET <kibana host>:<port>/api/alerts/list_alert_types

GET <kibana host>:<port>/s/<space_id>/api/alerts/list_alert_types

Path parametersedit

space_id
(Optional, string) An identifier for the space. If space_id is not provided in the URL, the default space is used.

Response codeedit

200
Indicates a successful call.

Exampleedit

$ curl -X GET api/alerts/list_alert_types

The API returns the following:

[
   {
      "id":".index-threshold",
      "name":"Index threshold",
      "actionGroups":[
         {
            "id":"threshold met",
            "name":"Threshold met"
         },
         {
            "id":"recovered",
            "name":"Recovered"
         }
      ],
      "recoveryActionGroup":{
         "id":"recovered",
         "name":"Recovered"
      },
      "defaultActionGroupId":"threshold met",
      "actionVariables":{
         "context":[
            {
               "name":"message",
               "description":"A pre-constructed message for the alert."
            },
         ],
         "state":[],
         "params":[
            {
               "name":"threshold",
               "description":"An array of values to use as the threshold; 'between' and 'notBetween' require two values, the others require one."
            },
            {
               "name":"index",
               "description":"index"
            },
         ]
      },
      "producer":"stackAlerts",
      "minimumLicenseRequired":"basic",
      "isExportable":true,
      "enabledInLicense":true,
      "authorizedConsumers":{
         "alerts":{
            "read":true,
            "all":true
         },
         "stackAlerts":{
            "read":true,
            "all":true
         },
         "uptime":{
            "read":true,
            "all":true
         }
      }
   }
]

Each alert type contains the following properties:

name

The descriptive name of the alert type.

id

The unique ID of the alert type.

minimumLicenseRequired

The license required to use the alert type.

isExportable

Whether the rule type is exportable through the Saved Objects Management UI.

enabledInLicense

Whether the alert type is enabled or disabled based on the license.

actionGroups

An explicit list of groups for which the alert type can schedule actions, each with the action group’s unique ID and human readable name. Alert actions validation will use this configuration to ensure that groups are valid. Use kbn-i18n to translate the names of the action group when registering the alert type.

recoveryActionGroup

An action group to use when an alert instance goes from an active state, to an inactive one. Do not specify this action group under the actionGroups property. If recoveryActionGroup is not specified, the default recovered action group is used.

defaultActionGroupId

The default ID for the alert type group.

actionVariables

An explicit list of action variables that the alert type makes available via context and state in action parameter templates, and a short human readable description. The Alert UI will use this information to prompt users for these variables in action parameter editors. Use kbn-i18n to translate the descriptions.

producer

The ID of the application producing this alert type.

authorizedConsumers

The list of the plugins IDs that have access to the alert type.

Legacy mute alert instance APIedit

Deprecated in 7.13.0.

Use Mute alert instead.

Mute an alert instance.

Requestedit

POST <kibana host>:<port>/api/alerts/alert/<id>/alert_instance/<alert_instance_id>/_mute

POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/alert_instance/<alert_instance_id>/_mute

Path parametersedit

id
(Required, string) The ID of the alert whose instance you want to mute.
alert_instance_id
(Required, string) The ID of the alert instance that you want to mute.
space_id
(Optional, string) An identifier for the space. If space_id is not provided in the URL, the default space is used.

Response codeedit

200
Indicates a successful call.

Exampleedit

Mute alert instance with ID:

$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/alert_instance/dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2/_mute

Legacy mute all alert instances APIedit

Deprecated in 7.13.0.

Use Mute all alerts instead.

Mute all alert instances.

Requestedit

POST <kibana host>:<port>/api/alerts/alert/<id>/_mute_all

POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/_mute_all

Path parametersedit

id
(Required, string) The ID of the alert whose instances you want to mute.
space_id
(Optional, string) An identifier for the space. If space_id is not provided in the URL, the default space is used.

Response codeedit

200
Indicates a successful call.

Exampleedit

Mute all alert instances with ID:

$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_mute_all

Legacy unmute alert instance APIedit

Deprecated in 7.13.0.

Use Unmute alert instead.

Unmute an alert instance.

Requestedit

POST <kibana host>:<port>/api/alerts/alert/<id>/alert_instance/<alert_instance_id>/_unmute

POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/alert_instance/<alert_instance_id>/_unmute

Path parametersedit

id
(Required, string) The ID of the alert whose instance you want to mute..
alert_instance_id
(Required, string) The ID of the alert instance that you want to unmute.
space_id
(Optional, string) An identifier for the space. If space_id is not provided in the URL, the default space is used.

Response codeedit

200
Indicates a successful call.

Exampleedit

Unmute alert instance with ID:

$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/alert_instance/dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2/_unmute

Legacy unmute all alert instances APIedit

Deprecated in 7.13.0.

Use Unmute all alerts instead.

Unmute all alert instances.

Requestedit

POST <kibana host>:<port>/api/alerts/alert/<id>/_unmute_all

POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/_unmute_all

Path parametersedit

id
(Required, string) The ID of the alert whose instances you want to unmute.
space_id
(Optional, string) An identifier for the space. If space_id is not provided in the URL, the default space is used.

Response codeedit

200
Indicates a successful call.

Exampleedit

Unmute all alert instances with ID:

$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_unmute_all

Legacy update alert APIedit

Deprecated in 7.13.0.

Use Update rule instead.

Update the attributes for an existing alert.

Requestedit

PUT <kibana host>:<port>/api/alerts/alert/<id>

PUT <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>

Path parametersedit

id
(Required, string) The ID of the alert that you want to update.
space_id
(Optional, string) An identifier for the space. If space_id is not provided in the URL, the default space is used.

Request bodyedit

name
(Required, string) A name to reference and search.
tags
(Optional, string array) A list of keywords to reference and search.
schedule

(Required, object) When to run this alert. Use one of the available schedule formats.

Schedule Formats.

A schedule uses a key: value format. Kibana currently supports the Interval format , which specifies the interval in seconds, minutes, hours, or days at which to execute the alert.

Example: { interval: "10s" }, { interval: "5m" }, { interval: "1h" }, { interval: "1d" }.

throttle
(Optional, string) How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of 10m or 1h will prevent it from sending 90 notifications during this period.
notifyWhen
(Required, string) The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval.
params
(Required, object) The parameters to pass to the alert type executor params value. This will also validate against the alert type params validator, if defined.
actions

(Optional, object array) An array of the following action objects.

Properties of the action objects:
group
(Required, string) Grouping actions is recommended for escalations for different types of alert instances. If you don’t need this, set the value to default.
id
(Required, string) The ID of the action that saved object executes.
actionTypeId
(Required, string) The id of the action type.
params
(Required, object) The map to the params that the action type will receive. params are handled as Mustache templates and passed a default set of context.

Response codeedit

200
Indicates a successful call.

Exampleedit

Update an alert with ID ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 with a different name:

$ curl -X PUT api/alerts/alert/ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74

{
  "notifyWhen": "onActionGroupChange",
  "params": {
    "aggType": "avg",
  },
  "schedule": {
    "interval": "1m"
  },
  "actions": [],
  "tags": [],
  "name": "new name",
  "throttle": null,
}

The API returns the following:

{
  "id": "ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74",
  "notifyWhen": "onActionGroupChange",
  "params": {
    "aggType": "avg",
  },
  "consumer": "alerts",
  "alertTypeId": "test.alert.type",
  "schedule": {
    "interval": "1m"
  },
  "actions": [],
  "tags": [],
  "name": "new name",
  "enabled": true,
  "throttle": null,
  "apiKeyOwner": "elastic",
  "createdBy": "elastic",
  "updatedBy": "elastic",
  "muteAll": false,
  "mutedInstanceIds": [],
  "updatedAt": "2021-02-10T05:37:19.086Z",
  "createdAt": "2021-02-10T05:37:19.086Z",
  "scheduledTaskId": "0b092d90-6b62-11eb-9e0d-85d233e3ee35",
  "executionStatus": {
    "lastExecutionDate": "2021-02-10T17:55:14.262Z",
    "status": "ok"
  }
}