Alert and rule APIs
This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Access
- API key (parameter name: ApiKey; sent in a request header, not in the query string)
- HTTP Basic Authentication
Methods
Table of Contents
Alerting
post /s/{spaceId}/api/alerting/rule
post /s/{spaceId}/api/alerting/rule/{ruleId}
delete /s/{spaceId}/api/alerting/rule/{ruleId}
post /s/{spaceId}/api/alerting/rule/{ruleId}/_disable
post /s/{spaceId}/api/alerting/rule/{ruleId}/_enable
get /s/{spaceId}/api/alerting/rules/_find
get /s/{spaceId}/api/alerting/_health
get /s/{spaceId}/api/alerting/rule/{ruleId}
get /s/{spaceId}/api/alerting/rule_types
post /s/{spaceId}/api/alerts/alert/{alertId}
post /s/{spaceId}/api/alerts/alert/{alertId}/_disable
post /s/{spaceId}/api/alerts/alert/{alertId}/_enable
get /s/{spaceId}/api/alerts/alerts/_find
get /s/{spaceId}/api/alerts/alert/{alertId}
get /s/{spaceId}/api/alerts/alerts/list_alert_types
get /s/{spaceId}/api/alerts/alerts/_health
post /s/{spaceId}/api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_mute
post /s/{spaceId}/api/alerts/alert/{alertId}/_mute_all
post /s/{spaceId}/api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_unmute
post /s/{spaceId}/api/alerts/alert/{alertId}/_unmute_all
put /s/{spaceId}/api/alerts/alert/{alertId}
delete /s/{spaceId}/api/alerts/alert/{alertId}
post /s/{spaceId}/api/alerting/rule/{ruleId}/alert/{alertId}/_mute
post /s/{spaceId}/api/alerting/rule/{ruleId}/_mute_all
post /s/{spaceId}/api/alerting/rule/{ruleId}/alert/{alertId}/_unmute
post /s/{spaceId}/api/alerting/rule/{ruleId}/_unmute_all
put /s/{spaceId}/api/alerting/rule/{ruleId}
post /s/{spaceId}/api/alerting/rule/{ruleId}/_update_api_key
Alerting
post /s/{spaceId}/api/alerting/rule
Creates a rule with a randomly generated rule identifier. (createRule)
To create a rule, you must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule you're creating. For example, you must have privileges for the Management > Stack rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature. This API supports both key- and token-based authentication. To use key-based authentication, create an API key in Kibana and use it in the header of the API call. To use token-based authentication, provide a username and password; an API key that matches the current privileges of the user is created automatically. In both cases, the API key is subsequently used for authorization when the rule runs.
Path parameters
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Consumes
This API call consumes the following media types via the Content-Type request header: application/json
Request body
create_rule_request (required)
Body Parameter — the create_rule_request model
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Return type
Example data
Content-Type: application/json
{
"throttle" : "10m",
"created_at" : "2022-12-05T23:36:58.284Z",
"api_key_created_by_user" : false,
"enabled" : true,
"running" : true,
"notify_when" : "notify_when",
"next_run" : "2022-12-06T00:14:43.818Z",
"updated_at" : "2022-12-05T23:36:58.284Z",
"execution_status" : {
"last_execution_date" : "2022-12-06T00:13:43.89Z",
"last_duration" : 55,
"status" : "ok"
},
"scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
"id" : "b530fed0-74f5-11ed-9801-35303b735aef",
"consumer" : "alerts",
"last_run" : {
"alerts_count" : {
"ignored" : 6,
"new" : 1,
"recovered" : 5,
"active" : 0
},
"outcome_msg" : [ "outcome_msg", "outcome_msg" ],
"outcome_order" : 5,
"warning" : "warning",
"outcome" : "succeeded"
},
"params" : {
"key" : ""
},
"created_by" : "elastic",
"muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
"rule_type_id" : "monitoring_alert_cluster_health",
"revision" : 2,
"tags" : [ "tags", "tags" ],
"api_key_owner" : "elastic",
"schedule" : {
"interval" : "1m"
},
"name" : "cluster_health_rule",
"updated_by" : "elastic",
"mute_all" : false,
"actions" : [ {
"alerts_filter" : {
"timeframe" : {
"hours" : {
"start" : "08:00",
"end" : "17:00"
},
"timezone" : "Europe/Madrid",
"days" : [ 1, 2, 3, 4, 5 ]
},
"query" : {
"kql" : "kql",
"filters" : [ {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
}, {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
} ]
}
},
"id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
"params" : {
"key" : ""
},
"uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"connector_type_id" : ".server-log",
"frequency" : {
"summary" : true,
"throttle" : "10m",
"notify_when" : "onActiveAlert"
},
"group" : "default"
}, {
"alerts_filter" : {
"timeframe" : {
"hours" : {
"start" : "08:00",
"end" : "17:00"
},
"timezone" : "Europe/Madrid",
"days" : [ 1, 2, 3, 4, 5 ]
},
"query" : {
"kql" : "kql",
"filters" : [ {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
}, {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
} ]
}
},
"id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
"params" : {
"key" : ""
},
"uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"connector_type_id" : ".server-log",
"frequency" : {
"summary" : true,
"throttle" : "10m",
"notify_when" : "onActiveAlert"
},
"group" : "default"
} ]
}
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
200
Indicates a successful call. rule_response_properties
401
Authorization information is missing or invalid. 401_response
404
Object is not found. 404_response
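Assembling a createRule / createRuleId call in Python, as an added example that is not part of Kibana's documentation or code: it shows the /s/{spaceId} prefix (and the default space when it is omitted), the mandatory kbn-xsrf header, both authentication schemes from the Access list, and the v1/v4 check on an explicit ruleId. The host name, key id and secret, and the connector id are constructed placeholders; the required-field list for create_rule_request (whose model is not reproduced in this section) and the Authorization: ApiKey base64(id:key) encoding follow Kibana's API documentation rather than this page.

```python
"""Assemble (but do not send) a Kibana createRule / createRuleId call.

Added example; not Kibana code. Host, key id/secret and connector id below
are constructed placeholders.
"""
import base64
import json
import urllib.parse
import urllib.request
import uuid

KIBANA_URL = "https://kibana.example.invalid:5601"  # constructed placeholder

# Constructed body using the page's sample values; the required keys follow
# the create_rule_request model of the Kibana create rule API (not shown here).
SAMPLE_RULE = {
    "name": "cluster_health_rule",
    "rule_type_id": "monitoring_alert_cluster_health",
    "consumer": "alerts",
    "schedule": {"interval": "1m"},
    "params": {},
    "tags": ["managed-by-automation"],
    "actions": [{
        "id": "CONNECTOR-ID-PLACEHOLDER",  # id of an existing connector
        "group": "default",
        "params": {},
        "frequency": {"summary": True, "notify_when": "onActiveAlert", "throttle": "10m"},
    }],
}
REQUIRED_KEYS = {"name", "rule_type_id", "consumer", "schedule", "params"}


def space_path(path, space_id=None):
    """Prefix with /s/{spaceId}; omitting both selects the default space."""
    if not space_id:
        return path
    return f"/s/{urllib.parse.quote(space_id, safe='')}{path}"


def api_key_auth_header(key_id, api_key):
    """Key-based scheme: Authorization: ApiKey base64(id:key)."""
    token = base64.b64encode(f"{key_id}:{api_key}".encode()).decode()
    return f"ApiKey {token}"


def basic_auth_header(username, password):
    """Token-based scheme: HTTP Basic. Kibana then creates an API key with the
    caller's current privileges, and the rule keeps running with that key."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def build_create_rule_request(base_url, auth_header, rule, space_id=None, rule_id=None):
    """Return an unsent POST to /s/{spaceId}/api/alerting/rule[/{ruleId}]."""
    missing = REQUIRED_KEYS - set(rule)
    if missing:
        raise ValueError(f"rule body is missing {sorted(missing)}")
    path = "/api/alerting/rule"
    if rule_id is not None:
        # The page allows only UUID v1 or v4 identifiers for an explicit ruleId.
        if uuid.UUID(rule_id).version not in (1, 4):
            raise ValueError("ruleId must be a UUID v1 or v4")
        path += f"/{rule_id}"
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        # Required on every call: Kibana rejects requests without this custom
        # header, which is what keeps a cross-site form post from creating
        # rules with a logged-in user's session.
        "kbn-xsrf": "true",
        "Authorization": auth_header,
    }
    return urllib.request.Request(
        base_url + space_path(path, space_id),
        data=json.dumps(rule).encode(),
        headers=headers,
        method="POST",
    )


if __name__ == "__main__":
    req = build_create_rule_request(
        KIBANA_URL, api_key_auth_header("KEY-ID", "KEY-SECRET"), SAMPLE_RULE,
        space_id="security-team", rule_id="b530fed0-74f5-11ed-9801-35303b735aef")
    print(req.get_method(), req.full_url)
    # Sending it: urllib.request.urlopen(req) returns rule_response_properties JSON.
```

Whichever scheme you pick, the key recorded as api_key_owner in the response is what the rule runs with from then on, so a rule created with a personal Basic login keeps that person's privileges until _update_api_key is called.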
post /s/{spaceId}/api/alerting/rule/{ruleId}
Creates a rule with a specific rule identifier. (createRuleId)
To create a rule, you must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule you're creating. For example, you must have privileges for the Management > Stack rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature. This API supports both key- and token-based authentication. To use key-based authentication, create an API key in Kibana and use it in the header of the API call. To use token-based authentication, provide a username and password; an API key that matches the current privileges of the user is created automatically. In both cases, the API key is subsequently used for authorization when the rule runs.
Path parameters
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
ruleId (required)
Path Parameter — A UUID v1 or v4 identifier for the rule. If you omit this parameter, an identifier is randomly generated. default: null
Consumes
This API call consumes the following media types via the Content-Type request header: application/json
Request body
create_rule_request (required)
Body Parameter — the create_rule_request model
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Return type
Example data
Content-Type: application/json
{
"throttle" : "10m",
"created_at" : "2022-12-05T23:36:58.284Z",
"api_key_created_by_user" : false,
"enabled" : true,
"running" : true,
"notify_when" : "notify_when",
"next_run" : "2022-12-06T00:14:43.818Z",
"updated_at" : "2022-12-05T23:36:58.284Z",
"execution_status" : {
"last_execution_date" : "2022-12-06T00:13:43.89Z",
"last_duration" : 55,
"status" : "ok"
},
"scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
"id" : "b530fed0-74f5-11ed-9801-35303b735aef",
"consumer" : "alerts",
"last_run" : {
"alerts_count" : {
"ignored" : 6,
"new" : 1,
"recovered" : 5,
"active" : 0
},
"outcome_msg" : [ "outcome_msg", "outcome_msg" ],
"outcome_order" : 5,
"warning" : "warning",
"outcome" : "succeeded"
},
"params" : {
"key" : ""
},
"created_by" : "elastic",
"muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
"rule_type_id" : "monitoring_alert_cluster_health",
"revision" : 2,
"tags" : [ "tags", "tags" ],
"api_key_owner" : "elastic",
"schedule" : {
"interval" : "1m"
},
"name" : "cluster_health_rule",
"updated_by" : "elastic",
"mute_all" : false,
"actions" : [ {
"alerts_filter" : {
"timeframe" : {
"hours" : {
"start" : "08:00",
"end" : "17:00"
},
"timezone" : "Europe/Madrid",
"days" : [ 1, 2, 3, 4, 5 ]
},
"query" : {
"kql" : "kql",
"filters" : [ {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
}, {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
} ]
}
},
"id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
"params" : {
"key" : ""
},
"uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"connector_type_id" : ".server-log",
"frequency" : {
"summary" : true,
"throttle" : "10m",
"notify_when" : "onActiveAlert"
},
"group" : "default"
}, {
"alerts_filter" : {
"timeframe" : {
"hours" : {
"start" : "08:00",
"end" : "17:00"
},
"timezone" : "Europe/Madrid",
"days" : [ 1, 2, 3, 4, 5 ]
},
"query" : {
"kql" : "kql",
"filters" : [ {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
}, {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
} ]
}
},
"id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
"params" : {
"key" : ""
},
"uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"connector_type_id" : ".server-log",
"frequency" : {
"summary" : true,
"throttle" : "10m",
"notify_when" : "onActiveAlert"
},
"group" : "default"
} ]
}
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
200
Indicates a successful call. rule_response_properties
401
Authorization information is missing or invalid. 401_response
404
Object is not found. 404_response
delete /s/{spaceId}/api/alerting/rule/{ruleId}
Deletes a rule. (deleteRule)
To delete a rule, you must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule you're deleting. For example, the Management > Stack Rules feature, Analytics > Discover or Machine Learning features, Observability, or Security features. WARNING: After you delete a rule, you cannot recover it. If the API key that is used by the rule was created automatically, it is deleted.
Path parameters
ruleId (required)
Path Parameter — An identifier for the rule. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
204
Indicates a successful call.
401
Authorization information is missing or invalid. 401_response
404
Object is not found. 404_response
post /s/{spaceId}/api/alerting/rule/{ruleId}/_disable
Disables a rule. (disableRule)
You must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features.
Path parameters
ruleId (required)
Path Parameter — An identifier for the rule. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
204
Indicates a successful call.
401
Authorization information is missing or invalid. 401_response
404
Object is not found. 404_response
post /s/{spaceId}/api/alerting/rule/{ruleId}/_enable
Enables a rule. (enableRule)
To enable a rule, you must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features. This API supports both key- and token-based authentication. To use key-based authentication, create an API key in Kibana and use it in the header of the API call. To use token-based authentication, provide a username and password; an API key that matches the current privileges of the user is created automatically. In both cases, the API key is subsequently used for authorization when the rule runs.
Path parameters
ruleId (required)
Path Parameter — An identifier for the rule. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
204
Indicates a successful call.
401
Authorization information is missing or invalid. 401_response
404
Object is not found. 404_response
get /s/{spaceId}/api/alerting/rules/_find
Retrieves information about rules. (findRules)
You must have read privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rules you're seeking. For example, you must have privileges for the Management > Stack rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. To find rules associated with the Stack Monitoring feature, use the monitoring_user built-in role.
Path parameters
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Query parameters
default_search_operator (optional)
Query Parameter — The default operator to use for the simple_query_string. default: OR
fields (optional)
Query Parameter — The fields to return in the attributes key of the response. default: null
filter (optional)
Query Parameter — A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle". However, if you used a direct attribute of a saved object, such as updatedAt, you must define your filter, for example, savedObjectType.updatedAt > 2018-12-22. default: null
has_reference (optional)
Query Parameter — Filters the rules that have a relation with the reference objects with a specific type and identifier. default: null
page (optional)
Query Parameter — The page number to return. default: 1
per_page (optional)
Query Parameter — The number of rules to return per page. default: 20
search (optional)
Query Parameter — An Elasticsearch simple_query_string query that filters the objects in the response. default: null
search_fields (optional)
Query Parameter — The fields to perform the simple_query_string parsed query against. default: null
sort_field (optional)
Query Parameter — Determines which field is used to sort the results. The field must exist in the attributes key of the response. default: null
sort_order (optional)
Query Parameter — Determines the sort order. default: desc
Return type
Example data
Content-Type: application/json
{
"per_page" : 6,
"total" : 1,
"data" : [ {
"throttle" : "10m",
"created_at" : "2022-12-05T23:36:58.284Z",
"api_key_created_by_user" : false,
"enabled" : true,
"running" : true,
"notify_when" : "notify_when",
"next_run" : "2022-12-06T00:14:43.818Z",
"updated_at" : "2022-12-05T23:36:58.284Z",
"execution_status" : {
"last_execution_date" : "2022-12-06T00:13:43.89Z",
"last_duration" : 55,
"status" : "ok"
},
"scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
"id" : "b530fed0-74f5-11ed-9801-35303b735aef",
"consumer" : "alerts",
"last_run" : {
"alerts_count" : {
"ignored" : 6,
"new" : 1,
"recovered" : 5,
"active" : 0
},
"outcome_msg" : [ "outcome_msg", "outcome_msg" ],
"outcome_order" : 5,
"warning" : "warning",
"outcome" : "succeeded"
},
"params" : {
"key" : ""
},
"created_by" : "elastic",
"muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
"rule_type_id" : "monitoring_alert_cluster_health",
"revision" : 2,
"tags" : [ "tags", "tags" ],
"api_key_owner" : "elastic",
"schedule" : {
"interval" : "1m"
},
"name" : "cluster_health_rule",
"updated_by" : "elastic",
"mute_all" : false,
"actions" : [ {
"alerts_filter" : {
"timeframe" : {
"hours" : {
"start" : "08:00",
"end" : "17:00"
},
"timezone" : "Europe/Madrid",
"days" : [ 1, 2, 3, 4, 5 ]
},
"query" : {
"kql" : "kql",
"filters" : [ {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
}, {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
} ]
}
},
"id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
"params" : {
"key" : ""
},
"uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"connector_type_id" : ".server-log",
"frequency" : {
"summary" : true,
"throttle" : "10m",
"notify_when" : "onActiveAlert"
},
"group" : "default"
}, {
"alerts_filter" : {
"timeframe" : {
"hours" : {
"start" : "08:00",
"end" : "17:00"
},
"timezone" : "Europe/Madrid",
"days" : [ 1, 2, 3, 4, 5 ]
},
"query" : {
"kql" : "kql",
"filters" : [ {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
}, {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
} ]
}
},
"id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
"params" : {
"key" : ""
},
"uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"connector_type_id" : ".server-log",
"frequency" : {
"summary" : true,
"throttle" : "10m",
"notify_when" : "onActiveAlert"
},
"group" : "default"
} ]
}, {
"throttle" : "10m",
"created_at" : "2022-12-05T23:36:58.284Z",
"api_key_created_by_user" : false,
"enabled" : true,
"running" : true,
"notify_when" : "notify_when",
"next_run" : "2022-12-06T00:14:43.818Z",
"updated_at" : "2022-12-05T23:36:58.284Z",
"execution_status" : {
"last_execution_date" : "2022-12-06T00:13:43.89Z",
"last_duration" : 55,
"status" : "ok"
},
"scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
"id" : "b530fed0-74f5-11ed-9801-35303b735aef",
"consumer" : "alerts",
"last_run" : {
"alerts_count" : {
"ignored" : 6,
"new" : 1,
"recovered" : 5,
"active" : 0
},
"outcome_msg" : [ "outcome_msg", "outcome_msg" ],
"outcome_order" : 5,
"warning" : "warning",
"outcome" : "succeeded"
},
"params" : {
"key" : ""
},
"created_by" : "elastic",
"muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
"rule_type_id" : "monitoring_alert_cluster_health",
"revision" : 2,
"tags" : [ "tags", "tags" ],
"api_key_owner" : "elastic",
"schedule" : {
"interval" : "1m"
},
"name" : "cluster_health_rule",
"updated_by" : "elastic",
"mute_all" : false,
"actions" : [ {
"alerts_filter" : {
"timeframe" : {
"hours" : {
"start" : "08:00",
"end" : "17:00"
},
"timezone" : "Europe/Madrid",
"days" : [ 1, 2, 3, 4, 5 ]
},
"query" : {
"kql" : "kql",
"filters" : [ {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
}, {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
} ]
}
},
"id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
"params" : {
"key" : ""
},
"uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"connector_type_id" : ".server-log",
"frequency" : {
"summary" : true,
"throttle" : "10m",
"notify_when" : "onActiveAlert"
},
"group" : "default"
}, {
"alerts_filter" : {
"timeframe" : {
"hours" : {
"start" : "08:00",
"end" : "17:00"
},
"timezone" : "Europe/Madrid",
"days" : [ 1, 2, 3, 4, 5 ]
},
"query" : {
"kql" : "kql",
"filters" : [ {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
}, {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
} ]
}
},
"id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
"params" : {
"key" : ""
},
"uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"connector_type_id" : ".server-log",
"frequency" : {
"summary" : true,
"throttle" : "10m",
"notify_when" : "onActiveAlert"
},
"group" : "default"
} ]
} ],
"page" : 0
}
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
200
Indicates a successful call. findRules_200_response
401
Authorization information is missing or invalid. 401_response
get /s/{spaceId}/api/alerting/_health
Retrieves the health status of the alerting framework. (getAlertingHealth)
You must have read privileges for the Management > Stack Rules feature or for at least one of the Analytics > Discover, Analytics > Machine Learning, Observability, or Security features.
Path parameters
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Return type
Example data
Content-Type: application/json
{
"alerting_framework_health" : {
"execution_health" : {
"status" : "ok",
"timestamp" : "2023-01-13T01:28:00.28Z"
},
"read_health" : {
"status" : "ok",
"timestamp" : "2023-01-13T01:28:00.28Z"
},
"decryption_health" : {
"status" : "ok",
"timestamp" : "2023-01-13T01:28:00.28Z"
}
},
"has_permanent_encryption_key" : true,
"is_sufficiently_secure" : true
}
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
200
Indicates a successful call. getAlertingHealth_200_response
401
Authorization information is missing or invalid. 401_response
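A defender-side review over findRules and getAlertingHealth results, added here as an example that is not Kibana's own code and covering both endpoints: it encodes the _find query string, pages through results until total is reached, and flags rules whose api_key_owner is not on an approved list, whose key was created by a user (deleteRule only removes keys Kibana created automatically), that are muted, or whose last run did not end in status ok; a second function reads the health document. The two sample pages and the health response are constructed in the shapes of findRules_200_response and getAlertingHealth_200_response; the saved object type name alert used in the KQL filter and the encryptedSavedObjects setting name are assumptions taken from Kibana's documentation rather than from this page.

```python
"""Page through findRules and review rules and framework health.

Added example; not Kibana code. The sample pages and health document are
constructed in the shape of findRules_200_response / getAlertingHealth_200_response.
"""
import urllib.parse

# Constructed: two one-rule pages so that paging is exercised.
SAMPLE_PAGES = {
    1: {"page": 1, "per_page": 1, "total": 2, "data": [{
        "id": "b530fed0-74f5-11ed-9801-35303b735aef", "name": "cluster_health_rule",
        "enabled": True, "api_key_owner": "elastic", "api_key_created_by_user": False,
        "mute_all": False, "muted_alert_ids": [], "execution_status": {"status": "ok"}}]},
    2: {"page": 2, "per_page": 1, "total": 2, "data": [{
        "id": "9dca3e00-74f5-11ed-9801-35303b735aef", "name": "failed_logins_rule",
        "enabled": True, "api_key_owner": "former.analyst", "api_key_created_by_user": True,
        "mute_all": True, "muted_alert_ids": ["host-42"], "execution_status": {"status": "error"}}]},
}
# Constructed: decryption degraded and no permanent encryption key.
SAMPLE_HEALTH = {
    "alerting_framework_health": {
        "execution_health": {"status": "ok", "timestamp": "2023-01-13T01:28:00.28Z"},
        "read_health": {"status": "ok", "timestamp": "2023-01-13T01:28:00.28Z"},
        "decryption_health": {"status": "error", "timestamp": "2023-01-13T01:28:00.28Z"},
    },
    "has_permanent_encryption_key": False,
    "is_sufficiently_secure": True,
}


def find_rules_query(filter_kql=None, search=None, page=1, per_page=20,
                     sort_field=None, sort_order="desc", fields=()):
    """Build the _find query string; every value is URL-encoded, never spliced in."""
    params = {"page": page, "per_page": per_page, "sort_order": sort_order}
    if filter_kql:
        params["filter"] = filter_kql
    if search:
        params["search"] = search
    if sort_field:
        params["sort_field"] = sort_field
    if fields:
        params["fields"] = list(fields)
    return urllib.parse.urlencode(params, doseq=True)


def iter_rules(fetch_page):
    """Yield every rule; fetch_page(n) returns the decoded response for page n."""
    page = 1
    while True:
        resp = fetch_page(page)
        yield from resp["data"]
        if not resp["data"] or page * resp["per_page"] >= resp["total"]:
            return
        page += 1


def audit_rules(rules, approved_owners):
    """Return (rule_id, field, detail) findings a reviewer should look at."""
    findings = []
    for r in rules:
        rid, owner = r["id"], r.get("api_key_owner")
        status = r.get("execution_status", {}).get("status")
        if owner not in approved_owners:
            # The rule keeps running with this key's privileges (see createRule).
            findings.append((rid, "api_key_owner", f"runs as {owner!r}, not an approved owner"))
        if r.get("api_key_created_by_user"):
            # deleteRule only removes keys Kibana created automatically.
            findings.append((rid, "api_key_created_by_user", "user-managed key; rotate it yourself"))
        if r.get("mute_all"):
            findings.append((rid, "mute_all", "every alert from this rule is muted"))
        if r.get("muted_alert_ids"):
            findings.append((rid, "muted_alert_ids", f"{len(r['muted_alert_ids'])} alert(s) muted"))
        if status != "ok":
            findings.append((rid, "execution_status", f"last run status {status!r}"))
    return findings


def audit_health(health):
    """Return (field, detail) findings from a getAlertingHealth response."""
    findings = []
    fw = health["alerting_framework_health"]
    for component in ("execution_health", "read_health", "decryption_health"):
        part = fw.get(component, {})
        if part.get("status") != "ok":
            findings.append((component, f"status {part.get('status')!r} at {part.get('timestamp')}"))
    if not health.get("has_permanent_encryption_key"):
        # Without a fixed xpack.encryptedSavedObjects.encryptionKey (Kibana
        # setting, not on this page) stored rule API keys cannot be decrypted
        # after a restart, so rules stop running.
        findings.append(("has_permanent_encryption_key", "no permanent encryption key configured"))
    if not health.get("is_sufficiently_secure"):
        findings.append(("is_sufficiently_secure", "framework reports it is not sufficiently secure"))
    return findings


if __name__ == "__main__":
    print(find_rules_query(filter_kql='alert.attributes.tags: "prod"', per_page=50))
    for f in audit_rules(iter_rules(SAMPLE_PAGES.__getitem__), {"elastic"}):
        print(*f)
    for f in audit_health(SAMPLE_HEALTH):
        print(*f)
```

In a live run fetch_page would issue the GET with the query string from find_rules_query and the same kbn-xsrf and Authorization headers as any other call; the rule findings are the ones to route to whoever owns the rule, and the health findings to whoever operates Kibana.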
get /s/{spaceId}/api/alerting/rule/{ruleId}
Retrieves a rule by its identifier. (getRule)
You must have read privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rules you're seeking. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. To get rules associated with the Stack Monitoring feature, use the monitoring_user built-in role.
Path parameters
ruleId (required)
Path Parameter — An identifier for the rule. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Return type
Example data
Content-Type: application/json
{
"throttle" : "10m",
"created_at" : "2022-12-05T23:36:58.284Z",
"api_key_created_by_user" : false,
"enabled" : true,
"running" : true,
"notify_when" : "notify_when",
"next_run" : "2022-12-06T00:14:43.818Z",
"updated_at" : "2022-12-05T23:36:58.284Z",
"execution_status" : {
"last_execution_date" : "2022-12-06T00:13:43.89Z",
"last_duration" : 55,
"status" : "ok"
},
"scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
"id" : "b530fed0-74f5-11ed-9801-35303b735aef",
"consumer" : "alerts",
"last_run" : {
"alerts_count" : {
"ignored" : 6,
"new" : 1,
"recovered" : 5,
"active" : 0
},
"outcome_msg" : [ "outcome_msg", "outcome_msg" ],
"outcome_order" : 5,
"warning" : "warning",
"outcome" : "succeeded"
},
"params" : {
"key" : ""
},
"created_by" : "elastic",
"muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
"rule_type_id" : "monitoring_alert_cluster_health",
"revision" : 2,
"tags" : [ "tags", "tags" ],
"api_key_owner" : "elastic",
"schedule" : {
"interval" : "1m"
},
"name" : "cluster_health_rule",
"updated_by" : "elastic",
"mute_all" : false,
"actions" : [ {
"alerts_filter" : {
"timeframe" : {
"hours" : {
"start" : "08:00",
"end" : "17:00"
},
"timezone" : "Europe/Madrid",
"days" : [ 1, 2, 3, 4, 5 ]
},
"query" : {
"kql" : "kql",
"filters" : [ {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
}, {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
} ]
}
},
"id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
"params" : {
"key" : ""
},
"uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"connector_type_id" : ".server-log",
"frequency" : {
"summary" : true,
"throttle" : "10m",
"notify_when" : "onActiveAlert"
},
"group" : "default"
}, {
"alerts_filter" : {
"timeframe" : {
"hours" : {
"start" : "08:00",
"end" : "17:00"
},
"timezone" : "Europe/Madrid",
"days" : [ 1, 2, 3, 4, 5 ]
},
"query" : {
"kql" : "kql",
"filters" : [ {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
}, {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
} ]
}
},
"id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
"params" : {
"key" : ""
},
"uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"connector_type_id" : ".server-log",
"frequency" : {
"summary" : true,
"throttle" : "10m",
"notify_when" : "onActiveAlert"
},
"group" : "default"
} ]
}
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
200
Indicates a successful call. rule_response_properties
401
Authorization information is missing or invalid. 401_response
404
Object is not found. 404_response
get /s/{spaceId}/api/alerting/rule_types
Retrieves a list of rule types. (getRuleTypes)
If you have read privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, and Security features. To get rule types associated with the Stack Monitoring feature, use the monitoring_user built-in role.
Path parameters
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Return type
Example data
Content-Type: application/json
{
"recovery_action_group" : {
"name" : "name",
"id" : "id"
},
"does_set_recovery_context" : true,
"is_exportable" : true,
"authorized_consumers" : {
"alerts" : {
"all" : true,
"read" : true
},
"discover" : {
"all" : true,
"read" : true
},
"stackAlerts" : {
"all" : true,
"read" : true
},
"infrastructure" : {
"all" : true,
"read" : true
},
"siem" : {
"all" : true,
"read" : true
},
"monitoring" : {
"all" : true,
"read" : true
},
"logs" : {
"all" : true,
"read" : true
},
"apm" : {
"all" : true,
"read" : true
},
"ml" : {
"all" : true,
"read" : true
},
"uptime" : {
"all" : true,
"read" : true
}
},
"action_groups" : [ {
"name" : "name",
"id" : "id"
}, {
"name" : "name",
"id" : "id"
} ],
"minimum_license_required" : "basic",
"action_variables" : {
"context" : [ {
"name" : "name",
"description" : "description",
"useWithTripleBracesInTemplates" : true
}, {
"name" : "name",
"description" : "description",
"useWithTripleBracesInTemplates" : true
} ],
"state" : [ {
"name" : "name",
"description" : "description"
}, {
"name" : "name",
"description" : "description"
} ],
"params" : [ {
"name" : "name",
"description" : "description"
}, {
"name" : "name",
"description" : "description"
} ]
},
"rule_task_timeout" : "5m",
"name" : "name",
"enabled_in_license" : true,
"producer" : "stackAlerts",
"id" : "id",
"default_action_group_id" : "default_action_group_id"
}
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
200
Indicates a successful call.
401
Authorization information is missing or invalid. 401_response
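The response above is also a cheap least-privilege check: the rule types endpoint only returns what the caller is authorised for, and `authorized_consumers` says, per Kibana feature, whether that identity holds `all` (create, update, delete, mute) or just `read`. Calling it with a service account's API key therefore shows exactly what that key could change. The following script is an added example, not Kibana's own code: `fetch_rule_types` (network, not executed here) assumes ApiKey authentication, `SAMPLE_RULE_TYPES` is a constructed payload in the shape of the example response, and the consumer sets in it are illustrative, not Kibana's real defaults.

```python
"""Least-privilege check for a Kibana API key via GET /api/alerting/rule_types.

Added example, not Kibana's code. SAMPLE_RULE_TYPES is constructed.
"""
import json
import urllib.request
from typing import Dict, Iterable, List


def fetch_rule_types(base_url: str, api_key: str, space_id: str = "") -> List[dict]:
    """GET the rule types visible to the caller (network call, not run in the demo)."""
    prefix = f"/s/{space_id}" if space_id else ""  # no /s/ prefix => default space
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}{prefix}/api/alerting/rule_types",
        headers={"Authorization": f"ApiKey {api_key}", "kbn-xsrf": "true"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS is verified by default
        return json.load(resp)


def classify_consumers(rule_type: dict) -> Dict[str, List[str]]:
    """Split one rule type's authorized_consumers into manage (all) vs read-only."""
    out: Dict[str, List[str]] = {"manage": [], "read_only": []}
    for consumer, privs in sorted(rule_type.get("authorized_consumers", {}).items()):
        if privs.get("all"):
            out["manage"].append(consumer)
        elif privs.get("read"):
            out["read_only"].append(consumer)
    return out


def audit(rule_types: Iterable[dict]) -> Dict[str, Dict[str, List[str]]]:
    """rule type id -> {manage, read_only}; rule types the licence disables are skipped."""
    return {
        rt["id"]: classify_consumers(rt)
        for rt in rule_types
        if rt.get("enabled_in_license", True)
    }


def unexpected_manage(report: Dict[str, Dict[str, List[str]]],
                      allowed: Iterable[str]) -> Dict[str, List[str]]:
    """Rule types the key can manage through a consumer outside the allow-list."""
    allowed = set(allowed)
    found: Dict[str, List[str]] = {}
    for rule_type_id, privs in report.items():
        extra = [c for c in privs["manage"] if c not in allowed]
        if extra:
            found[rule_type_id] = extra
    return found


# Constructed sample in the shape of the example response; consumer sets are illustrative.
SAMPLE_RULE_TYPES = [
    {
        "id": ".index-threshold",
        "name": "Index threshold",
        "producer": "stackAlerts",
        "enabled_in_license": True,
        "authorized_consumers": {
            "alerts": {"all": True, "read": True},
            "stackAlerts": {"all": True, "read": True},
            "siem": {"all": False, "read": True},
        },
    },
    {
        "id": "monitoring_alert_cluster_health",
        "name": "Cluster health",
        "producer": "monitoring",
        "enabled_in_license": True,
        "authorized_consumers": {"monitoring": {"all": False, "read": True}},
    },
    {
        "id": "hypothetical.platinum_only",  # hypothetical id, disabled by the licence
        "name": "Hypothetical",
        "producer": "stackAlerts",
        "enabled_in_license": False,
        "authorized_consumers": {"alerts": {"all": True, "read": True}},
    },
]

if __name__ == "__main__":
    report = audit(SAMPLE_RULE_TYPES)
    print(json.dumps(report, indent=2))
    # A key meant only for Security rules should manage nothing outside "siem":
    print("over-privileged:", unexpected_manage(report, allowed={"siem"}))
```

Run it with the key under review instead of the sample (`audit(fetch_rule_types(url, key))`) and treat any entry returned by `unexpected_manage` as a privilege to remove from the role behind that key.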
Up
post /s/{spaceId}/api/alerts/alert/{alertId}
Create an alert. (legacyCreateAlert)
Deprecated in 7.13.0. Use the create rule API instead.
Path parameters
alertId (required)
Path Parameter — A UUID v1 or v4 identifier for the alert. If this parameter is omitted, the identifier is randomly generated. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Consumes
This API call consumes the following media types via the Content-Type request header: application/json
Request body
Legacy_create_alert_request_properties Legacy_create_alert_request_properties (required)
Body Parameter —
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Return type
Example data
Content-Type: application/json
{
"alertTypeId" : ".index-threshold",
"throttle" : "throttle",
"updatedBy" : "elastic",
"executionStatus" : {
"lastExecutionDate" : "2022-12-06T00:13:43.89Z",
"status" : "ok"
},
"params" : {
"key" : ""
},
"enabled" : true,
"mutedInstanceIds" : [ "mutedInstanceIds", "mutedInstanceIds" ],
"tags" : [ "tags", "tags" ],
"createdAt" : "2022-12-05T23:36:58.284Z",
"schedule" : {
"interval" : "interval"
},
"notifyWhen" : "onActionGroupChange",
"createdBy" : "elastic",
"muteAll" : false,
"name" : "my alert",
"scheduledTaskId" : "b530fed0-74f5-11ed-9801-35303b735aef",
"id" : "b530fed0-74f5-11ed-9801-35303b735aef",
"actions" : [ "{}", "{}" ],
"apiKeyOwner" : "elastic",
"updatedAt" : "2022-12-05T23:36:58.284Z"
}
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
200
Indicates a successful call. alert_response_properties
401
Authorization information is missing or invalid. 401_response
Up
post /s/{spaceId}/api/alerts/alert/{alertId}/_disable
Disables an alert. (legacyDisableAlert)
Deprecated in 7.13.0. Use the disable rule API instead.
Path parameters
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
Path Parameter — The identifier for the alert. default: null
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
204
Indicates a successful call.
401
Authorization information is missing or invalid. 401_response
Up
post /s/{spaceId}/api/alerts/alert/{alertId}/_enable
Enables an alert. (legacyEnableAlert)
Deprecated in 7.13.0. Use the enable rule API instead.
Path parameters
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
Path Parameter — The identifier for the alert. default: null
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
204
Indicates a successful call.
401
Authorization information is missing or invalid. 401_response
Up
get /s/{spaceId}/api/alerts/alerts/_find
Retrieves a paginated set of alerts. (legacyFindAlerts)
Deprecated in 7.13.0. Use the find rules API instead. NOTE: Alert params are stored as a flattened field type and analyzed as keywords. As alerts change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data.
Path parameters
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Query parameters
default_search_operator (optional)
Query Parameter — The default operator to use for the simple_query_string. default: OR
fields (optional)
Query Parameter — The fields to return in the attributes key of the response. default: null
filter (optional)
Query Parameter — A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle". However, if you used a direct attribute of a saved object, such as updatedAt, you must define your filter, for example, savedObjectType.updatedAt > 2018-12-22. default: null
has_reference (optional)
Query Parameter — Filters the alerts that have a relation with the reference objects with a specific type and identifier. default: null
page (optional)
Query Parameter — The page number to return. default: 1
per_page (optional)
Query Parameter — The number of alerts to return per page. default: 20
search (optional)
Query Parameter — An Elasticsearch simple_query_string query that filters the alerts in the response. default: null
search_fields (optional)
Query Parameter — The fields to perform the simple_query_string parsed query against. default: null
sort_field (optional)
Query Parameter — Determines which field is used to sort the results. The field must exist in the attributes key of the response. default: null
sort_order (optional)
Query Parameter — Determines the sort order. default: desc
Return type
Example data
Content-Type: application/json
{
"total" : 1,
"perPage" : 6,
"data" : [ {
"alertTypeId" : ".index-threshold",
"throttle" : "throttle",
"updatedBy" : "elastic",
"executionStatus" : {
"lastExecutionDate" : "2022-12-06T00:13:43.89Z",
"status" : "ok"
},
"params" : {
"key" : ""
},
"enabled" : true,
"mutedInstanceIds" : [ "mutedInstanceIds", "mutedInstanceIds" ],
"tags" : [ "tags", "tags" ],
"createdAt" : "2022-12-05T23:36:58.284Z",
"schedule" : {
"interval" : "interval"
},
"notifyWhen" : "onActionGroupChange",
"createdBy" : "elastic",
"muteAll" : false,
"name" : "my alert",
"scheduledTaskId" : "b530fed0-74f5-11ed-9801-35303b735aef",
"id" : "b530fed0-74f5-11ed-9801-35303b735aef",
"actions" : [ "{}", "{}" ],
"apiKeyOwner" : "elastic",
"updatedAt" : "2022-12-05T23:36:58.284Z"
}, {
"alertTypeId" : ".index-threshold",
"throttle" : "throttle",
"updatedBy" : "elastic",
"executionStatus" : {
"lastExecutionDate" : "2022-12-06T00:13:43.89Z",
"status" : "ok"
},
"params" : {
"key" : ""
},
"enabled" : true,
"mutedInstanceIds" : [ "mutedInstanceIds", "mutedInstanceIds" ],
"tags" : [ "tags", "tags" ],
"createdAt" : "2022-12-05T23:36:58.284Z",
"schedule" : {
"interval" : "interval"
},
"notifyWhen" : "onActionGroupChange",
"createdBy" : "elastic",
"muteAll" : false,
"name" : "my alert",
"scheduledTaskId" : "b530fed0-74f5-11ed-9801-35303b735aef",
"id" : "b530fed0-74f5-11ed-9801-35303b735aef",
"actions" : [ "{}", "{}" ],
"apiKeyOwner" : "elastic",
"updatedAt" : "2022-12-05T23:36:58.284Z"
} ],
"page" : 0
}
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
200
Indicates a successful call. legacyFindAlerts_200_response
401
Authorization information is missing or invalid. 401_response
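Because the result set shifts while you page through it, a naive loop over `page` can report the same alert twice or skip one. The iterator below, an added example rather than Kibana's own code, pages by `page`/`per_page`, stops at `total`, de-duplicates on `id`, caps the number of pages (the note above advises against using find for bulk export), and then flags alerts that are disabled or fully muted, which is a quick detection-gap check. The page fetcher is injected: `kibana_fetcher` (not executed here) performs the real request with ApiKey authentication, while `SAMPLE_PAGES` is a constructed two-page result in which one alert appears on both pages, as happens when an alert is created between requests. The KQL filter in the usage comment assumes the legacy saved-object type is `alert`.

```python
"""Walk paginated GET /api/alerts/alerts/_find results and flag silenced alerts.

Added example, not Kibana's code. SAMPLE_PAGES is constructed.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List

Page = Dict  # {"page": n, "perPage": m, "total": t, "data": [alert, ...]}
Fetcher = Callable[[dict], Page]


def kibana_fetcher(base_url: str, api_key: str, space_id: str = "") -> Fetcher:
    """Real page fetcher (network call, not executed in the demo)."""
    prefix = f"/s/{space_id}" if space_id else ""  # no /s/ prefix => default space
    endpoint = f"{base_url.rstrip('/')}{prefix}/api/alerts/alerts/_find"

    def fetch(params: dict) -> Page:
        req = urllib.request.Request(
            endpoint + "?" + urllib.parse.urlencode(params),
            headers={"Authorization": f"ApiKey {api_key}", "kbn-xsrf": "true"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return fetch


def iter_alerts(fetch: Fetcher, filter_kql: str = "", per_page: int = 100,
                sort_field: str = "createdAt", max_pages: int = 500) -> Iterator[dict]:
    """Yield every alert once. `page` is 1-based; `sort_field` must be a
    saved-object attribute (createdAt appears in the response above)."""
    seen = set()
    for page in range(1, max_pages + 1):
        params = {"page": page, "per_page": per_page,
                  "sort_field": sort_field, "sort_order": "asc"}
        if filter_kql:
            params["filter"] = filter_kql
        result = fetch(params)
        data = result.get("data", [])
        for alert in data:
            if alert["id"] in seen:  # page boundary moved; already reported
                continue
            seen.add(alert["id"])
            yield alert
        if not data or page * per_page >= result.get("total", 0):
            return


def silenced(alerts) -> List[str]:
    """Ids of alerts that can never notify anyone: disabled, or muteAll set."""
    return [a["id"] for a in alerts if not a.get("enabled", True) or a.get("muteAll")]


# Constructed pages: "a2" shows up on both pages, as after an insert shifted the boundary.
_A1 = {"id": "a1", "name": "disk usage", "enabled": True, "muteAll": False,
       "createdAt": "2022-12-05T23:36:58.284Z"}
_A2 = {"id": "a2", "name": "failed logins", "enabled": True, "muteAll": True,
       "createdAt": "2022-12-05T23:37:10.000Z"}
_A3 = {"id": "a3", "name": "new admin user", "enabled": False, "muteAll": False,
       "createdAt": "2022-12-05T23:38:00.000Z"}
SAMPLE_PAGES = {
    1: {"page": 1, "perPage": 2, "total": 3, "data": [_A1, _A2]},
    2: {"page": 2, "perPage": 2, "total": 3, "data": [_A2, _A3]},
}


def sample_fetch(params: dict) -> Page:
    """Offline stand-in for kibana_fetcher; ignores everything but `page`."""
    return SAMPLE_PAGES[params["page"]]


if __name__ == "__main__":
    found = list(iter_alerts(sample_fetch, per_page=2))
    print(len(found), "alerts; silenced:", silenced(found))
    # Real use (not run): fetch = kibana_fetcher("https://kibana.example:5601", "<api key>")
    # for a in iter_alerts(fetch, filter_kql='alert.attributes.tags: "prod"'): ...
```

`silenced` is the part worth wiring into a scheduled job: a detection that is disabled or muted looks healthy in every other dashboard, and this endpoint is the cheapest way to enumerate them.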
Up
get /s/{spaceId}/api/alerts/alert/{alertId}
Retrieves an alert by its identifier. (legacyGetAlert)
Deprecated in 7.13.0. Use the get rule API instead.
Path parameters
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
Path Parameter — The identifier for the alert. default: null
Return type
Example data
Content-Type: application/json
{
"alertTypeId" : ".index-threshold",
"throttle" : "throttle",
"updatedBy" : "elastic",
"executionStatus" : {
"lastExecutionDate" : "2022-12-06T00:13:43.89Z",
"status" : "ok"
},
"params" : {
"key" : ""
},
"enabled" : true,
"mutedInstanceIds" : [ "mutedInstanceIds", "mutedInstanceIds" ],
"tags" : [ "tags", "tags" ],
"createdAt" : "2022-12-05T23:36:58.284Z",
"schedule" : {
"interval" : "interval"
},
"notifyWhen" : "onActionGroupChange",
"createdBy" : "elastic",
"muteAll" : false,
"name" : "my alert",
"scheduledTaskId" : "b530fed0-74f5-11ed-9801-35303b735aef",
"id" : "b530fed0-74f5-11ed-9801-35303b735aef",
"actions" : [ "{}", "{}" ],
"apiKeyOwner" : "elastic",
"updatedAt" : "2022-12-05T23:36:58.284Z"
}
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
200
Indicates a successful call. alert_response_properties
401
Authorization information is missing or invalid. 401_response
Up
get /s/{spaceId}/api/alerts/alerts/list_alert_types
Retrieves a list of alert types. (legacyGetAlertTypes)
Deprecated in 7.13.0. Use the get rule types API instead.
Path parameters
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Return type
Example data
Content-Type: application/json
{
"defaultActionGroupId" : "defaultActionGroupId",
"isExportable" : true,
"actionVariables" : {
"context" : [ {
"name" : "name",
"description" : "description"
}, {
"name" : "name",
"description" : "description"
} ],
"state" : [ {
"name" : "name",
"description" : "description"
}, {
"name" : "name",
"description" : "description"
} ],
"params" : [ {
"name" : "name",
"description" : "description"
}, {
"name" : "name",
"description" : "description"
} ]
},
"actionGroups" : [ {
"name" : "name",
"id" : "id"
}, {
"name" : "name",
"id" : "id"
} ],
"name" : "name",
"producer" : "producer",
"authorizedConsumers" : "{}",
"recoveryActionGroup" : {
"name" : "name",
"id" : "id"
},
"enabledInLicense" : true,
"id" : "id",
"minimumLicenseRequired" : "minimumLicenseRequired"
}
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
200
Indicates a successful call.
401
Authorization information is missing or invalid. 401_response
Up
get /s/{spaceId}/api/alerts/alerts/_health
Retrieves the health status of the alerting framework. (legacyGetAlertingHealth)
Deprecated in 7.13.0. Use the get alerting framework health API instead.
Path parameters
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Return type
Example data
Content-Type: application/json
{
"hasPermanentEncryptionKey" : true,
"alertingFrameworkHealth" : {
"executionHealth" : {
"status" : "ok",
"timestamp" : "2023-01-13T01:28:00.28Z"
},
"decryptionHealth" : {
"status" : "ok",
"timestamp" : "2023-01-13T01:28:00.28Z"
},
"readHealth" : {
"status" : "ok",
"timestamp" : "2023-01-13T01:28:00.28Z"
}
},
"isSufficientlySecure" : true
}
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
200
Indicates a successful call. legacyGetAlertingHealth_200_response
401
Authorization information is missing or invalid. 401_response
Up
post /s/{spaceId}/api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_mute
Mutes an alert instance. (legacyMuteAlertInstance)
Deprecated in 7.13.0. Use the mute alert API instead.
Path parameters
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
Path Parameter — An identifier for the alert. default: null
alertInstanceId (required)
Path Parameter — An identifier for the alert instance. default: null
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
204
Indicates a successful call.
401
Authorization information is missing or invalid. 401_response
Up
post /s/{spaceId}/api/alerts/alert/{alertId}/_mute_all
Mutes all alert instances. (legacyMuteAllAlertInstances)
Deprecated in 7.13.0. Use the mute all alerts API instead.
Path parameters
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
Path Parameter — The identifier for the alert. default: null
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
204
Indicates a successful call.
401
Authorization information is missing or invalid. 401_response
Up
post /s/{spaceId}/api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_unmute
Unmutes an alert instance. (legacyUnmuteAlertInstance)
Deprecated in 7.13.0. Use the unmute alert API instead.
Path parameters
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
Path Parameter — An identifier for the alert. default: null
alertInstanceId (required)
Path Parameter — An identifier for the alert instance. default: null
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
204
Indicates a successful call.
401
Authorization information is missing or invalid. 401_response
Up
post /s/{spaceId}/api/alerts/alert/{alertId}/_unmute_all
Unmutes all alert instances. (legacyUnmuteAllAlertInstances)
Deprecated in 7.13.0. Use the unmute all alerts API instead.
Path parameters
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
Path Parameter — The identifier for the alert. default: null
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
204
Indicates a successful call.
401
Authorization information is missing or invalid. 401_response
Up
put /s/{spaceId}/api/alerts/alert/{alertId}
Updates the attributes for an alert. (legacyUpdateAlert)
Deprecated in 7.13.0. Use the update rule API instead.
Path parameters
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
Path Parameter — The identifier for the alert. default: null
Consumes
This API call consumes the following media types via the Content-Type request header: application/json
Request body
Legacy_update_alert_request_properties Legacy_update_alert_request_properties (required)
Body Parameter —
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Return type
Example data
Content-Type: application/json
{
"alertTypeId" : ".index-threshold",
"throttle" : "throttle",
"updatedBy" : "elastic",
"executionStatus" : {
"lastExecutionDate" : "2022-12-06T00:13:43.89Z",
"status" : "ok"
},
"params" : {
"key" : ""
},
"enabled" : true,
"mutedInstanceIds" : [ "mutedInstanceIds", "mutedInstanceIds" ],
"tags" : [ "tags", "tags" ],
"createdAt" : "2022-12-05T23:36:58.284Z",
"schedule" : {
"interval" : "interval"
},
"notifyWhen" : "onActionGroupChange",
"createdBy" : "elastic",
"muteAll" : false,
"name" : "my alert",
"scheduledTaskId" : "b530fed0-74f5-11ed-9801-35303b735aef",
"id" : "b530fed0-74f5-11ed-9801-35303b735aef",
"actions" : [ "{}", "{}" ],
"apiKeyOwner" : "elastic",
"updatedAt" : "2022-12-05T23:36:58.284Z"
}
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
200
Indicates a successful call. alert_response_properties
401
Authorization information is missing or invalid. 401_response
Up
delete /s/{spaceId}/api/alerts/alert/{alertId}
Permanently removes an alert. (legaryDeleteAlert)
Deprecated in 7.13.0. Use the delete rule API instead. WARNING: After you delete an alert, you cannot recover it.
Path parameters
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
Path Parameter — The identifier for the alert. default: null
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
204
Indicates a successful call.
401
Authorization information is missing or invalid. 401_response
Up
post /s/{spaceId}/api/alerting/rule/{ruleId}/alert/{alertId}/_mute
Mutes an alert. (muteAlert)
You must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature.
Path parameters
alertId (required)
Path Parameter — An identifier for the alert. The identifier is generated by the rule and might be any arbitrary string. default: null
ruleId (required)
Path Parameter — An identifier for the rule. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
204
Indicates a successful call.
401
Authorization information is missing or invalid. 401_response
Up
post /s/{spaceId}/api/alerting/rule/{ruleId}/_mute_all
Mutes all alerts. (muteAllAlerts)
This API snoozes the notifications for the rule indefinitely. The rule checks continue to occur but alerts will not trigger any actions. You must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature.
Path parameters
ruleId (required)
Path Parameter — An identifier for the rule. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
204
Indicates a successful call.
401
Authorization information is missing or invalid. 401_response
Up
post /s/{spaceId}/api/alerting/rule/{ruleId}/alert/{alertId}/_unmute
Unmutes an alert. (unmuteAlert)
You must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature.
Path parameters
alertId (required)
Path Parameter — An identifier for the alert. The identifier is generated by the rule and might be any arbitrary string. default: null
ruleId (required)
Path Parameter — An identifier for the rule. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
204
Indicates a successful call.
401
Authorization information is missing or invalid. 401_response
Up
post /s/{spaceId}/api/alerting/rule/{ruleId}/_unmute_all
Unmutes all alerts. (unmuteAllAlerts)
If the rule has its notifications snoozed indefinitely, this API cancels the snooze. You must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature.
Path parameters
ruleId (required)
Path Parameter — An identifier for the rule. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
204
Indicates a successful call.
401
Authorization information is missing or invalid. 401_response
Up
put /s/{spaceId}/api/alerting/rule/{ruleId}
Updates the attributes for a rule. (updateRule)
To update a rule, you must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule you're updating. For example, you must have privileges for the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature.
This API supports both key- and token-based authentication. To use key-based authentication, create an API key in Kibana and use it in the header of the API call. To use token-based authentication, provide a username and password; an API key that matches the current privileges of the user is created automatically. In both cases, the API key is subsequently used for authorization when the rule runs.
NOTE: If the API key has different privileges than the key that created or most recently updated the rule, the rule behavior might change. Though some properties are optional, when you update the rule the existing property values are overwritten with default values. Therefore, it is recommended to explicitly set all property values.
Path parameters
ruleId (required)
Path Parameter — An identifier for the rule. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Consumes
This API call consumes the following media types via the Content-Type request header: application/json
Request body
update_rule_request update_rule_request (required)
Body Parameter —
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Return type
Example data
Content-Type: application/json
{
"throttle" : "10m",
"created_at" : "2022-12-05T23:36:58.284Z",
"api_key_created_by_user" : false,
"enabled" : true,
"running" : true,
"notify_when" : "notify_when",
"next_run" : "2022-12-06T00:14:43.818Z",
"updated_at" : "2022-12-05T23:36:58.284Z",
"execution_status" : {
"last_execution_date" : "2022-12-06T00:13:43.89Z",
"last_duration" : 55,
"status" : "ok"
},
"scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
"id" : "b530fed0-74f5-11ed-9801-35303b735aef",
"consumer" : "alerts",
"last_run" : {
"alerts_count" : {
"ignored" : 6,
"new" : 1,
"recovered" : 5,
"active" : 0
},
"outcome_msg" : [ "outcome_msg", "outcome_msg" ],
"outcome_order" : 5,
"warning" : "warning",
"outcome" : "succeeded"
},
"params" : {
"key" : ""
},
"created_by" : "elastic",
"muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
"rule_type_id" : "monitoring_alert_cluster_health",
"revision" : 2,
"tags" : [ "tags", "tags" ],
"api_key_owner" : "elastic",
"schedule" : {
"interval" : "1m"
},
"name" : "cluster_health_rule",
"updated_by" : "elastic",
"mute_all" : false,
"actions" : [ {
"alerts_filter" : {
"timeframe" : {
"hours" : {
"start" : "08:00",
"end" : "17:00"
},
"timezone" : "Europe/Madrid",
"days" : [ 1, 2, 3, 4, 5 ]
},
"query" : {
"kql" : "kql",
"filters" : [ {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
}, {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
} ]
}
},
"id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
"params" : {
"key" : ""
},
"uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"connector_type_id" : ".server-log",
"frequency" : {
"summary" : true,
"throttle" : "10m",
"notify_when" : "onActiveAlert"
},
"group" : "default"
}, {
"alerts_filter" : {
"timeframe" : {
"hours" : {
"start" : "08:00",
"end" : "17:00"
},
"timezone" : "Europe/Madrid",
"days" : [ 1, 2, 3, 4, 5 ]
},
"query" : {
"kql" : "kql",
"filters" : [ {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
}, {
"$state" : "{}",
"meta" : {
"field" : "field",
"controlledBy" : "controlledBy",
"negate" : true,
"alias" : "alias",
"index" : "index",
"disabled" : true,
"params" : "{}",
"type" : "type",
"value" : "value",
"isMultiIndex" : true,
"key" : "key",
"group" : "group"
},
"query" : "{}"
} ]
}
},
"id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
"params" : {
"key" : ""
},
"uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"connector_type_id" : ".server-log",
"frequency" : {
"summary" : true,
"throttle" : "10m",
"notify_when" : "onActiveAlert"
},
"group" : "default"
} ]
}
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
200
Indicates a successful call. rule_response_properties
401
Authorization information is missing or invalid. 401_response
404
Object is not found. 404_response
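Two properties of this endpoint bite in practice: optional properties you leave out of the PUT body are reset to defaults, and the rule's execution API key is regenerated with the privileges of whoever sends the request. The safe pattern is therefore read-modify-write from the right identity: GET the rule, carry every current value into the update body, change only what you intend, and PUT the whole thing using a key whose privileges are exactly what the rule should run with. The script below is an added example, not Kibana's own code. It assumes the update body fields are name, tags, schedule, params, actions, throttle and notify_when (per update_rule_request), that each action carries group, id, params, frequency, alerts_filter and uuid, and that response-only fields such as connector_type_id, revision and enabled must be dropped; it also assumes Kibana rejects rule-level throttle/notify_when combined with per-action frequency, so it copies the rule-level values only when no action has its own. `SAMPLE_RULE` is constructed from the example response above.

```python
"""Read-modify-write for PUT /api/alerting/rule/{ruleId}.

Added example, not Kibana's code. SAMPLE_RULE is constructed.
"""
import copy
import json
import urllib.request

RULE_FIELDS = ("name", "tags", "schedule", "params")
NOTIFY_FIELDS = ("throttle", "notify_when")  # rule-level; superseded by action frequency
ACTION_FIELDS = ("group", "id", "params", "frequency", "alerts_filter", "uuid")


def build_update_body(rule: dict, changes: dict) -> dict:
    """Complete update body from a rule_response_properties object plus `changes`.

    Unknown keys in `changes` raise, so a typo cannot silently fall back to a
    default. Rule-level throttle/notify_when are copied only when no action
    defines its own frequency (assumption: Kibana rejects the combination).
    """
    allowed = set(RULE_FIELDS) | set(NOTIFY_FIELDS) | {"actions"}
    unknown = set(changes) - allowed
    if unknown:
        raise ValueError(f"not settable through PUT: {sorted(unknown)}")

    body = {k: copy.deepcopy(rule[k]) for k in RULE_FIELDS if k in rule}
    body["actions"] = [  # drop response-only keys such as connector_type_id
        {k: copy.deepcopy(a[k]) for k in ACTION_FIELDS if k in a}
        for a in rule.get("actions", [])
    ]
    if not any("frequency" in a for a in body["actions"]):
        body.update({k: copy.deepcopy(rule[k]) for k in NOTIFY_FIELDS
                     if rule.get(k) is not None})
    body.update(copy.deepcopy(changes))
    return body


def _request(method: str, url: str, api_key: str, payload: dict = None) -> dict:
    """Single JSON call with ApiKey auth (network, not executed in the demo)."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"ApiKey {api_key}",
        "kbn-xsrf": "true",  # required on every mutating call
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def update_rule(base_url: str, api_key: str, rule_id: str, changes: dict,
                space_id: str = "") -> dict:
    """GET then PUT. The key used here becomes the rule's execution key."""
    prefix = f"/s/{space_id}" if space_id else ""
    url = f"{base_url.rstrip('/')}{prefix}/api/alerting/rule/{rule_id}"
    current = _request("GET", url, api_key)
    return _request("PUT", url, api_key, build_update_body(current, changes))


# Constructed from the example response above (response-only fields included on purpose).
SAMPLE_RULE = {
    "id": "b530fed0-74f5-11ed-9801-35303b735aef",
    "name": "cluster_health_rule",
    "rule_type_id": "monitoring_alert_cluster_health",
    "consumer": "alerts",
    "enabled": True,
    "revision": 2,
    "tags": ["tags"],
    "schedule": {"interval": "1m"},
    "params": {"key": ""},
    "throttle": "10m",
    "notify_when": "onActiveAlert",
    "api_key_owner": "elastic",
    "actions": [{
        "id": "9dca3e00-74f5-11ed-9801-35303b735aef",
        "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
        "connector_type_id": ".server-log",
        "group": "default",
        "params": {"key": ""},
        "frequency": {"summary": True, "throttle": "10m", "notify_when": "onActiveAlert"},
    }],
}

if __name__ == "__main__":
    print(json.dumps(build_update_body(SAMPLE_RULE, {"tags": ["prod", "reviewed"]}), indent=2))
```

Because the PUT re-keys the rule, run `update_rule` from the service identity the rule is supposed to execute as, not from an administrator's shell; otherwise the rule silently inherits the administrator's privileges until the next update or `_update_api_key` call.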
Up
post /s/{spaceId}/api/alerting/rule/{ruleId}/_update_api_key
Updates the API key for a rule. (updateRuleAPIKey)
The new API key has the credentials of the user that submits the request.
Path parameters
ruleId (required)
Path Parameter — An identifier for the rule. default: null
spaceId (required)
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
Request headers
kbn-xsrf (required)
Header Parameter — Cross-site request forgery protection default: null
Produces
This API call produces the following media types according to the Accept request header; the media type will be conveyed by the Content-Type response header: application/json
Responses
200
Indicates a successful call.
400
Bad request 400_response
Models
[ Jump to Methods ]Table of Contents
400_response
- Bad request
401_response
- Unsuccessful rule API response
404_response
Count
- Count
Count_count
Count_criteria
Count_logView
Legacy_create_alert_request_properties
- Legacy create alert request properties
Legacy_create_alert_request_properties_schedule
Legacy_update_alert_request_properties
- Legacy update alert request properties
Legacy_update_alert_request_properties_actions_inner
Legacy_update_alert_request_properties_schedule
Ratio
- Ratio
actions_inner
actions_inner_alerts_filter
actions_inner_alerts_filter_query
actions_inner_alerts_filter_timeframe
actions_inner_alerts_filter_timeframe_hours
actions_inner_frequency
aggtype
alert_response_properties
- Legacy alert response properties
alert_response_properties_executionStatus
alert_response_properties_schedule
count_criterion
- count criterion
create_anomaly_detection_alert_rule_request
- Create anomaly detection rule request
create_anomaly_detection_jobs_health_rule_request
- Create anomaly detection jobs health rule request
create_apm_anomaly_rule_request
- Create APM anomaly rule request
create_apm_error_count_rule_request
- Create APM error count rule request
create_apm_transaction_duration_rule_request
- Create latency threshold rule request
create_apm_transaction_error_rate_rule_request
- Create APM transaction error rate rule request
create_es_query_rule_request
- Create Elasticsearch query rule request
create_geo_containment_rule_request
- Create tracking containment rule request
create_index_threshold_rule_request
- Create index threshold rule request
create_infra_inventory_rule_request
- Create infra inventory rule request
create_infra_metric_anomaly_rule_request
- Create infrastructure anomaly rule request
create_infra_metric_threshold_rule_request
- Create infra metric threshold rule request
create_log_threshold_rule_request
- Create log threshold rule request
create_monitoring_ccr_exceptions_rule_request
- Create CCR read exceptions rule request
create_monitoring_cluster_health_rule_request
- Create cluster health rule request
create_monitoring_cpu_usage_rule_request
- Create CPU usage rule request
create_monitoring_disk_usage_rule_request
- Create disk usage rule request
create_monitoring_elasticsearch_version_mismatch_rule_request
- Create Elasticsearch version mismatch rule request
create_monitoring_jvm_memory_usage_rule_request
- Create JVM memory usage rule request
create_monitoring_kibana_version_mismatch_rule_request
- Create Kibana version mismatch rule request
create_monitoring_license_expiration_rule_request
- Create license expiration rule request
create_monitoring_logstash_version_mismatch_rule_request
- Create Logstash version mismatch rule request
create_monitoring_missing_data_rule_request
- Create missing monitoring data rule request
create_monitoring_nodes_changed_rule_request
- Create nodes changed rule request
create_monitoring_shard_size_rule_request
- Create shard size rule request
create_monitoring_thread_pool_search_rejections_rule_request
- Create thread pool search rejections rule request
create_monitoring_thread_pool_write_rejections_rule_request
- Create thread pool write rejections rule request
create_rule_request
- Create rule request body properties
create_siem_eql_rule_request
- Create event correlation rule request
create_siem_indicator_rule_request
- Create indicator match rule request
create_siem_ml_rule_request
- Create machine learning rule request
create_siem_new_terms_rule_request
- Create new terms rule request
create_siem_notifications_rule_request
- Create security solution notification (legacy) rule request
create_siem_query_rule_request
- Create custom query rule request
create_siem_saved_query_rule_request
- Create saved query rule request
create_siem_threshold_rule_request
- Create threshold rule request
create_slo_burn_rate_rule_request
- Create SLO burn rate rule request
create_synthetics_monitor_status_rule_request
- Create synthetics monitor status rule request
create_synthetics_uptime_duration_anomaly_rule_request
- Create synthetics uptime duration anomaly rule request
create_synthetics_uptime_tls_certificate_rule_request
- Create TLS certificate rule request
create_synthetics_uptime_tls_rule_request
- Create synthetics uptime TLS rule request
create_transform_health_rule_request
- Create transform health rule request
create_uptime_monitor_status_rule_request
- Create uptime monitor status rule request
custom_criterion
- custom criterion
custom_criterion_customMetric_inner
custom_criterion_customMetric_inner_oneOf
custom_criterion_customMetric_inner_oneOf_1
filter
filter_meta
findRules_200_response
findRules_has_reference_parameter
findRules_search_fields_parameter
-getAlertingHealth_200_response
-getAlertingHealth_200_response_alerting_framework_health
-getAlertingHealth_200_response_alerting_framework_health_decryption_health
-getAlertingHealth_200_response_alerting_framework_health_execution_health
-getAlertingHealth_200_response_alerting_framework_health_read_health
-getRuleTypes_200_response_inner
-getRuleTypes_200_response_inner_action_groups_inner
-getRuleTypes_200_response_inner_action_variables
-getRuleTypes_200_response_inner_action_variables_context_inner
-getRuleTypes_200_response_inner_action_variables_params_inner
-getRuleTypes_200_response_inner_authorized_consumers
-getRuleTypes_200_response_inner_authorized_consumers_alerts
-getRuleTypes_200_response_inner_recovery_action_group
-groupby
-legacyFindAlerts_200_response
-legacyGetAlertTypes_200_response_inner
-legacyGetAlertTypes_200_response_inner_actionVariables
-legacyGetAlertTypes_200_response_inner_actionVariables_context_inner
-legacyGetAlertTypes_200_response_inner_recoveryActionGroup
-legacyGetAlertingHealth_200_response
-legacyGetAlertingHealth_200_response_alertingFrameworkHealth
-legacyGetAlertingHealth_200_response_alertingFrameworkHealth_decryptionHealth
-legacyGetAlertingHealth_200_response_alertingFrameworkHealth_executionHealth
-legacyGetAlertingHealth_200_response_alertingFrameworkHealth_readHealth
-non_count_criterion
- non count criterionnotify_when
-params_es_query_rule
-params_es_query_rule_oneOf
-params_es_query_rule_oneOf_1
-params_es_query_rule_oneOf_searchConfiguration
-params_es_query_rule_oneOf_searchConfiguration_query
-params_index_threshold_rule
-params_property_apm_anomaly
-params_property_apm_error_count
-params_property_apm_transaction_duration
-params_property_apm_transaction_error_rate
-params_property_infra_inventory
-params_property_infra_inventory_criteria_inner
-params_property_infra_inventory_criteria_inner_customMetric
-params_property_infra_metric_threshold
-params_property_infra_metric_threshold_criteria_inner
-params_property_log_threshold
-params_property_slo_burn_rate
-params_property_slo_burn_rate_longWindow
-params_property_slo_burn_rate_shortWindow
-params_property_synthetics_monitor_status
-params_property_synthetics_monitor_status_availability
-params_property_synthetics_monitor_status_filters
-params_property_synthetics_monitor_status_filters_oneOf
-params_property_synthetics_monitor_status_timerange
-params_property_synthetics_uptime_tls
-rule_response_properties
- Rule response propertiesrule_response_properties_execution_status
-rule_response_properties_last_run
-rule_response_properties_last_run_alerts_count
-schedule
-thresholdcomparator
-timewindowunit
-update_rule_request
- Update rule request
Count
- Count
criteria (optional)
count
timeSize
timeUnit
Enum:
s
m
h
d
logView
groupBy (optional)
Count_count
comparator (optional)
Enum:
more than
more than or equals
less than
less than or equals
equals
does not equal
matches
does not match
matches phrase
does not match phrase
value (optional)
Legacy_create_alert_request_properties
- Legacy create alert request properties
actions (optional)
alertTypeId
String The ID of the alert type that you want to call when the alert is scheduled to run.
consumer
String The name of the application that owns the alert. This name has to match the Kibana feature name, as that dictates the required role-based access control privileges.
enabled (optional)
Boolean Indicates if you want to run the alert on an interval basis after it is created.
name
String A name to reference and search.
notifyWhen
String The condition for throttling the notification.
Enum:
onActionGroupChange
onActiveAlert
onThrottleInterval
params
Object The parameters to pass to the alert type executor params value. This will also validate against the alert type params validator, if defined.
schedule
tags (optional)
array[String] A list of keywords to reference and search.
throttle (optional)
String How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of 10m or 1h will prevent it from sending 90 notifications during this period.
Legacy_create_alert_request_properties_schedule
The schedule specifying when this alert should be run. A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.
interval (optional)
String The interval format specifies the interval in seconds, minutes, hours or days at which the alert should execute.
Legacy_update_alert_request_properties
- Legacy update alert request properties
actions (optional)
name
String A name to reference and search.
notifyWhen
String The condition for throttling the notification.
Enum:
onActionGroupChange
onActiveAlert
onThrottleInterval
params
Object The parameters to pass to the alert type executor params value. This will also validate against the alert type params validator, if defined.
schedule
tags (optional)
array[String] A list of keywords to reference and search.
throttle (optional)
String How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of 10m or 1h will prevent it from sending 90 notifications during this period.
Legacy_update_alert_request_properties_actions_inner
actionTypeId
String The identifier for the action type.
group
String Grouping actions is recommended for escalations for different types of alert instances. If you don't need this functionality, set it to default.
id
String The ID of the action saved object to execute.
params
Object The map to the params that the action type will receive. params are handled as Mustache templates and passed a default set of context.
Legacy_update_alert_request_properties_schedule
The schedule specifying when this alert should be run. A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.
interval (optional)
String The interval format specifies the interval in seconds, minutes, hours or days at which the alert should execute.
Ratio
- Ratio
criteria (optional)
count
timeSize
timeUnit
Enum:
s
m
h
d
logView
groupBy (optional)
actions_inner
An action that runs under defined conditions.
alerts_filter (optional)
connector_type_id (optional)
String The type of connector. This property appears in responses but cannot be set in requests.
frequency (optional)
group
String The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
id
String The identifier for the connector saved object.
params
map[String, oas_any_type_not_mapped] The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
uuid (optional)
String A universally unique identifier (UUID) for the action.
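The actions_inner object above, together with the frequency and alerts_filter objects documented in the sections that follow, is what a detection-engineering pipeline has to assemble correctly before calling the create-rule endpoint. The following is an added Python example, not Kibana's own code: it builds a constructed .es-query rule request with one action and validates it against the constraints stated on this page (rule-level notify_when/throttle versus per-action frequency, a throttle applying only with onThrottleInterval, weekday numbers and HH:MM hours in the timeframe, and s/m/h/d interval units). The connector id, index pattern, query, connector params and the params field names are placeholders or assumptions, not values taken from the page.

```python
"""Build and validate a Kibana alerting create-rule request body.

Added example, not Kibana's own code. It assumes the body shape documented on
this page (actions[].group/id/params/frequency/alerts_filter, rule-level
notify_when/throttle, schedule.interval) and checks the stated constraints.
"""
import json
import re
from typing import Any

NOTIFY_WHEN = {"onActionGroupChange", "onActiveAlert", "onThrottleInterval"}
_INTERVAL_RE = re.compile(r"^(\d+)([smhd])$")          # s/m/h/d units as documented
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def interval_seconds(value: str) -> int:
    """Parse an interval such as '10m' or '1h' into seconds; reject anything else."""
    m = _INTERVAL_RE.match(str(value))
    if not m:
        raise ValueError(f"invalid interval {value!r}: expected <number><s|m|h|d>")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def validate_action(action: dict[str, Any], rule_level_frequency: bool) -> list[str]:
    """Return the problems found in one actions[] entry (empty list means OK)."""
    problems = [f"action missing required field {k!r}" for k in ("group", "id", "params") if k not in action]
    freq = action.get("frequency")
    if freq is not None:
        if rule_level_frequency:   # page: not allowed when notify_when/throttle are set on the rule
            problems.append("frequency set on action while notify_when/throttle set at rule level")
        if freq.get("notify_when") not in NOTIFY_WHEN:
            problems.append(f"frequency.notify_when must be one of {sorted(NOTIFY_WHEN)}")
        if "summary" not in freq:
            problems.append("frequency.summary is required")
        if freq.get("throttle") is not None:
            if freq.get("notify_when") != "onThrottleInterval":   # page: throttle applies only then
                problems.append("frequency.throttle only applies when notify_when is onThrottleInterval")
            try:
                interval_seconds(freq["throttle"])
            except ValueError as exc:
                problems.append(f"frequency.throttle: {exc}")
    timeframe = (action.get("alerts_filter") or {}).get("timeframe")
    if timeframe is not None:
        bad_days = [d for d in timeframe.get("days", []) if not (isinstance(d, int) and 1 <= d <= 7)]
        if bad_days:   # page: days are numbers, 1 = Monday
            problems.append(f"timeframe.days contains invalid weekday numbers {bad_days}")
        hours = timeframe.get("hours") or {}
        for bound in ("start", "end"):
            if not re.fullmatch(r"\d{2}:\d{2}", str(hours.get(bound, ""))):
                problems.append(f"timeframe.hours.{bound} must be HH:MM")
    return problems


def validate_rule_request(body: dict[str, Any]) -> list[str]:
    """Check a create-rule body against the constraints documented on this page."""
    required = ("name", "consumer", "rule_type_id", "schedule", "params")
    problems = [f"missing required field {k!r}" for k in required if k not in body]
    if "schedule" in body:
        try:
            interval_seconds((body["schedule"] or {}).get("interval", ""))
        except ValueError as exc:
            problems.append(f"schedule.interval: {exc}")
    if "throttle" in body and body.get("notify_when") != "onThrottleInterval":
        problems.append("rule-level throttle only applies when notify_when is onThrottleInterval")
    rule_level = "notify_when" in body or "throttle" in body
    for action in body.get("actions", []):
        problems.extend(validate_action(action, rule_level))
    return problems


def example_body() -> dict[str, Any]:
    """A constructed .es-query rule with one throttled, business-hours-only action."""
    return {
        "name": "example: failed logins above threshold",   # constructed
        "consumer": "alerts",
        "rule_type_id": ".es-query",
        "schedule": {"interval": "1m"},
        # Rule-type specific; these field names are assumed from params_es_query_rule, not shown here.
        "params": {"index": ["logs-auth-example-*"], "timeField": "@timestamp",   # placeholder index
                   "esQuery": json.dumps({"query": {"match": {"event.outcome": "failure"}}}),
                   "size": 100, "threshold": [50], "thresholdComparator": ">",
                   "timeWindowSize": 5, "timeWindowUnit": "m"},
        "actions": [{
            "group": "default",                             # page: use default when not grouping
            "id": "CONNECTOR-ID-PLACEHOLDER",               # connector saved-object id placeholder
            "params": {"message": "{{rule.name}} fired"},   # connector-specific Mustache params (assumed)
            # Per-action frequency is permitted only because the rule sets no notify_when/throttle.
            "frequency": {"summary": False, "notify_when": "onThrottleInterval", "throttle": "10m"},
            # Run only Monday-Friday, 08:00-18:00, in an ISO time zone as the page recommends.
            "alerts_filter": {"timeframe": {"days": [1, 2, 3, 4, 5], "timezone": "Europe/Berlin",
                                            "hours": {"start": "08:00", "end": "18:00"}}},
        }],
    }


def conflicting_body() -> dict[str, Any]:
    """Same rule, but throttling also set at the rule level, which the page forbids."""
    return {**example_body(), "notify_when": "onThrottleInterval", "throttle": "1h"}
```

A pipeline would send the body only when validate_rule_request returns an empty list; validate_rule_request(conflicting_body()) reports the rule-level versus action-level conflict. The check deliberately treats an action throttle without notify_when set to onThrottleInterval as an error rather than a silent no-op, since the page says the throttle is only applicable in that case and a misconfigured one would otherwise go unnoticed.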
actions_inner_alerts_filter
Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
query (optional)
timeframe (optional)
actions_inner_alerts_filter_query
Defines a query filter that determines whether the action runs.
actions_inner_alerts_filter_timeframe
Defines a period that limits whether the action runs.
days (optional)
array[Integer] Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
hours (optional)
timezone (optional)
String The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
actions_inner_alerts_filter_timeframe_hours
Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions are generated all day.
actions_inner_frequency
The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
notify_when
summary
Boolean Indicates whether the action is a summary.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
alert_response_properties
- Legacy alert response properties
actions (optional)
alertTypeId (optional)
apiKeyOwner (optional)
createdAt (optional)
Date The date and time that the alert was created. format: date-time
createdBy (optional)
String The identifier for the user that created the alert.
enabled (optional)
Boolean Indicates whether the alert is currently enabled.
executionStatus (optional)
id (optional)
String The identifier for the alert.
muteAll (optional)
mutedInstanceIds (optional)
name (optional)
String The name of the alert.
notifyWhen (optional)
params (optional)
schedule (optional)
scheduledTaskId (optional)
tags (optional)
throttle (optional)
updatedAt (optional)
updatedBy (optional)
String The identifier for the user that updated this alert most recently.
alert_response_properties_schedule
interval (optional)
count_criterion
- count criterion
threshold (optional)
comparator (optional)
Enum:
<
<=
>
>=
between
outside
timeUnit (optional)
timeSize (optional)
warningThreshold (optional)
warningComparator (optional)
Enum:
<
<=
>
>=
between
outside
aggType (optional)
Enum:
count
create_anomaly_detection_alert_rule_request
- Create anomaly detection rule request
A rule that checks if the anomaly detection job results contain anomalies that match the rule conditions.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for an anomaly detection rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
xpack.ml.anomaly_detection_alert
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_anomaly_detection_jobs_health_rule_request
- Create anomaly detection jobs health rule request
A rule that monitors job health and alerts if an operational issue occurred that may prevent the job from detecting anomalies.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for an anomaly detection jobs health rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
xpack.ml.anomaly_detection_jobs_health
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_apm_anomaly_rule_request
- Create APM anomaly rule request
A rule that detects when either the latency, throughput, or failed transaction rate of a service is anomalous.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
apm.anomaly
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_apm_error_count_rule_request
- Create APM error count rule request
A rule that detects when the number of errors in a service exceeds a defined threshold.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
apm.error_rate
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_apm_transaction_duration_rule_request
- Create latency threshold rule request
A rule that detects when the latency of a specific transaction type in a service exceeds a threshold.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
apm.transaction_duration
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_apm_transaction_error_rate_rule_request
- Create APM transaction error rate rule request
A rule that sends notifications when the rate of transaction errors in a service exceeds a threshold.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
apm.transaction_error_rate
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_es_query_rule_request
- Create Elasticsearch query rule request
A rule that runs a user-configured query, compares the number of matches to a configured threshold, and schedules actions to run when the threshold condition is met.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
.es-query
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_geo_containment_rule_request
- Create tracking containment rule request
A rule that runs an Elasticsearch query over indices to determine whether any documents are currently contained within any boundaries from the specified boundary index. In the event that an entity is contained within a boundary, an alert may be generated.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a tracking containment rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
.geo-containment
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_index_threshold_rule_request
- Create index threshold rule request
A rule that runs an Elasticsearch query, aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
.index-threshold
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_infra_inventory_rule_request
- Create infra inventory rule request
A rule that sends notifications when a metric has reached or exceeded a value for a specific resource or a group of resources within your infrastructure.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
metrics.alert.inventory.threshold
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_infra_metric_anomaly_rule_request
- Create infrastructure anomaly rule request
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for an infrastructure anomaly rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
metrics.alert.anomaly
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_infra_metric_threshold_rule_request
- Create infra metric threshold rule request
A rule that sends notifications when a metric has reached or exceeded a value for a specific time period.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
metrics.alert.threshold
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_log_threshold_rule_request
- Create log threshold rule request
A rule that detects when a log aggregation exceeds a threshold.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
logs.alert.document.count
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_monitoring_ccr_exceptions_rule_request
- Create CCR read exceptions rule request
A rule that detects cross-cluster replication (CCR) read exceptions.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a CCR read exceptions rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
monitoring_ccr_read_exceptions
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_monitoring_cluster_health_rule_request
- Create cluster health rule request
A rule that detects when the health of the cluster changes.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a cluster health rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
monitoring_alert_cluster_health
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_monitoring_cpu_usage_rule_request
- Create CPU usage rule request
A rule that detects when the CPU load for a node is consistently high.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a CPU usage rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
monitoring_alert_cpu_usage
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_monitoring_disk_usage_rule_request
- Create disk usage rule request
A rule that detects when the disk usage for a node is consistently high.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a disk usage rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
monitoring_alert_disk_usage
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_monitoring_elasticsearch_version_mismatch_rule_request
- Create Elasticsearch version mismatch rule request
A rule that detects when the cluster has multiple versions of Elasticsearch.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for an Elasticsearch version mismatch rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
monitoring_alert_elasticsearch_version_mismatch
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_monitoring_jvm_memory_usage_rule_request
- Create JVM memory usage rule request
A rule that detects when a node reports high memory usage.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a JVM memory usage rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
monitoring_alert_jvm_memory_usage
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_monitoring_kibana_version_mismatch_rule_request
- Create Kibana version mismatch rule request
A rule that detects when the cluster has multiple versions of Kibana.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a Kibana version mismatch rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
monitoring_alert_kibana_version_mismatch
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_monitoring_license_expiration_rule_request
- Create license expiration rule request
A rule that detects when the cluster license is about to expire.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a license expiration rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
monitoring_alert_license_expiration
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_monitoring_logstash_version_mismatch_rule_request
- Create Logstash version mismatch rule request
A rule that detects when the cluster has multiple versions of Logstash.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a Logstash version mismatch rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
monitoring_alert_logstash_version_mismatch
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_monitoring_missing_data_rule_request
- Create missing monitoring data rule request
A rule that detects when monitoring data is missing.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a missing monitoring data rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
monitoring_alert_missing_monitoring_data
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_monitoring_nodes_changed_rule_request
- Create nodes changed rule request
A rule that detects when nodes are added, removed, or restarted.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a nodes changed rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
monitoring_alert_nodes_changed
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_monitoring_shard_size_rule_request
- Create shard size rule request
A rule that detects when the average shard size is larger than a threshold.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a shard size rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
monitoring_shard_size
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_monitoring_thread_pool_search_rejections_rule_request
- Create thread pool search rejections rule request
A rule that detects when the number of rejections in the thread pool exceeds a threshold.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a thread pool search rejections rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
monitoring_alert_thread_pool_search_rejections
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_monitoring_thread_pool_write_rejections_rule_request
- Create thread pool write rejections rule request
A rule that detects when the number of rejections in the write thread pool exceeds a threshold.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a thread pool write rejections rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
monitoring_alert_thread_pool_write_rejections
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_rule_request
- Create rule request body properties
The properties vary depending on the rule type.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
xpack.uptime.alerts.monitorStatus
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_siem_eql_rule_request
- Create event correlation rule request
A rule that uses Event Query Language (EQL) to match events, generate sequences, and stack data.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for an event correlation rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
siem.eqlRule
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_siem_indicator_rule_request
- Create indicator match rule request
A rule that uses indicators from intelligence sources to detect matching events and alerts.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for an indicator match rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
siem.indicatorRule
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_siem_ml_rule_request
- Create machine learning rule request
A rule that detects when a machine learning job discovers an anomaly above the defined threshold.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a machine learning rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
siem.mlRule
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_siem_new_terms_rule_request
- Create new terms rule request
A rule that finds documents with values that appear for the first time.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a new terms rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
siem.newTermsRule
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_siem_notifications_rule_request
- Create security solution notification (legacy) rule request
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a notification rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
siem.notifications
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_siem_query_rule_request
- Create custom query rule request
A rule that uses KQL or Lucene to detect issues across indices.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a custom query rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
siem.queryRule
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_siem_saved_query_rule_request
- Create saved query rule request
A rule that searches the defined indices and creates an alert when a document matches the saved search.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a saved query rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
siem.savedQueryRule
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_siem_threshold_rule_request
- Create threshold rule request
A rule that aggregates query results to detect when the number of matches exceeds a threshold.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a threshold rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
siem.thresholdRule
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_slo_burn_rate_rule_request
- Create SLO burn rate rule request
A rule that detects when the burn rate is above a defined threshold for two different lookback periods. The two periods are a long period and a short period that is 1/12th of the long period. For each lookback period, the burn rate is computed as the error rate divided by the error budget. When the burn rates for both periods surpass the threshold, an alert occurs.
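The two-window burn rate check described above, as an added example that is not Kibana's own code: it assumes per-minute request counts, an error budget equal to 1 minus the SLO target, and a constructed 60-minute long window (so a 5-minute short window) with a threshold chosen only for illustration.

```python
"""Added example, not Kibana's implementation: evaluate an SLO burn rate rule
over two lookback periods, the short one being 1/12th of the long one.

Assumptions made here (not stated on the page): samples are per-minute
request counts, error rate = bad / total over a window, and the error budget
is 1 - SLO target.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Sample:
    minute: int   # minutes before "now"; 0 is the most recent minute
    total: int    # requests served in that minute
    bad: int      # requests that violated the SLO in that minute


def error_rate(samples: Sequence[Sample], window_minutes: float) -> float:
    """Fraction of bad requests over the most recent `window_minutes`."""
    recent = [s for s in samples if s.minute < window_minutes]
    total = sum(s.total for s in recent)
    if total == 0:
        return 0.0  # no traffic in the window: nothing has been burned
    return sum(s.bad for s in recent) / total


def burn_rate(samples: Sequence[Sample], window_minutes: float, slo_target: float) -> float:
    """Burn rate = error rate / error budget, as the rule description states."""
    budget = 1.0 - slo_target
    if budget <= 0:
        raise ValueError("slo_target must be below 1.0 so the error budget is positive")
    return error_rate(samples, window_minutes) / budget


def evaluate(samples: Sequence[Sample], long_window_minutes: float,
             slo_target: float, threshold: float) -> Tuple[bool, float, float]:
    """Return (alert, long_burn_rate, short_burn_rate).

    The short period is 1/12th of the long period and the rule only alerts
    when BOTH burn rates surpass the threshold: a brief spike that the long
    window absorbs, or an old burn the short window no longer sees, does not
    fire.
    """
    short_window_minutes = long_window_minutes / 12
    long_rate = burn_rate(samples, long_window_minutes, slo_target)
    short_rate = burn_rate(samples, short_window_minutes, slo_target)
    return (long_rate > threshold and short_rate > threshold, long_rate, short_rate)


def make_samples(bad_per_minute: Sequence[int]) -> List[Sample]:
    """Constructed data: 1000 requests every minute, index i = i minutes ago."""
    return [Sample(minute=i, total=1000, bad=bad) for i, bad in enumerate(bad_per_minute)]


# Constructed scenarios for a 99% SLO (error budget 1%) and a 60-minute long window.
SLO_TARGET = 0.99
LONG_WINDOW = 60
THRESHOLD = 10.0  # illustrative value, not a Kibana default

SUSTAINED = make_samples([120] * 60)          # 12% errors for the whole hour
SPIKE = make_samples([200] * 5 + [0] * 55)    # 20% errors, but only in the last 5 minutes
RECOVERED = make_samples([0] * 5 + [200] * 55)  # heavy burn earlier, clean last 5 minutes

if __name__ == "__main__":
    for name, data in (("sustained", SUSTAINED), ("spike", SPIKE), ("recovered", RECOVERED)):
        alert, long_rate, short_rate = evaluate(data, LONG_WINDOW, SLO_TARGET, THRESHOLD)
        print(f"{name:10s} long={long_rate:6.2f} short={short_rate:6.2f} alert={alert}")
```

Only the sustained scenario fires: the spike has a short-window burn rate of 20 but a long-window rate of about 1.7, and the recovered one has the reverse.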
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example:
alerts
, apm
, discover
, infrastructure
, logs
, metrics
, ml
, monitoring
, securitySolution
, siem
, stackAlerts
, or uptime
. enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
slo.rules.burnRate
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when
is set to onThrottleInterval
. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. create_synthetics_monitor_status_rule_request
- Create synthetics monitor status rule request
A rule that detects when a monitor is down or an availability threshold is breached.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for the synthetics monitor status rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
xpack.synthetics.alerts.monitorStatus
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_synthetics_uptime_duration_anomaly_rule_request
- Create synthetics uptime duration anomaly rule request
A rule that detects response durations for all of the geographic locations of each monitor. When a monitor runs for an unusual amount of time, at a particular time, an anomaly is recorded.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for the uptime duration anomaly rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
xpack.uptime.alerts.durationAnomaly
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_synthetics_uptime_tls_certificate_rule_request
- Create TLS certificate rule request
A rule that detects when a monitor has a TLS certificate expiring or when it exceeds an age limit.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a TLS certificate rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
xpack.uptime.alerts.tlsCertificate
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_synthetics_uptime_tls_rule_request
- Create synthetics uptime TLS rule request
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
xpack.uptime.alerts.tls
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_transform_health_rule_request
- Create transform health rule request
A rule that monitors transform health and alerts if an operational issue occurred.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for a transform health rule.
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
transform_health
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
create_uptime_monitor_status_rule_request
- Create uptime monitor status rule request
A rule that detects monitor errors and outages.
actions (optional)
consumer
String The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when (optional)
params
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
Enum:
xpack.uptime.alerts.monitorStatus
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
custom_criterion
- custom criterion
threshold (optional)
comparator (optional)
Enum:
<
<=
>
>=
between
outside
timeUnit (optional)
timeSize (optional)
warningThreshold (optional)
warningComparator (optional)
Enum:
<
<=
>
>=
between
outside
aggType (optional)
Enum:
custom
customMetric (optional)
equation (optional)
label (optional)
filter
A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
findRules_200_response
data (optional)
page (optional)
per_page (optional)
total (optional)
getAlertingHealth_200_response
getAlertingHealth_200_response_alerting_framework_health
Three substates identify the health of the alerting framework: decryption_health, execution_health, and read_health.
decryption_health (optional)
execution_health (optional)
read_health (optional)
getAlertingHealth_200_response_alerting_framework_health_decryption_health
The timestamp and status of the rule decryption.
getAlertingHealth_200_response_alerting_framework_health_execution_health
The timestamp and status of the rule run.
getAlertingHealth_200_response_alerting_framework_health_read_health
The timestamp and status of the rule reading events.
getRuleTypes_200_response_inner
action_groups (optional)
array[getRuleTypes_200_response_inner_action_groups_inner] An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. Rule actions validation uses this configuration to ensure that groups are valid.
action_variables (optional)
authorized_consumers (optional)
default_action_group_id (optional)
String The default identifier for the rule type group.
does_set_recovery_context (optional)
Boolean Indicates whether the rule passes context variables to its recovery action.
enabled_in_license (optional)
Boolean Indicates whether the rule type is enabled or disabled based on the subscription.
id (optional)
String The unique identifier for the rule type.
is_exportable (optional)
Boolean Indicates whether the rule type is exportable in Stack Management > Saved Objects.
minimum_license_required (optional)
String The subscriptions required to use the rule type.
name (optional)
String The descriptive name of the rule type.
producer (optional)
String An identifier for the application that produces this rule type.
recovery_action_group (optional)
rule_task_timeout (optional)
getRuleTypes_200_response_inner_action_variables
A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors.
context (optional)
params (optional)
state (optional)
getRuleTypes_200_response_inner_authorized_consumers
The list of the plugin IDs that have access to the rule type.
alerts (optional)
apm (optional)
discover (optional)
infrastructure (optional)
logs (optional)
ml (optional)
monitoring (optional)
siem (optional)
stackAlerts (optional)
uptime (optional)
getRuleTypes_200_response_inner_recovery_action_group
An action group to use when an alert goes from an active state to an inactive one.
groupby
Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.
legacyFindAlerts_200_response
data (optional)
page (optional)
perPage (optional)
total (optional)
legacyGetAlertTypes_200_response_inner
actionGroups (optional)
array[getRuleTypes_200_response_inner_action_groups_inner] An explicit list of groups for which the alert type can schedule actions, each with the action group's unique ID and human readable name. Alert actions validation uses this configuration to ensure that groups are valid.
actionVariables (optional)
authorizedConsumers (optional)
Object The list of the plugin IDs that have access to the alert type.
defaultActionGroupId (optional)
String The default identifier for the alert type group.
enabledInLicense (optional)
Boolean Indicates whether the rule type is enabled based on the subscription.
id (optional)
String The unique identifier for the alert type.
isExportable (optional)
Boolean Indicates whether the alert type is exportable in Saved Objects Management UI.
minimumLicenseRequired (optional)
String The subscriptions required to use the alert type.
name (optional)
String The descriptive name of the alert type.
producer (optional)
String An identifier for the application that produces this alert type.
recoveryActionGroup (optional)
legacyGetAlertTypes_200_response_inner_actionVariables
A list of action variables that the alert type makes available via context and state in action parameter templates, and a short human readable description. The Alert UI will use this information to prompt users for these variables in action parameter editors.
context (optional)
params (optional)
state (optional)
legacyGetAlertTypes_200_response_inner_recoveryActionGroup
An action group to use when an alert instance goes from an active state to an inactive one. If it is not specified, the default recovered action group is used.
legacyGetAlertingHealth_200_response
legacyGetAlertingHealth_200_response_alertingFrameworkHealth
Three substates identify the health of the alerting framework: decryptionHealth, executionHealth, and readHealth.
decryptionHealth (optional)
executionHealth (optional)
readHealth (optional)
legacyGetAlertingHealth_200_response_alertingFrameworkHealth_decryptionHealth
The timestamp and status of the alert decryption.
legacyGetAlertingHealth_200_response_alertingFrameworkHealth_executionHealth
The timestamp and status of the alert execution.
legacyGetAlertingHealth_200_response_alertingFrameworkHealth_readHealth
The timestamp and status of the alert reading events.
non_count_criterion
- non count criterion
threshold (optional)
comparator (optional)
Enum:
<
<=
>
>=
between
outside
timeUnit (optional)
timeSize (optional)
warningThreshold (optional)
warningComparator (optional)
Enum:
<
<=
>
>=
between
outside
metric (optional)
aggType (optional)
Enum:
avg
max
min
cardinality
rate
count
sum
p95
p99
custom
notify_when
Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
params_es_query_rule
aggField (optional)
String The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.
aggType (optional)
excludeHitsFromPreviousRun (optional)
Boolean Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
groupBy (optional)
searchConfiguration (optional)
searchType
String The type of query, in this case a query that uses Elasticsearch Query DSL.
Enum:
esQuery
size
Integer The number of documents to pass to the configured actions when the threshold condition is met.
termField (optional)
String This property is required when groupBy is top. The name of the field that is used for grouping the aggregation.
termSize (optional)
Integer This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
threshold
array[Integer] The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.
thresholdComparator
timeField
String The field that is used to calculate the time window.
timeWindowSize
Integer The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
timeWindowUnit
esQuery
String The query definition, which uses Elasticsearch Query DSL.
index
oneOf The indices to query.
params_es_query_rule_oneOf
The parameters for an Elasticsearch query rule that uses KQL or Lucene to define the query.
aggField (optional)
String The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.
aggType (optional)
excludeHitsFromPreviousRun (optional)
Boolean Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
groupBy (optional)
searchConfiguration (optional)
searchType
String The type of query, in this case a text-based query that uses KQL or Lucene.
Enum:
searchSource
size
Integer The number of documents to pass to the configured actions when the threshold condition is met.
termField (optional)
String This property is required when groupBy is top. The name of the field that is used for grouping the aggregation.
termSize (optional)
Integer This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
threshold
array[Integer] The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.
thresholdComparator
timeField (optional)
String The field that is used to calculate the time window.
timeWindowSize
Integer The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
timeWindowUnit
params_es_query_rule_oneOf_1
The parameters for an Elasticsearch query rule that uses Elasticsearch Query DSL to define the query.
aggField (optional)
String The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.
aggType (optional)
esQuery
String The query definition, which uses Elasticsearch Query DSL.
excludeHitsFromPreviousRun (optional)
Boolean Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
groupBy (optional)
index
oneOf The indices to query.
searchType (optional)
String The type of query, in this case a query that uses Elasticsearch Query DSL.
Enum:
esQuery
size (optional)
Integer The number of documents to pass to the configured actions when the threshold condition is met.
termField (optional)
String This property is required when groupBy is top. The name of the field that is used for grouping the aggregation.
termSize (optional)
Integer This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
threshold
array[Integer] The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.
thresholdComparator
timeField
String The field that is used to calculate the time window.
timeWindowSize
Integer The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
timeWindowUnit
params_es_query_rule_oneOf_searchConfiguration
The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.
params_index_threshold_rule
The parameters for an index threshold rule.
aggField (optional)
String The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.
aggType (optional)
filterKuery (optional)
String A KQL expression that limits the scope of alerts.
groupBy (optional)
index
array[String] The indices to query.
termField (optional)
String This property is required when groupBy is top. The name of the field that is used for grouping the aggregation.
termSize (optional)
Integer This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
threshold
array[Integer] The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.
thresholdComparator
timeField
String The field that is used to calculate the time window.
timeWindowSize
Integer The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
timeWindowUnit
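The notify_when model and the params_es_query_rule / params_index_threshold_rule descriptions above state several cross-field constraints that a request body must satisfy (throttle and notify_when at one level only, aggField with avg/max/min/sum, termField and termSize with groupBy top, two boundaries for between/notBetween, a time window longer than the schedule interval). The following added example, which is not Kibana's own code, checks a create-rule body against those constraints before it is sent; the action-level `frequency` object, the connector ID placeholder and the index patterns and field names in the sample bodies are assumptions, not values from this page.

```python
"""Pre-flight checks for a Kibana create-rule request body (added example, not Kibana code).

Encodes the constraints stated in the model descriptions: notify_when/throttle must not be
set at both rule and action level, throttle only applies with notify_when = onThrottleInterval,
and the cross-field rules shared by params_es_query_rule and params_index_threshold_rule.
The action-level "frequency" object is assumed from Kibana's API shape; samples are constructed.
"""
import re
from typing import Any

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
AGG_NEEDS_FIELD = {"avg", "max", "min", "sum"}
TWO_SIDED = {"between", "notBetween"}  # comparators that need two boundary values
ONE_SIDED = {">", ">=", "<", "<="}
THRESHOLD_RULE_TYPES = {".es-query", ".index-threshold"}


def interval_seconds(interval: str) -> int:
    """Parse a Kibana-style duration such as '5m' or '1h' into seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", interval)
    if not m:
        raise ValueError(f"bad interval: {interval!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def check_notification_settings(body: dict[str, Any]) -> list[str]:
    """Rule-level notify_when/throttle must not coexist with action-level frequency."""
    problems = []
    rule_level = [k for k in ("notify_when", "throttle") if body.get(k) is not None]
    action_level = any("frequency" in action for action in body.get("actions", []))
    if rule_level and action_level:
        problems.append("notify_when/throttle set at both rule and action level; set them per action")
    if body.get("throttle") and body.get("notify_when") != "onThrottleInterval":
        problems.append("throttle is only applicable when notify_when is onThrottleInterval")
    if body.get("notify_when") == "onThrottleInterval" and not body.get("throttle"):
        problems.append("notify_when onThrottleInterval requires a throttle interval")
    return problems


def check_threshold_params(params: dict[str, Any], check_interval: str) -> list[str]:
    """Cross-field rules from the es-query / index-threshold params descriptions."""
    problems = []
    agg = params.get("aggType", "count")
    if agg in AGG_NEEDS_FIELD and not params.get("aggField"):
        problems.append(f"aggField is required when aggType is {agg}")
    if params.get("groupBy", "all") == "top":
        for key in ("termField", "termSize"):
            if key not in params:
                problems.append(f"{key} is required when groupBy is top")
        if params.get("excludeHitsFromPreviousRun"):
            problems.append("excludeHitsFromPreviousRun is not available with a grouping field")
    comparator = params.get("thresholdComparator")
    values = params.get("threshold", [])
    if comparator in TWO_SIDED and len(values) != 2:
        problems.append(f"{comparator} needs two boundary values, got {len(values)}")
    elif comparator in ONE_SIDED and len(values) != 1:
        problems.append(f"{comparator} takes exactly one threshold value")
    elif comparator not in TWO_SIDED | ONE_SIDED:
        problems.append(f"unknown thresholdComparator {comparator!r}")
    # The page recommends a window longer than the check interval to avoid detection gaps.
    window = params.get("timeWindowSize", 0) * UNIT_SECONDS.get(params.get("timeWindowUnit"), 0)
    if window < interval_seconds(check_interval):
        problems.append("timeWindowSize/timeWindowUnit missing or shorter than the schedule interval")
    return problems


def validate_create_rule(body: dict[str, Any]) -> list[str]:
    """Return every problem found; an empty list means the body passed all checks."""
    problems = check_notification_settings(body)
    interval = body.get("schedule", {}).get("interval")
    if not interval:
        problems.append("schedule.interval is required")
    elif body.get("rule_type_id") in THRESHOLD_RULE_TYPES:
        problems += check_threshold_params(body.get("params", {}), interval)
    return problems


# Constructed sample: failed logons per host, with notification settings on the action only.
GOOD_BODY = {
    "name": "Failed logons per host", "consumer": "alerts", "rule_type_id": ".es-query",
    "schedule": {"interval": "1m"},
    "params": {"index": ["auditbeat-*"], "timeField": "@timestamp", "searchType": "esQuery",
               "esQuery": '{"query":{"match":{"event.outcome":"failure"}}}', "size": 100,
               "aggType": "count", "groupBy": "top", "termField": "host.name", "termSize": 10,
               "thresholdComparator": ">", "threshold": [50], "timeWindowSize": 5, "timeWindowUnit": "m"},
    "actions": [{"id": "CONNECTOR_ID_PLACEHOLDER", "group": "query matched", "params": {},
                 "frequency": {"summary": False, "notify_when": "onThrottleInterval", "throttle": "10m"}}],
}

# Constructed sample that violates seven of the documented constraints at once.
BAD_BODY = {
    "name": "Misconfigured", "consumer": "alerts", "rule_type_id": ".index-threshold",
    "schedule": {"interval": "5m"},
    "notify_when": "onActiveAlert", "throttle": "1h",  # rule level, and throttle without onThrottleInterval
    "params": {"index": ["metrics-*"], "timeField": "@timestamp",
               "aggType": "sum",                                    # aggField missing
               "groupBy": "top",                                    # termField and termSize missing
               "thresholdComparator": "between", "threshold": [10],  # one boundary instead of two
               "timeWindowSize": 1, "timeWindowUnit": "m"},          # shorter than the 5m schedule
    "actions": [{"id": "CONNECTOR_ID_PLACEHOLDER", "group": "threshold met", "params": {},
                 "frequency": {"summary": False, "notify_when": "onActiveAlert"}}],  # action level too
}
```

Running `validate_create_rule(BAD_BODY)` returns the seven problems commented in the sample, while `GOOD_BODY` passes with an empty list.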
params_property_apm_anomaly
serviceName (optional)
String The service name from APM
transactionType (optional)
String The transaction type from APM
windowSize
BigDecimal The window size
windowUnit
String The window size unit
Enum:
m
h
d
environment
String The environment from APM
anomalySeverityType
String The anomaly threshold value
Enum:
critical
major
minor
warning
params_property_apm_error_count
serviceName (optional)
String The service name from APM
windowSize
BigDecimal The window size
windowUnit
String The window size unit
Enum:
m
h
d
environment
String The environment from APM
threshold
BigDecimal The error count threshold value
groupBy (optional)
Enum:
errorGroupingKey (optional)
params_property_apm_transaction_duration
serviceName (optional)
String The service name from APM
transactionType (optional)
String The transaction type from APM
transactionName (optional)
String The transaction name from APM
windowSize
BigDecimal The window size
windowUnit
String The window size unit
Enum:
m
h
d
environment
threshold
BigDecimal The latency threshold value
groupBy (optional)
Enum:
aggregationType
Enum:
avg
95th
99th
params_property_apm_transaction_error_rate
serviceName (optional)
String The service name from APM
transactionType (optional)
String The transaction type from APM
transactionName (optional)
String The transaction name from APM
windowSize
BigDecimal The window size
windowUnit
String The window size unit
Enum:
m
h
d
environment
String The environment from APM
threshold
BigDecimal The error rate threshold value
groupBy (optional)
Enum:
params_property_infra_inventory_criteria_inner
metric (optional)
Enum:
count
cpu
diskLatency
load
memory
memoryTotal
tx
rx
logRate
diskIOReadBytes
diskIOWriteBytes
s3TotalRequests
s3NumberOfObjects
s3BucketSize
s3DownloadBytes
s3UploadBytes
rdsConnections
rdsQueriesExecuted
rdsActiveTransactions
rdsLatency
sqsMessagesVisible
sqsMessagesDelayed
sqsMessagesSent
sqsMessagesEmpty
sqsOldestMessage
custom
timeSize (optional)
timeUnit (optional)
Enum:
s
m
h
d
sourceId (optional)
threshold (optional)
comparator (optional)
Enum:
<
<=
>
>=
between
outside
customMetric (optional)
warningThreshold (optional)
warningComparator (optional)
Enum:
<
<=
>
>=
between
outside
params_property_infra_metric_threshold
criteria (optional)
groupBy (optional)
filterQuery (optional)
sourceId (optional)
alertOnNoData (optional)
alertOnGroupDisappear (optional)
params_property_infra_metric_threshold_criteria_inner
threshold (optional)
comparator (optional)
Enum:
<
<=
>
>=
between
outside
timeUnit (optional)
timeSize (optional)
warningThreshold (optional)
warningComparator (optional)
Enum:
<
<=
>
>=
between
outside
metric (optional)
aggType (optional)
Enum:
custom
customMetric (optional)
equation (optional)
label (optional)
params_property_log_threshold
criteria (optional)
count
timeSize
timeUnit
Enum:
s
m
h
d
logView
groupBy (optional)
params_property_slo_burn_rate
sloId (optional)
String The SLO identifier used by the rule
burnRateThreshold (optional)
BigDecimal The burn rate threshold used to trigger the alert
maxBurnRateThreshold (optional)
BigDecimal The maximum burn rate threshold value defined by the SLO error budget
longWindow (optional)
shortWindow (optional)
params_property_slo_burn_rate_longWindow
The duration of the long window used to compute the burn rate
params_property_slo_burn_rate_shortWindow
The duration of the short window used to compute the burn rate
params_property_synthetics_monitor_status
availability (optional)
filters (optional)
locations (optional)
numTimes
search (optional)
shouldCheckStatus
shouldCheckAvailability
timerangeCount (optional)
timerangeUnit (optional)
timerange (optional)
version (optional)
isAutoGenerated (optional)
params_property_synthetics_monitor_status_filters
monitor.type (optional)
observer.geo.name (optional)
tags (optional)
url.port (optional)
params_property_synthetics_monitor_status_filters_oneOf
monitor.type (optional)
observer.geo.name (optional)
tags (optional)
url.port (optional)
params_property_synthetics_uptime_tls
search (optional)
certExpirationThreshold (optional)
certAgeThreshold (optional)
rule_response_properties
- Rule response properties
actions
api_key_created_by_user (optional)
Boolean Indicates whether the API key that is associated with the rule was created by the user.
api_key_owner
String The owner of the API key that is associated with the rule and used to run background tasks.
consumer
String The application or feature that owns the rule. For example, alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
created_at
Date The date and time that the rule was created. format: date-time
created_by
String The identifier for the user that created the rule.
enabled
Boolean Indicates whether the rule is currently enabled.
execution_status
id
String The identifier for the rule.
last_run (optional)
muted_alert_ids
mute_all
name
String The name of the rule.
next_run (optional)
Date format: date-time
notify_when (optional)
String Indicates how often alerts generate actions.
params
map[String, oas_any_type_not_mapped] The parameters for the rule.
revision (optional)
Integer The rule revision number.
rule_type_id
String The identifier for the type of rule. For example, .es-query, .index-threshold, logs.alert.document.count, monitoring_alert_cluster_health, siem.thresholdRule, or xpack.ml.anomaly_detection_alert.
running (optional)
Boolean Indicates whether the rule is running.
schedule
scheduled_task_id (optional)
tags
array[String] The tags for the rule.
throttle
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
updated_at
String The date and time that the rule was updated most recently.
updated_by
String The identifier for the user that updated this rule most recently.
rule_response_properties_last_run
alerts_count (optional)
outcome (optional)
outcome_msg (optional)
outcome_order (optional)
warning (optional)
schedule
The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
interval (optional)
thresholdcomparator
The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".
update_rule_request
- Update rule request
The update rule API request body varies depending on the type of rule and actions.
actions (optional)
name
String The name of the rule.
notify_when (optional)
params
map[String, oas_any_type_not_mapped] The parameters for the rule.
schedule
tags (optional)
array[String] The tags for the rule.
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.