Loading

Alerting rule templates

Serverless Stack 9.2.1

Alerting rule templates are out-of-the-box alert definitions that come bundled with Elastic integrations, enabling users to quickly set up monitoring without writing queries from scratch.

Templates help you start monitoring in minutes by providing curated ES|QL queries and recommended thresholds tailored to each integration.

After the integration is installed, these templates are automatically available in Kibana's alerting interface with a prefilled rule creation form that you can adapt to your needs.

Although these templates are managed by Elastic, any alert created from them is owned by the customer and will not be modified by Elastic, even if the templates change.

Important

Although the alerts can be used as provided, threshold values should always be evaluated in the context of your specific environment. Depending on how you adjust the thresholds, you may either generate too many alerts or fail to trigger alerts when expected.

  • Install or upgrade to the latest version of the integration that includes alerting rule templates.
  • Ensure the data collection is enabled for the metrics or events that you plan to use.
  • Elastic Stack 9.2.1 or later.
  • Appropriate Kibana role privileges to create and manage rules.

Alerting rule templates come with recommended, pre-populated values. To use them:

  1. In Kibana, go to Management > Integrations.

  2. Find and open the integration.

  3. On the integration page, open the Assets tab and expand Alerting rule templates to view all available templates for that integration.

    Note

    You can find the Alerting rule template option only when the integration adds template support for alerting rules.

  4. Select a template to open a prefilled Create rule form.

    You can use the template to create your own custom alerting rule by adjusting values, setting up connectors, and defining rule actions.

  5. Review and (optionally) customize the prefilled settings, then save and enable the rule.

    The rule created from the template gets listed in the ObservabilityAlertsManage Rules page.

To update the rule you have created from the template, go to ObservabilityAlertsManage Rules, select the rule and click Actions.

The preconfigured defaults include:

  • ES|QL query
    A curated, text-based query that evaluates your data and triggers when matches are found during the latest run.
  • Recommended threshold
    A suggested threshold embedded in the ES|QL WHERE clause. You can tune the threshold to fit your environment.
  • Time window (look-back)
    The length of time the rule analyzes for data (for example, the last 5 minutes).
  • Rule schedule
    How frequently the rule checks alert conditions (for example, every minute).
  • Alert delay (alert suppression)
    The number of consecutive runs for which conditions must be met before an alert is created.

For details about fields in the Create rule form and how the rule evaluates data, refer to the Elasticsearch query rule type.