
Alerting and notifications in Elasticsearch

Introduction

Alerting helps you know when something important happens in your data. Notifications tell you right away so you can act fast.

You want to know if your website is down.
You want to get a message when sales drop suddenly.
You want to be alerted if errors increase in your logs.
You want to monitor server health and get notified on issues.
You want to automate messages when certain data conditions happen.
Syntax
Elasticsearch
PUT _watcher/watch/<watch_id>
{
  "trigger": {
    "schedule": { "interval": "10s" }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["<index_name>"],
        "body": {
          "query": { "match": { "<field>": "<value>" } }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total.value": { "gt": 0 } }
  },
  "actions": {
    "notify_admin": {
      "email": {
        "to": "admin@example.com",
        "subject": "Alert: Condition met",
        "body": "Found matching documents in Elasticsearch."
      }
    }
  }
}

The trigger defines when the alert runs.

The input defines what data to check.

The condition decides, from the input's result, whether the actions run.

The actions define what happens when the condition is met, such as sending an email or calling a webhook.

Examples
This alert runs every minute, checks the 'logs' index for more than 5 error documents written in the last minute, and sends an email. The time filter assumes each document carries an @timestamp field; without it the query would count every error ever indexed and the alert would keep firing.
Elasticsearch
PUT _watcher/watch/error_alert
{
  "trigger": { "schedule": { "interval": "1m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["logs"],
        "body": {
          "query": {
            "bool": {
              "filter": [
                { "match": { "level": "error" } },
                { "range": { "@timestamp": { "gte": "now-1m" } } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": { "compare": { "ctx.payload.hits.total.value": { "gt": 5 } } },
  "actions": {
    "send_email": {
      "email": {
        "to": "devteam@example.com",
        "subject": "High error rate detected",
        "body": "More than 5 errors found in the last minute."
      }
    }
  }
}
This alert runs every 5 minutes and sends a Slack message through a webhook if any document reports disk space below 1GB (the query assumes disk_free is recorded in megabytes, so it tests for values under 1024).
Elasticsearch
PUT _watcher/watch/disk_space_alert
{
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["metrics"],
        "body": {
          "query": { "range": { "disk_free": { "lt": 1024 } } }
        }
      }
    }
  },
  "condition": { "compare": { "ctx.payload.hits.total.value": { "gt": 0 } } },
  "actions": {
    "send_slack": {
      "webhook": {
        "method": "POST",
        "url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
        "body": "{ \"text\": \"Disk space is low!\" }"
      }
    }
  }
}
Sample Program

This watcher runs every 10 seconds. It searches the 'my_index' index for documents whose 'status' is 'error'. If it finds any, it sends an email to the admin.

Elasticsearch
PUT _watcher/watch/sample_alert
{
  "trigger": {
    "schedule": { "interval": "10s" }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["my_index"],
        "body": {
          "query": { "match": { "status": "error" } }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total.value": { "gt": 0 } }
  },
  "actions": {
    "notify": {
      "email": {
        "to": "admin@example.com",
        "subject": "Error found in my_index",
        "body": "There are error documents in my_index."
      }
    }
  }
}
Output

Success
Important Notes

Make sure your Elasticsearch cluster has Watcher enabled.

Actions can be emails, webhooks, Slack messages, or other integrations.

Test your alerts to confirm they work as expected.

Summary

Alerting helps you watch your data and get notified automatically.

Use triggers, inputs, conditions, and actions to build alerts.

Alerts can send emails or messages to keep you informed.