Alerting helps you know when something important happens in your data. Notifications tell you right away so you can act fast.
Alerting and notifications in Elasticsearch
Introduction
Syntax
Elasticsearch
PUT _watcher/watch/<watch_id>
{
  "trigger": {
    "schedule": { "interval": "10s" }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["<index_name>"],
        "body": {
          "query": { "match": { "<field>": "<value>" } }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total.value": { "gt": 0 } }
  },
  "actions": {
    "notify_admin": {
      "email": {
        "to": "admin@example.com",
        "subject": "Alert: Condition met",
        "body": "Found matching documents in Elasticsearch."
      }
    }
  }
}

The trigger defines when the alert runs.
The input defines what data to check.
The condition decides whether the actions run.
The actions define the notifications to send.
Examples
Elasticsearch
PUT _watcher/watch/error_alert
{
  "trigger": { "schedule": { "interval": "1m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["logs"],
        "body": {
          "query": { "match": { "level": "error" } }
        }
      }
    }
  },
  "condition": { "compare": { "ctx.payload.hits.total.value": { "gt": 5 } } },
  "actions": {
    "send_email": {
      "email": {
        "to": "devteam@example.com",
        "subject": "High error rate detected",
        "body": "More than 5 errors found in the last minute."
      }
    }
  }
}

Elasticsearch
PUT _watcher/watch/disk_space_alert
{
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["metrics"],
        "body": {
          "query": { "range": { "disk_free": { "lt": 1024 } } }
        }
      }
    }
  },
  "condition": { "compare": { "ctx.payload.hits.total.value": { "gt": 0 } } },
  "actions": {
    "send_slack": {
      "webhook": {
        "method": "POST",
        "url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
        "body": "{ \"text\": \"Disk space is low!\" }"
      }
    }
  }
}

Sample Program
This watcher runs every 10 seconds. It searches 'my_index' for documents whose 'status' is 'error'. If it finds any, it sends an email to the admin.
Elasticsearch
PUT _watcher/watch/sample_alert
{
  "trigger": {
    "schedule": { "interval": "10s" }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["my_index"],
        "body": {
          "query": { "match": { "status": "error" } }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total.value": { "gt": 0 } }
  },
  "actions": {
    "notify": {
      "email": {
        "to": "admin@example.com",
        "subject": "Error found in my_index",
        "body": "There are error documents in my_index."
      }
    }
  }
}

Important Notes
Make sure your Elasticsearch cluster has Watcher enabled.
Actions can be emails, webhooks, Slack messages, or other integrations.
Test your alerts to confirm they work as expected.
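As an added example (not code from the page), the following script dry-runs the compare condition used by every watch above: resolve() walks the ctx.payload path through a constructed search response, condition_met() applies the operator and rejects the common mistake of comparing hits.total without .value on Elasticsearch 7+, and dry_run_request() builds the body for Watcher's _execute API so a watch can also be tested on a real cluster with its actions simulated. The function names and SAMPLE_RESPONSE are this example's own.

```python
import operator

# Operators accepted by Watcher's "compare" condition.
_OPS = {"eq": operator.eq, "not_eq": operator.ne, "gt": operator.gt,
        "gte": operator.ge, "lt": operator.lt, "lte": operator.le}


def resolve(ctx, path):
    """Walk a dotted Watcher path such as 'ctx.payload.hits.total.value';
    numeric segments index into lists (e.g. ctx.payload.hits.hits.0._source)."""
    node = {"ctx": ctx}
    for part in path.split("."):
        if isinstance(node, list) and part.isdigit():
            node = node[int(part)]
        elif isinstance(node, dict) and part in node:
            node = node[part]
        else:
            raise KeyError(f"{path!r} does not exist in the payload (stopped at {part!r})")
    return node


def condition_met(watch, search_response):
    """Evaluate the watch's compare condition with search_response as ctx.payload.
    Numeric comparisons only: a TypeError means the path resolved to an object,
    which is what happens if '.value' is left off hits.total on Elasticsearch 7+."""
    compare = watch["condition"]["compare"]
    (path, spec), = compare.items()        # compare holds exactly one path ...
    (op_name, expected), = spec.items()    # ... tested with exactly one operator
    actual = resolve({"payload": search_response}, path)
    if not isinstance(actual, (int, float)):
        raise TypeError(f"{path} resolved to {type(actual).__name__}, not a number")
    return _OPS[op_name](actual, expected)


def dry_run_request():
    """Body for POST _watcher/watch/<watch_id>/_execute: the cluster evaluates the
    watch for real but only simulates its actions and writes no watch history."""
    return {"action_modes": {"_all": "simulate"}, "record_execution": False}


# Constructed search response in the Elasticsearch 7+ shape, standing in for ctx.payload.
SAMPLE_RESPONSE = {"took": 3, "hits": {"total": {"value": 7, "relation": "eq"}, "hits": []}}

# Condition taken from the error_alert watch above; other watch fields are not needed offline.
ERROR_WATCH = {"condition": {"compare": {"ctx.payload.hits.total.value": {"gt": 5}}}}

print("error_alert would fire:", condition_met(ERROR_WATCH, SAMPLE_RESPONSE))  # prints True
```

Watcher's Slack and email actions can reference an account configured in the cluster's notification settings (with the webhook URL held in the keystore) instead of embedding the URL in the watch body as the disk_space_alert example does, which keeps the secret out of anything that can read watch definitions.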
Summary
Alerting helps you watch your data and get notified automatically.
Use triggers, inputs, conditions, and actions to build alerts.
Alerts can send emails or messages to keep you informed.
Practice
1. What is the main purpose of alerting in Elasticsearch?
easy
Solution
Step 1: Understand alerting concept
Alerting watches your data and triggers notifications when specific conditions happen.
Step 2: Identify main purpose
The main goal is to notify users automatically about important data changes or events.
Final Answer:
To automatically notify you when certain data conditions are met -> Option A
Quick Check:
Alerting = automatic notifications [OK]
Hint: Alerting means automatic notifications on data changes [OK]
Common Mistakes:
- Confusing alerting with data storage
- Thinking alerting is for data visualization
- Mixing alerting with backup processes
2. Which of the following is the correct syntax to define a trigger in an Elasticsearch alerting watch?
easy
Solution
Step 1: Recall trigger syntax in watch
Triggers use a schedule object with an interval field inside curly braces.
Step 2: Match correct JSON structure
"trigger": { "schedule": { "interval": "10m" } } correctly nests schedule and interval inside trigger with proper braces and quotes.
Final Answer:
"trigger": { "schedule": { "interval": "10m" } } -> Option A
Quick Check:
Trigger uses schedule with interval [OK]
Hint: Trigger syntax always nests schedule and interval inside braces [OK]
Common Mistakes:
- Missing braces around schedule
- Using wrong keys like 'time' instead of 'schedule'
- Incorrect JSON structure without nested objects
3. Given this watch input snippet, what type of input is being used?
{
  "input": {
    "search": {
      "request": {
        "indices": ["logs"],
        "body": {
          "query": { "match_all": {} }
        }
      }
    }
  }
}
medium
Solution
Step 1: Identify input type from JSON keys
The input uses the key "search" with a request containing indices and a query.
Step 2: Match input type to Elasticsearch alerting inputs
This matches the Search input type, which runs a search query on indices.
Final Answer:
Search input -> Option C
Quick Check:
Input with "search" key = Search input [OK]
Hint: Look for 'search' key to identify Search input type [OK]
Common Mistakes:
- Confusing search input with HTTP or webhook inputs
- Ignoring the 'search' key and guessing script input
- Not recognizing the query structure inside input
4. You wrote this action in your watch but it fails to send an email:
"actions": {
  "send_email": {
    "email": {
      "to": "user@example.com",
      "subject": "Alert!",
      "body": "Condition met"
    }
  }
}
What is the likely error?
medium
Solution
Step 1: Check required fields for email action
Email action requires a 'from' field to specify sender address.
Step 2: Identify missing 'from' field
The given action lacks the 'from' field, causing failure to send email.
Final Answer:
Missing 'from' field in email action -> Option D
Quick Check:
Email action needs 'from' field [OK]
Hint: Email actions always need a 'from' address [OK]
Common Mistakes:
- Assuming 'to' format is wrong when it is correct
- Forgetting to add 'from' sender email
- Thinking trigger absence causes email failure
5. You want to create an alert that sends a Slack message only if the number of errors in logs exceeds 100 in the last 5 minutes. Which condition correctly implements this in the watch?
hard
Solution
Step 1: Understand payload structure for hits total
In Elasticsearch 7+, total hits count is accessed as ctx.payload.hits.total.value.
Step 2: Choose correct condition syntax
The compare condition with 'gt' operator on ctx.payload.hits.total.value correctly checks if errors exceed 100.
Final Answer:
"condition": { "compare": { "ctx.payload.hits.total.value": { "gt": 100 } } } -> Option B
Quick Check:
Use compare with ctx.payload.hits.total.value > 100 [OK]
Hint: Use compare on ctx.payload.hits.total.value for counts [OK]
Common Mistakes:
- Using ctx.payload.hits.total instead of .value
- Using script with wrong field name
- Using 'gte' instead of 'gt' when strictly greater needed
