
Alerting and notifications in Elasticsearch - Step-by-Step Execution

Concept Flow - Alerting and notifications
Define Watch -> Set Trigger Condition -> Monitor Data -> Condition Met?
  No  -> Wait (until the next trigger)
  Yes -> Execute Actions -> Send Notifications -> End or Repeat
This flow shows how an alert is set up, monitors data, checks conditions, and sends notifications when triggered.
Execution Sample
PUT _watcher/watch/error_watch
{
  "trigger": { "schedule": { "interval": "10s" } },
  "input": { "search": { "request": { "indices": ["logs"], "body": { "query": { "match": { "level": "error" } } } } } },
  "condition": { "compare": { "ctx.payload.hits.total.value": { "gt": 0 } } },
  "actions": { "email_admin": { "email": { "to": "admin@example.com", "subject": "Error Logs Alert", "body": "There are error logs in the last 10 seconds." } } }
}
This watch checks every 10 seconds for error logs and sends an email if any are found.
Execution Table
Step | Action                                 | Evaluation                      | Result
1    | Trigger fires every 10 seconds         | Time reached                    | Proceed to input search
2    | Search logs index for 'level: error'   | Query executed                  | Hits found: 3
3    | Check condition 'hits.total.value > 0' | 3 > 0                           | True
4    | Execute action: send email             | Email sent to admin@example.com | Notification sent
5    | Wait for next trigger                  | Next 10 seconds                 | Cycle repeats
6    | Trigger fires again                    | Time reached                    | Proceed to input search
7    | Search logs index for 'level: error'   | Query executed                  | Hits found: 0
8    | Check condition 'hits.total.value > 0' | 0 > 0                           | False
9    | No action executed                     | No notification                 | Wait for next trigger
💡 Execution cycles continuously every 10 seconds, sending notifications only when condition is true.
Variable Tracker
Variable          | Start | After Step 2 | After Step 3 | After Step 4 | After Step 7 | After Step 8
hits.total.value  | 0     | 3            | 3            | 3            | 0            | 0
condition_met     | false | N/A          | true         | true         | N/A          | false
notification_sent | false | false        | false        | true         | false        | false
Key Moments - 3 Insights
Why does the watch send an email only sometimes?
Because the condition 'hits.total.value > 0' is only true when error logs exist (see execution_table rows 3 and 8). When no errors are found, the condition is false and no email is sent.
What triggers the watch to run its check?
The watch runs every 10 seconds as defined by the trigger schedule (execution_table rows 1 and 6). This periodic trigger initiates the search and condition evaluation.
What happens if the search finds zero error logs?
The condition evaluates to false (execution_table row 8), so no actions like sending emails are executed (row 9). The watch waits for the next trigger cycle.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table: what is the value of 'hits.total.value' after step 2?
A. 3
B. 0
C. undefined
D. 10
💡 Hint
Check the 'hits.total.value' variable in variable_tracker after Step 2.
At which step does the condition evaluate to false?
A. Step 3
B. Step 8
C. Step 4
D. Step 2
💡 Hint
Look at the 'Condition' column in execution_table rows where condition is checked.
If the trigger interval changed to 30 seconds, how would the execution table change?
A. Steps would occur every 30 seconds instead of 10
B. Condition would never be true
C. Emails would be sent more frequently
D. Search would look in a different index
💡 Hint
Refer to the trigger action timing in execution_table steps 1 and 6.
Concept Snapshot
Alerting in Elasticsearch uses watches.
A watch has a trigger (time-based), input (data query), condition (checks data), and actions (notifications).
When the condition is true, actions like emails are sent.
Watches run repeatedly as scheduled.
This helps monitor data and alert on important events.
Full Transcript
This visual execution shows how Elasticsearch alerting works using watches. First, a watch is defined with a trigger that runs every 10 seconds. When triggered, it searches the logs index for error-level logs. The condition checks if any error logs exist. If yes, an email notification is sent to the admin. The watch then waits for the next trigger cycle. If no errors are found, no notification is sent. Variables like hits.total.value track the number of errors found. The condition_met variable shows if the alert condition is true. The notification_sent variable tracks if an email was sent. This cycle repeats continuously, enabling real-time alerting based on data changes.