Query alert indices
On Serverless, alerts are stored in data streams; on self-managed and Elastic Cloud Hosted (ECH) deployments they are stored in indices. The naming scheme below applies in both cases.
Every alert index name consists of five parts.
It starts with the .internal.alerts- prefix, followed by the context, the dataset, the space ID and the version number.
Index name template:
.internal.alerts-{{context}}.{{dataset}}-{{space-id}}-{{version-number}}
context: usually the product group the rule type belongs to, such as stack, observability.apm or security (the table below lists every context).
dataset: always alerts for the alert indices, as the index and alias examples that follow show.
space-id: only Security rules write space-specific indices; every other rule type writes to default regardless of the space the rule was created in.
version-number: starts at 000001 and is incremented by one each time the index is rolled over.
An example alert index name for the Elasticsearch query rule:
.internal.alerts-stack.alerts-default-000001
Every alert index also has an alias.
It starts with the .alerts- prefix, followed by the context, the dataset and the space ID; the version number is left out, so the alias is the stable name to query across rollovers.
Alias template:
.alerts-{{context}}.{{dataset}}-{{space-id}}
An example alias for the Elasticsearch query rule's index:
.alerts-stack.alerts-default
Note: Only Security rules are space-specific; every other rule type writes to the default space's index no matter which space the rule belongs to. Keep this in mind when granting direct Elasticsearch read access to these indices: Kibana's space and rule-type authorization does not apply to a direct index query, so a user who can read .alerts-stack.alerts-default sees Stack alerts from every space.
The table below lists the index name and alias that each rule type writes to.
| Index name / Alias | Rules |
|---|---|
| default<br>Index name: `.internal.alerts-default.alerts-default-000001`<br>Alias: `.alerts-default.alerts-default` | Stack Monitoring: CCR read exceptions, Cluster health, CPU Usage, Disk Usage, Elasticsearch version mismatch, Kibana version mismatch, License expiration, Logstash version mismatch, Memory Usage (JVM), Missing monitoring data, Nodes changed, Shard size, Thread pool search rejections, Thread pool write rejections |
| stack<br>Index name: `.internal.alerts-stack.alerts-default-000001`<br>Alias: `.alerts-stack.alerts-default` | Stack alerts: Elasticsearch query, Index threshold, Degraded docs, Tracking containment, Transform health |
| observability.apm<br>Index name: `.internal.alerts-observability.apm.alerts-default-000001`<br>Alias: `.alerts-observability.apm.alerts-default` | APM and User Experience: APM Anomaly, Error count threshold, Failed transaction rate threshold, Latency threshold |
| ml.anomaly-detection-health<br>Index name: `.internal.alerts-ml.anomaly-detection-health.alerts-default-000001`<br>Alias: `.alerts-ml.anomaly-detection-health.alerts-default` | Machine Learning: Anomaly detection jobs health |
| ml.anomaly-detection<br>Index name: `.internal.alerts-ml.anomaly-detection.alerts-default-000001`<br>Alias: `.alerts-ml.anomaly-detection.alerts-default` | Machine Learning: Anomaly detection |
| observability.uptime<br>Index name: `.internal.alerts-observability.uptime.alerts-default-000001`<br>Alias: `.alerts-observability.uptime.alerts-default` | Synthetics and Uptime: Synthetics monitor status, Synthetics TLS certificate |
| observability.metrics<br>Index name: `.internal.alerts-observability.metrics.alerts-default-000001`<br>Alias: `.alerts-observability.metrics.alerts-default` | Infrastructure: Metric threshold, Inventory |
| observability.threshold<br>Index name: `.internal.alerts-observability.threshold.alerts-default-000001`<br>Alias: `.alerts-observability.threshold.alerts-default` | Observability: Custom threshold |
| observability.slo<br>Index name: `.internal.alerts-observability.slo.alerts-default-000001`<br>Alias: `.alerts-observability.slo.alerts-default` | SLOs: SLO burn rate |
| observability.logs<br>Index name: `.internal.alerts-observability.logs.alerts-default-000001`<br>Alias: `.alerts-observability.logs.alerts-default` | Logs: Log threshold |
| dataset.quality<br>Index name: `.internal.alerts-dataset.quality.alerts-default-000001`<br>Alias: `.alerts-dataset.quality.alerts-default` | Degraded docs |
| streams<br>Index name: `.internal.alerts-streams.alerts-default-000001`<br>Alias: `.alerts-streams.alerts-default` | Streams: ES\|QL rule |
| security.attack.discovery<br>Index name: `.internal.alerts-security.attack.discovery.alerts-{{your-space-id}}-000001`<br>Alias: `.alerts-security.attack.discovery.alerts-{{your-space-id}}` | Security: Attack Discovery Schedule |
| security<br>Index name: `.internal.alerts-security.alerts-{{your-space-id}}-000001`<br>Alias: `.alerts-security.alerts-{{your-space-id}}` | Security: all other Security rules |
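As an added example (not part of this page and not code from Kibana itself), the naming scheme and the table can be turned into a small helper that builds the index or alias name for a context and space, parses an existing index name back into its parts, and refuses to build a space-specific name for a context that is not space-aware. The set of space-aware contexts is taken from the table; the function names and the sample names are this example's own.

```python
import re
from typing import NamedTuple

# Naming scheme from the page:
#   index: .internal.alerts-{context}.{dataset}-{space-id}-{version}
#   alias: .alerts-{context}.{dataset}-{space-id}
INDEX_PREFIX = ".internal.alerts-"
ALIAS_PREFIX = ".alerts-"
DATASET = "alerts"  # the dataset part is "alerts" for every alert index

# Contexts whose indices are per space, taken from the table (Security only).
# Every other context writes to space ID "default" whatever the rule's space.
SPACE_AWARE_CONTEXTS = frozenset({"security", "security.attack.discovery"})


class AlertIndexName(NamedTuple):
    context: str
    dataset: str
    space_id: str
    version: int


def _effective_space(context: str, space_id: str) -> str:
    # A non-default space on a context that is not space-aware would yield a
    # name that never exists on the cluster. Refuse it rather than quietly
    # pointing the caller at "default", which holds alerts from every space.
    if space_id != "default" and context not in SPACE_AWARE_CONTEXTS:
        raise ValueError(f"context {context!r} is not space-specific; use 'default'")
    return space_id


def alias_name(context: str, space_id: str = "default") -> str:
    """Alias for a context; it carries no version number, so it is the
    stable name to query across rollovers."""
    return f"{ALIAS_PREFIX}{context}.{DATASET}-{_effective_space(context, space_id)}"


def index_name(context: str, space_id: str = "default", version: int = 1) -> str:
    """Concrete backing index, e.g. version=3 after two rollovers."""
    if version < 1:
        raise ValueError("version numbers start at 000001")
    return f"{INDEX_PREFIX}{context}.{DATASET}-{_effective_space(context, space_id)}-{version:06d}"


# A context may contain dots and hyphens (ml.anomaly-detection-health) and a
# space ID may contain hyphens (my-space), so splitting on "-" is wrong; anchor
# on the fixed ".alerts-" dataset separator and the trailing numeric version.
_INDEX_RE = re.compile(
    r"^\.internal\.alerts-(?P<context>.+?)\.(?P<dataset>alerts)-(?P<space>.+)-(?P<version>\d+)$"
)


def parse_index_name(name: str) -> AlertIndexName:
    """Split a backing index name into its parts; rejects aliases and
    anything outside the scheme."""
    m = _INDEX_RE.match(name)
    if not m:
        raise ValueError(f"not an alert index name: {name!r}")
    return AlertIndexName(m["context"], m["dataset"], m["space"], int(m["version"]))


def alias_of(index: str) -> str:
    """Alias that covers a given backing index (the name without its version)."""
    p = parse_index_name(index)
    return f"{ALIAS_PREFIX}{p.context}.{p.dataset}-{p.space_id}"


if __name__ == "__main__":
    print(index_name("stack"), alias_name("security", "soc"))
    print(parse_index_name(".internal.alerts-ml.anomaly-detection-health.alerts-default-000003"))
```

parse_index_name is handy when you pull names from _cat/indices or from the _index field of search hits: the context tells you which product wrote the alert and the space ID whether it is space-scoped at all.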
You can search alerts with the .internal.alerts-* index pattern, with the .alerts-* alias pattern, or with a single index or alias name. These are hidden indices: querying them directly needs read privileges on them in Elasticsearch and bypasses Kibana's own alert authorization, so grant that access sparingly. The requests below use the Kibana Dev Tools console syntax.
The following request returns up to 100 alerts from all alert indices; size caps the returned hits, while hits.total reports how many matched (exact only up to 10,000 unless track_total_hits is set):
```console
GET /.internal.alerts-*/_search
{
  "query": {
    "match_all": {}
  },
  "size": 100
}
```
To see which fields an alert index holds, request its mapping. For the Elasticsearch query rule, by index name:
```console
GET /.internal.alerts-stack.alerts-default-000001/_mapping
```
or by alias:
```console
GET /.alerts-stack.alerts-default/_mapping
```
The following query returns active alerts; replace the kibana.alert.status value with recovered to get recovered alerts instead:
```console
GET /.internal.alerts-*/_search
{
  "query": {
    "bool": {
      "filter": [{ "term": { "kibana.alert.status": "active" } }]
    }
  },
  "size": 100
}
```
To restrict the results to one rule, filter on kibana.alert.rule.uuid and replace the placeholder with your rule's ID (the ID in the rule's URL in Kibana):
```console
GET /.internal.alerts-*/_search
{
  "size": 100,
  "query": {
    "bool": {
      "filter": [
        { "term": { "kibana.alert.rule.uuid": "--your-rule-id--" } }
      ]
    }
  }
}
```
To find alerts that recovered within the last hour, combine the status filter with a range on @timestamp (use active instead of recovered, or widen the window, as needed):
```console
GET /.internal.alerts-*/_search
{
  "query": {
    "bool": {
      "filter": [
        { "term": { "kibana.alert.status": "recovered" } },
        {
          "range": {
            "@timestamp": {
              "gte": "now-60m",
              "lte": "now"
            }
          }
        }
      ]
    }
  },
  "size": 100
}
```
To filter by rule type, filter on kibana.alert.rule.category and replace the value with the rule type's name as listed in the table above:
```console
GET /.internal.alerts-*/_search
{
  "query": {
    "bool": {
      "filter": [
        { "term": { "kibana.alert.rule.category": "Elasticsearch query" } }
      ]
    }
  },
  "size": 100
}
```
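As an added example (not from this page or the Kibana project), the query bodies above can be produced by one function and the returned hits post-processed instead of read by eye. It assumes alert documents carry the flat dotted field names used on the page in _source; kibana.alert.rule.name is a standard alert field the page does not show; the sample response, the rule IDs and every function name are constructed for this example. The builder also sets track_total_hits so that hits.total is exact rather than capped at 10,000, which is how the truncated() check notices when size left alerts out.

```python
from collections import defaultdict
from typing import Any, Optional

# Alert fields used by the queries on the page; kibana.alert.rule.name is a
# standard alerts-as-data field the page does not show.
F_STATUS = "kibana.alert.status"
F_RULE_UUID = "kibana.alert.rule.uuid"
F_RULE_CATEGORY = "kibana.alert.rule.category"
F_RULE_NAME = "kibana.alert.rule.name"


def alert_query(status: Optional[str] = None, rule_uuid: Optional[str] = None,
                category: Optional[str] = None, since: Optional[str] = None,
                size: int = 100) -> dict:
    """Request body for GET /.alerts-*/_search, built like the page's queries:
    every criterion is an exact-match term (or range) inside a bool filter,
    and with no criteria it falls back to match_all. track_total_hits makes
    hits.total exact instead of capped at 10,000, so truncated() below can
    tell whether `size` dropped alerts."""
    filters: list = []
    if status is not None:
        filters.append({"term": {F_STATUS: status}})
    if rule_uuid is not None:
        filters.append({"term": {F_RULE_UUID: rule_uuid}})
    if category is not None:
        filters.append({"term": {F_RULE_CATEGORY: category}})
    if since is not None:
        filters.append({"range": {"@timestamp": {"gte": since, "lte": "now"}}})
    query = {"bool": {"filter": filters}} if filters else {"match_all": {}}
    return {"size": size, "track_total_hits": True,
            "sort": [{"@timestamp": {"order": "desc"}}], "query": query}


def field(source: dict, path: str) -> Any:
    """Alert documents keep dotted names flat in _source ("kibana.alert.status");
    fall back to a nested walk for copies where they were expanded into objects."""
    if path in source:
        return source[path]
    node: Any = source
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def total_hits(response: dict) -> int:
    total = response["hits"]["total"]  # {"value": n, "relation": ...} or a bare int
    return total["value"] if isinstance(total, dict) else int(total)


def truncated(response: dict) -> bool:
    """True when `size` cut the result short; paginate (search_after) before
    trusting any count derived from the returned hits."""
    return total_hits(response) > len(response["hits"]["hits"])


def summarize(response: dict) -> dict:
    """Per-rule active/recovered counts plus the backing indices the hits came
    from; _index reveals which context and space wrote each alert."""
    summary: dict = defaultdict(lambda: {"name": None, "category": None,
                                         "active": 0, "recovered": 0, "indices": set()})
    for hit in response["hits"]["hits"]:
        src = hit["_source"]
        entry = summary[field(src, F_RULE_UUID)]
        entry["name"] = field(src, F_RULE_NAME)
        entry["category"] = field(src, F_RULE_CATEGORY)
        status = field(src, F_STATUS)
        if status in ("active", "recovered"):
            entry[status] += 1
        entry["indices"].add(hit["_index"])
    return dict(summary)


# Constructed sample response (not captured from a cluster): two hits from one
# Stack rule, one from a Security rule in space "soc", and a total showing that
# size=100 would have left 247 alerts out.
RULE_A = "11111111-1111-4111-8111-111111111111"
RULE_B = "22222222-2222-4222-8222-222222222222"
SAMPLE_RESPONSE = {"hits": {"total": {"value": 250, "relation": "eq"}, "hits": [
    {"_index": ".internal.alerts-stack.alerts-default-000001", "_source": {
        "@timestamp": "2024-05-01T10:00:00.000Z", F_STATUS: "active", F_RULE_UUID: RULE_A,
        F_RULE_CATEGORY: "Elasticsearch query", F_RULE_NAME: "Failed logins spike"}},
    {"_index": ".internal.alerts-stack.alerts-default-000001", "_source": {
        "@timestamp": "2024-05-01T09:30:00.000Z", F_STATUS: "recovered", F_RULE_UUID: RULE_A,
        F_RULE_CATEGORY: "Elasticsearch query", F_RULE_NAME: "Failed logins spike"}},
    {"_index": ".internal.alerts-security.alerts-soc-000002", "_source": {
        "@timestamp": "2024-05-01T09:55:00.000Z", F_STATUS: "active", F_RULE_UUID: RULE_B,
        F_RULE_CATEGORY: "Custom Query Rule", F_RULE_NAME: "Suspicious PowerShell"}},
]}}

if __name__ == "__main__":
    print(alert_query(status="recovered", since="now-60m"))
    print(summarize(SAMPLE_RESPONSE), "truncated:", truncated(SAMPLE_RESPONSE))
```

Send the body from alert_query() with any Elasticsearch client against .alerts-* (or a specific alias); summarize() works on the JSON the search returns. The _index of each hit is worth keeping: it is the only place a direct query tells you which space a Security alert belongs to.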