Alerting
Elastic alerting lets you monitor your data and take action when something needs attention — whether that's a metric crossing a threshold, an asset leaving a geographic boundary, or an anomaly in your time series data. You define the conditions, choose how you want to be notified, and Elastic handles the rest.
Elastic provides three alerting systems: Kibana alerting v1, Kibana alerting v2, and Watcher.
Kibana alerting v1 provides a set of built-in rule types integrated with applications like APM, Metrics, Security, and Uptime. Rules evaluate conditions on a defined schedule and trigger actions through connectors — email, Slack, webhooks, PagerDuty, and more. Prepackaged rule types simplify setup for common use cases.
Refer to Kibana alerting v1 to get started.
Kibana alerting v2 is a redesigned alerting framework built on ES|QL. You write the query that defines what to detect and what data each alert carries. V2 introduces notification policies for centralized notification control, per-series snooze, alert lifecycle tracking with episodes, and the ability to write rules on alerts for correlation and escalation.
Kibana alerting v2 runs alongside Kibana alerting v1. There is no forced migration.
Refer to Kibana alerting v2 to get started.
Watcher provides alerting for custom use cases and complex alerting logic. It runs inside Elasticsearch and is defined as JSON watches through the Elasticsearch watcher API, with each watch pairing a trigger schedule, an input (typically a search), a condition, and one or more actions. It supports advanced scripting with Painless to define complex conditions and to transform the search payload before it reaches an action.
For most use cases, Kibana alerting v1 or Kibana alerting v2 is recommended over Watcher. They offer richer integrations, prepackaged rule types, and a consistent management interface. Watcher is not available in Elastic Cloud Serverless.
Refer to Watcher to get started.
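As an added illustration of the condition-and-transform model described above (this is example code written for this page, not a watch shipped by Elastic), the watch body below is stored with `PUT _watcher/watch/ssh_bruteforce` and looks for brute-force authentication every five minutes. The index pattern `logs-auth-*`, the ECS-style fields `event.outcome` and `source.ip`, the threshold of 20 failures, and the webhook URL are all assumptions chosen for the example. The Painless condition only fires when at least one source IP crossed the threshold, and the Painless transform reshapes the aggregation into a compact list of offenders so the action payload carries exactly the data the responder needs.

```json
{
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["logs-auth-*"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "term": { "event.outcome": "failure" } },
                { "range": { "@timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-5m",
                    "lte": "{{ctx.trigger.scheduled_time}}" } } }
              ]
            }
          },
          "aggs": {
            "by_source": {
              "terms": { "field": "source.ip", "size": 10, "min_doc_count": 20 }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "lang": "painless",
      "source": "return ctx.payload.aggregations.by_source.buckets.size() > 0;"
    }
  },
  "transform": {
    "script": {
      "lang": "painless",
      "source": "def out = []; for (b in ctx.payload.aggregations.by_source.buckets) { out.add(['ip': b.key, 'failures': b.doc_count]); } return ['offenders': out];"
    }
  },
  "actions": {
    "notify_soc": {
      "throttle_period": "30m",
      "webhook": {
        "method": "POST",
        "url": "https://soc.example.internal/hooks/watcher",
        "body": "{{#toJson}}ctx.payload.offenders{{/toJson}}"
      }
    }
  }
}
```

Two practitioner notes: `min_doc_count` pushes the threshold into the aggregation so the condition script stays a simple emptiness check, and `throttle_period` keeps a persistent attacker from paging the SOC every five minutes. Because a watch executes with the privileges of the user who stored it, create it from an account whose roles are limited to reading the `logs-auth-*` indices rather than from a superuser.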