Create Kibana alerting v2 rules in Discover
Create Kibana alerting v2 rules directly from Discover. When you build an ES|QL query in Discover that surfaces interesting patterns, you can convert it into a rule without rewriting the query.
Open Discover and switch to ES|QL mode.
Write and run an ES|QL query that returns the data you want to monitor. For example:
FROM logs-* | WHERE http.response.status_code >= 500 | STATS error_count = COUNT(*) BY api.endpoint | WHERE error_count > 100
Review the results to confirm the query captures the pattern you want to alert on.
Click Create rule (or Alerts > Create rule) from the Discover toolbar.
The rule creation form opens with the ES|QL query pre-populated in the evaluation field.
Configure the remaining rule settings:
- Name and description.
- Mode (detect or alert).
- Schedule (execution interval and lookback window).
- Grouping fields if applicable.
- Alert delay, recovery, and no-data settings for alert mode.
- Notification policies to link.
Optionally preview the rule results.
Click Save.
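The following ES|QL query is an added example, not part of the original page, that extends the count-based query above into the kind of query a practitioner would typically hand to a rule: it computes an error rate per endpoint and host rather than a raw error count, and ignores low-volume endpoints so a handful of failed requests does not fire an alert. The field names http.response.status_code and api.endpoint come from the page; host.name, the 50-request volume floor and the 5% threshold are assumptions chosen for illustration.

```esql
FROM logs-*
| EVAL is_error = CASE(http.response.status_code >= 500, 1, 0)
| STATS total = COUNT(*), errors = SUM(is_error) BY api.endpoint, host.name
| WHERE total >= 50
| EVAL error_rate_pct = ROUND(errors * 100.0 / total, 2)
| WHERE error_rate_pct > 5
| SORT error_rate_pct DESC
```

Two things carry over from Discover when this query becomes a rule. The query deliberately contains no @timestamp filter: the time range you set in the Discover time picker is what becomes the rule's lookback window, so hard-coding a range in the query would pin the rule to that window even after you change the schedule. And the fields in the BY clause (api.endpoint, host.name) are the ones to select as grouping fields in the rule form, so that each endpoint/host pair is tracked and alerts on independently.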
When you create a rule from Discover:
- The full ES|QL query from your current Discover session is placed into the rule's base query field.
- The index pattern is inferred from the FROM command in your query.
- The time range is converted into the rule's lookback window.
You can modify any of these values in the rule form before saving.
Use Discover when you want to:
- Explore data interactively before deciding on alert conditions.
- Build and test complex ES|QL queries with immediate feedback.
- Convert ad hoc analysis into persistent monitoring.
Use the rule form directly when you:
- Already know the query and settings you want.
- Want to start from a template or existing rule.
- Need to configure advanced settings like state transitions that are not surfaced in Discover.