Set up Kibana alerting v2
Kibana alerting v2 is available in Elastic Stack 9.4 and later. This page explains how to enable it and configure initial settings.
Kibana alerting v2 is enabled by default in 9.4. When enabled, a Rules V2 tab appears in the rules management area under Management > Alerts and Insights > Rules V2.
Kibana alerting v2 depends on the following Kibana plugins, which are enabled by default:
- Task Manager — schedules and executes rule evaluations.
- Encrypted Saved Objects — stores API keys securely for rule and notification policy execution.
- ES|QL — provides query execution for rule evaluation.
- Spaces — enforces space-level isolation for rules and policies.
Kibana alerting v2 automatically creates and manages the following data streams:
.alerts-events-*— stores signal and alert event documents produced by rule evaluations. This is an append-only data stream..alerts-actions— stores alert action records (acknowledge, snooze, deactivate, fire, suppress) used by the dispatcher for suppression tracking and audit.
No manual index configuration is required. The system creates these data streams with the appropriate mappings when the first rule executes.
To verify that Kibana alerting v2 is working:
- Navigate to Management > Alerts and Insights > Rules V2.
- Confirm that the rules list page loads.
- Click Create rule to confirm the rule form opens.
- Optionally, create a test rule with a simple ES|QL query and verify that alert events appear in Discover by querying the
.alerts-events-*index.