Investigate and respond to Kibana alerting v2 alerts

When an alert requires investigation, use the alert flyout and detail pages to understand the condition, review the timeline, examine related alerts, and take action.

Click any alert row in the inbox to open the alert flyout. The flyout provides a compact investigation view with multiple tabs.

At the top of the flyout, a visual timeline shows alert events and their corresponding statuses since the beginning of the episode. Click on the timeline chart to navigate to the alert events tab on the full alert details page.

The overview tab shows:

Alert summary

• Triggered timestamp
• Last updated timestamp
• Duration
• Alert status (active, pending, recovering, inactive)
• Alert severity
• Tags
• Assignee

Rule summary

• Rule name and description
• Rule condition (ES|QL query)
• Grouping key

Alert event evaluation chart

• A time series chart showing evaluation results since the beginning of the episode until resolution.

All alert metadata fields in a structured view, including the data payload from the ES|QL query.

Resources linked to the rule that generated the alert:

• Investigation guides (runbooks)
• Linked dashboards
• Saved searches

Related alerts from:

• Related rules (parent, child, sibling rules in rules-on-alerts chains).
• Past episodes from the same rule and series.

Click a related alert to open its flyout.

For deeper investigation, click View details in the flyout to open the full alert detail page. This page provides the same information as the flyout with additional space for timeline exploration and alert event history.

From the flyout or detail page, you can:

Refer to Alert episode details and Alert actions for more detail.