View and manage Kibana alerting v2 rules

The rule details page provides a comprehensive view of a single rule's configuration, execution history, and generated alerts.

The rule details page shows:

  • Rule name, description, and mode (detect or alert).
  • Status (enabled or disabled).
  • Tags for filtering and organization.
  • Rule version, created by, and last updated by.
  • Base query — the ES|QL query.
  • Alert condition — the WHERE clause that filters breaching rows.
  • Grouping key — fields the rule groups by.
  • Lookback window and schedule.
  • Recovery condition (alert mode).
  • No-data configuration (alert mode).
  • Severity conditions (alert mode).
  • Last execution response — succeeded, failed, or warning.
  • Last execution time — how long the most recent evaluation took.
  • Execution response breakdown — pie chart showing the percentage of successful, failed, and warning executions.

From the rule details page, you can:

  • Edit — open the rule form.
  • Enable/Disable — toggle execution.
  • Clone — create a copy.
  • Run — execute once immediately.
  • Update API key — refresh the execution API key.
  • Delete — remove the rule.
  • Explore alert events in Discover — opens Discover in a new tab with the base query pre-populated and a 15-minute time range.

View resources linked to the rule:

  • Notification policies — policies that route this rule's alerts.
  • Workflows — workflows triggered by the rule.
  • Linked dashboards — investigation dashboards.
  • Runbooks — investigation guides.

For rules on alerts, the Related tab shows:

  • Parent rules — rules whose alert events feed this rule.
  • Child rules — rules that consume this rule's alert events.
  • Sibling rules — rules that share a parent.

Click a related rule to navigate to its details page.

The Execution history tab shows a chronological log of rule evaluations:

| Field | Description |
|-------|-------------|
| Timestamp | When the execution occurred |
| Type | Rule execution, recovery, no-data, notification, or workflow |
| Duration | How long the execution took |
| Response | Succeeded, failed, or warning |
| Message | Details about the execution result |

Filter execution history by time range, type, and response, or search by message content. By default, the history is pre-filtered to show failed and warning executions.

The Alerts tab shows:

  • Alert KPIs — total alerts, active count, resolved count.
  • Alert list — alerts generated by this rule with status, severity, grouping key, and duration.

Click an alert to open the alert flyout.