Reduce Kibana alerting v2 noise and false positives
Kibana alerting v2 provides multiple mechanisms to reduce alert noise and prevent false positives. Each mechanism operates at a different stage of the alerting pipeline, from rule evaluation to notification delivery. Use them in combination for layered noise reduction.
| Mechanism | Stage | Scope | What it does |
|---|---|---|---|
| Activation thresholds | Rule evaluation | Per series | Require consecutive breaches or duration before activating |
| Recovery thresholds | Rule evaluation | Per series | Require consecutive recoveries or duration before deactivating |
| No-data handling | Rule evaluation | Per series | Prevent false recoveries when data stops |
| Grouping | Notification policy | Per notification | Batch related alerts into fewer notifications |
| Throttle | Notification policy | Per group | Limit notification frequency |
| Matcher | Notification policy | Per policy | Route only matching alerts to destinations |
| Snooze or silence | Alert action | Per series or attribute | Temporarily suppress notifications |
| Maintenance windows | Notification policy | Scheduled | Pause notifications during planned work |
| Rules on alerts | Rule evaluation | Cross-rule | Replace many alerts with one meaningful one |
| Deactivate alerts | Alert action | Per episode | Stop processing for resolved-but-not-recovered episodes |
- Preventing alerts from activating too quickly
  - Use activation thresholds to filter transient spikes.
- Preventing alerts from toggling between active and recovered
  - Use recovery thresholds to require sustained recovery.
- Reducing the number of notifications without reducing detection
  - Use grouping to batch alerts, throttle to limit frequency, or matchers to route only the most important alerts.
- Suppressing notifications during known events
  - Use maintenance windows for scheduled deployments, or snooze for ad hoc suppression.
- Replacing many low-level alerts with fewer high-level ones
  - Use rules on alerts to create correlation and escalation patterns.
- Stopping notifications for alerts you've already seen
  - Use acknowledge to suppress per episode, or deactivate to fully stop processing.
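To make the two stages in the table concrete, the following is a small Python model of the pipeline written for this page. It is not Kibana's implementation: the class and field names (SeriesState, NotificationPolicy, breaches_to_activate, recoveries_to_deactivate, no_data_counts_as_recovery) and the sample series are assumptions made for the example. It runs the same constructed error-rate samples through 1/1 and 3/3 activation and recovery thresholds, then through one notification policy with a matcher, grouping by service and a throttle, and separately shows why a gap in the data must not count as a recovery.

```python
"""Toy model of the noise-reduction stages on this page (illustration only,
not Kibana's code; names and sample data are assumptions for the example)."""
from collections import defaultdict
from dataclasses import dataclass, field

NO_DATA = None  # marker for a tick with no sample for the series


@dataclass
class SeriesState:
    """Rule-evaluation stage: activation and recovery thresholds, per series."""
    breaches_to_activate: int = 3              # consecutive breaches before 'active'
    recoveries_to_deactivate: int = 3          # consecutive recoveries before 'recovered'
    no_data_counts_as_recovery: bool = False   # True reproduces the false-recovery problem
    active: bool = False
    breach_run: int = 0
    recovery_run: int = 0

    def evaluate(self, value, threshold):
        """Feed one sample; return 'active' or 'recovered' on a transition, else None."""
        if value is NO_DATA and not self.no_data_counts_as_recovery:
            # No-data handling: a gap is neither a breach nor a recovery, so the
            # series keeps its current state and both runs start over afterwards.
            self.breach_run = self.recovery_run = 0
            return None
        if value is not NO_DATA and value > threshold:
            self.breach_run += 1
            self.recovery_run = 0
            if not self.active and self.breach_run >= self.breaches_to_activate:
                self.active = True
                return "active"
        else:
            self.recovery_run += 1
            self.breach_run = 0
            if self.active and self.recovery_run >= self.recoveries_to_deactivate:
                self.active = False
                return "recovered"
        return None


@dataclass
class NotificationPolicy:
    """Notification-policy stage: matcher, grouping and throttle."""
    match: dict      # tags that must all be equal, e.g. {"severity": "critical"}
    group_by: str    # tag whose value batches alerts into one notification
    throttle: int    # minimum ticks between notifications for one group
    last_sent: dict = field(default_factory=dict)

    def notify(self, tick, transitions):
        """transitions: [(tags, status)] -> [(group, [(series, status), ...])] actually sent."""
        groups = defaultdict(list)
        for tags, status in transitions:
            if all(tags.get(k) == v for k, v in self.match.items()):
                groups[tags[self.group_by]].append((tags["series"], status))
        sent = []
        for group, items in groups.items():
            last = self.last_sent.get(group)
            if last is None or tick - last >= self.throttle:
                self.last_sent[group] = tick
                sent.append((group, items))
        return sent


def run_pipeline(samples, tags, threshold, policy, **state_opts):
    """Evaluate every series each tick, then pass that tick's transitions to the policy."""
    states = {s: SeriesState(**state_opts) for s in samples}
    ticks = len(next(iter(samples.values())))
    transitions, notifications = [], []
    for tick in range(ticks):
        now = []
        for series, values in samples.items():
            status = states[series].evaluate(values[tick], threshold)
            if status:
                now.append(({**tags[series], "series": series}, status))
        transitions += [(tick, t["series"], s) for t, s in now]
        notifications += [(tick, g, items) for g, items in policy.notify(tick, now)]
    return transitions, notifications


# Constructed sample data: error rate per tick for four series, threshold 5.
SAMPLES = {
    "host-a": [6, 7, 6, 6, 6, 4, 4, 4, 4, 4, 4, 4],           # sustained breach, then recovery
    "host-b": [6, 2, 6, 2, 6, 2, 6, 2, 6, 2, 6, 2],           # flapping around the threshold
    "host-c": [6, 6, 6, None, None, None, 6, 6, 6, 6, 6, 6],  # breach with a data gap
    "host-d": [6] * 12,                                       # sustained breach, other service
}
TAGS = {
    "host-a": {"service": "checkout", "severity": "critical"},
    "host-b": {"service": "checkout", "severity": "critical"},
    "host-c": {"service": "checkout", "severity": "warning"},
    "host-d": {"service": "search", "severity": "critical"},
}


def compare():
    """(transitions, notifications) for 1/1 thresholds versus 3/3 thresholds."""
    results = {}
    for label, opts in {"naive": dict(breaches_to_activate=1, recoveries_to_deactivate=1),
                        "tuned": dict(breaches_to_activate=3, recoveries_to_deactivate=3)}.items():
        policy = NotificationPolicy(match={"severity": "critical"}, group_by="service", throttle=5)
        transitions, notifications = run_pipeline(SAMPLES, TAGS, 5, policy, **opts)
        results[label] = (len(transitions), len(notifications))
    return results


def no_data_transitions(no_data_counts_as_recovery):
    """Transitions for host-c alone, with and without no-data handling."""
    state = SeriesState(no_data_counts_as_recovery=no_data_counts_as_recovery)
    return [(t, s) for t, v in enumerate(SAMPLES["host-c"]) if (s := state.evaluate(v, 5))]


if __name__ == "__main__":
    print(compare())
    print(no_data_transitions(False), no_data_transitions(True))
```

With 1/1 thresholds the flapping host produces a transition every tick; the throttle hides most of them, but the notifications that do go out describe a state that has already changed. With 3/3 thresholds the flapping host never activates, the sustained breach still notifies, and every notification corresponds to a real state change. Treating the gap on host-c as a recovery produces a recovered-then-active pair that never happened.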
A recommended approach for new deployments:
- Start with detect mode — run rules in detect mode to produce signals without noise. Review signal volume in Discover.
- Enable alert mode selectively — switch rules to alert mode one at a time. Tune activation thresholds to filter transient conditions.
- Add notification policies — create policies with matchers and throttling to control which alerts generate notifications and how often.
- Create rules on alerts — for services with many rules, create higher-order rules that correlate across alerts and notify only on significant patterns.