Kibana alerting v2 no-data handling
Proper no-data handling prevents false recoveries and false alerts when data sources stop reporting. By default, if a rule returns no results, the system cannot determine whether the condition is resolved or whether data has simply stopped arriving.
Consider a rule that monitors CPU usage per host. If host-a stops sending metrics:
- Without no-data handling, the rule sees no breaching rows for `host-a` and treats it as recovery, which is a false recovery.
- With no-data handling configured to `no_data`, the system detects the absence and records a no-data event instead.
| Behavior | Effect | Use when |
|---|---|---|
| `no_data` | Records a no-data event. The alert does not recover or activate. | Missing data is a condition you want to track |
| `last_status` | Carries forward the previous status. No new event is written. | Data gaps are expected (batch ingestion) |
| `recover` | Treats absence as recovery. Alert transitions to recovering. | You are confident that no data means the issue is resolved |
Refer to No-data handling (rule settings) for configuration details and examples.
Choosing the right no-data behavior reduces two types of noise:
- False recoveries: prevented by using `no_data` or `last_status` instead of `recover`.
- False no-data alerts: prevented by using `last_status` when gaps are expected.
For the strongest noise reduction, use no_data behavior with a combined metric and no-data rule that handles both conditions in a single ES|QL query.
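The three behaviors from the table, replayed over the `host-a` scenario so the false recovery becomes visible. This is an added example, not Kibana code: the `replay` and `false_recoveries` functions, the status and event names, and the sample readings are assumptions made for this simplified model.

```python
# Added illustration, not Kibana code: a simplified model of the three
# no-data behaviors. Status and event names are assumptions for this sketch.
BEHAVIORS = ("no_data", "last_status", "recover")


def replay(samples, threshold, behavior):
    """Replay one host's readings; None means the rule returned no rows.

    Returns one (status, event) pair per evaluation. event is None when
    nothing is written for that evaluation.
    """
    if behavior not in BEHAVIORS:
        raise ValueError(f"unknown no-data behavior: {behavior!r}")
    status, timeline = "inactive", []
    for value in samples:
        event = None
        if value is None:
            if behavior == "no_data":
                event = "no_data"              # gap is recorded, status untouched
            elif behavior == "recover" and status == "active":
                status = event = "recovering"  # absence treated as recovery
            # last_status: previous status carried forward, nothing written
        elif value > threshold:
            if status != "active":
                status = event = "active"
        elif status == "active":
            status = event = "recovering"      # recovery backed by real data
        timeline.append((status, event))
    return timeline


def false_recoveries(samples, timeline):
    """Count recoveries that happened on an evaluation with no data."""
    return sum(1 for value, (_, event) in zip(samples, timeline)
               if value is None and event == "recovering")


# Constructed sample: host-a CPU %, silent for two evaluations, then
# reporting again while still above the 90% threshold.
HOST_A = [95, 97, None, None, 96]

if __name__ == "__main__":
    for behavior in BEHAVIORS:
        timeline = replay(HOST_A, 90, behavior)
        print(f"{behavior:12} events={[e for _, e in timeline]} "
              f"false_recoveries={false_recoveries(HOST_A, timeline)}")
```

In this model, `recover` closes the alert during the gap and opens it again when data returns, while `no_data` keeps the alert active and leaves a record of each silent evaluation.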