
Create Kibana alerting v2 rules in the UI

Create Kibana alerting v2 rules using the interactive rule creation form. The form provides a guided experience for configuring all rule settings, with the option to toggle between interactive and YAML modes.

  1. Navigate to Management > Alerts and Insights > Rules V2.
  2. Click Create rule.

Choose the rule mode. Detect produces alert events (signals) only. Alert additionally tracks each alert's lifecycle (active and recovered states) and can send notifications, and it unlocks the alert-only settings described below.

Write the ES|QL query that defines what to detect. The query has two parts:

  • Base query (required) — the main ES|QL query that selects, aggregates, and transforms data. Every row it returns is a candidate alert event.
  • Alert condition (optional) — a WHERE clause applied to the rows of the base query. Only rows that satisfy it (the breaching rows) generate alert events; without a condition, every row does.

Use the YAML mode toggle to switch between the interactive form and a YAML editor for the full rule definition.

Define one or more group key fields to split alert event generation. Each unique combination of values in those fields is tracked as its own alert series, so a breach on one host or user does not mask or recover a breach on another. The group key fields must be present in the rows the base query returns.

Configure the execution interval (how often the rule runs) and the lookback window (how far back the ES|QL query evaluates on each run). Set the lookback to at least the length of the interval; otherwise events that arrive between two runs fall outside every evaluation and are never detected.

When the rule is in alert mode, additional settings are available:

  • Alert delay (activation threshold) — require the condition to be met a specified number of consecutive times or for a minimum duration before an alert becomes active.
  • Recovery conditions — define how recovery is detected.
  • No-data handling — configure behavior when the query returns no results.
  • Notification policies — link one or more notification policies to route alerts to workflow destinations.
  • Tags — add free-form tags for filtering and organization.
  • Investigation guide — attach a runbook or investigation guide to the rule.

Before saving, click Preview to evaluate the query against recent data. Use it to confirm that the row count matches the cardinality you expect for the group key fields and that the alert condition actually narrows the result set. The preview shows:

  • How many rows the query returns.
  • How many alert events would be generated.
  • Sample alert event documents.

Click Save to create the rule. The rule starts executing on its configured schedule.
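As an added illustration of the query and group key steps above (example content, not from the Kibana documentation), the following is a detection that a practitioner might enter in the form: a base query that counts failed authentications per host and source address, and an alert condition that keeps only the breaching rows. The index pattern, field names, and thresholds are assumptions chosen for illustration; the time range is not filtered inside the query because the rule's lookback window supplies it.

```esql
// Base query (entered in the Base query field).
// Index pattern, field names and thresholds are assumptions for this example.
FROM logs-system.auth-*
| WHERE event.category == "authentication" AND event.outcome == "failure"
| STATS failures = COUNT(*), targets = COUNT_DISTINCT(user.name) BY host.name, source.ip
| SORT failures DESC

// Alert condition (entered separately in the Alert condition field).
// Keeps only rows that indicate either brute force on one account
// or password spraying across several accounts from one source.
WHERE failures >= 20 OR targets >= 5
```

With `host.name` and `source.ip` chosen as the group key fields, each (host, source) pair becomes its own alert series: a source that stops failing against one host recovers that series only, while its activity against other hosts stays active. Run Preview and check that the row count is in line with the number of distinct (host, source) pairs in the lookback window and that the condition reduces it to a small set of breaching rows before saving.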