Set up Kibana alerting v2
Before you can create your first rule, Kibana alerting v2 needs to be enabled in your space and a few background systems need to be in place. Rules rely on two data streams to store their output, API keys to run with the right privileges, and space scoping to keep objects organized. Getting these right upfront means your rules will run cleanly and their output will be queryable from the start.
If you want to jump straight to creating a rule, go to Quick start. For privilege requirements, refer to Kibana alerting v2 privileges.
Kibana alerting v2 is available in Serverless only.
Kibana alerting v2 automatically creates and manages two data streams when the first rule runs. You don't need to create them manually.
| Data stream | What it stores |
|---|---|
| `.rule-events` | A record for every rule evaluation. One document per result row, per run. Never updated in place. |
| `.alert-actions` | Records for acknowledge, snooze, deactivate, fire, suppress, and other audit and suppression tracking. |
Both data streams are hidden system data streams. To query them in Discover, prefix the name with $:
```esql
FROM $`.rule-events`
| WHERE rule.id == "<your-rule-id>"
| SORT @timestamp DESC
| LIMIT 10
```
After your first rule runs, use the query above in Discover to confirm documents are appearing. If nothing appears after a few seconds, check that the rule is enabled and that your ES|QL query returns results when run independently.
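The same check can be scripted against the ES|QL REST endpoint instead of Discover. The example below is added here and is not part of the Kibana documentation or the Kibana code base. It assumes the standard Elasticsearch `POST /_query` endpoint with a `{"query": ...}` body and a columnar `{"columns": [...], "values": [...]}` response, and it assumes the `$`-prefixed hidden data stream name shown for Discover is accepted unchanged by `_query`; `ES_URL` and `ES_API_KEY` are placeholders you supply. The rule id is validated against an allowlist before it is interpolated into the query string, and the sample response used for the offline run is constructed, so field names other than `rule.id` and `@timestamp` are illustrative.

```python
"""Check that a rule is writing to .rule-events via the ES|QL _query API.

Added example, not part of the Kibana docs. Assumptions: POST /_query with a
{"query": ...} body and a columnar {"columns": [...], "values": [...]} reply;
the $-prefixed hidden data stream name from Discover is assumed to work the
same way when sent to _query; ES_URL and ES_API_KEY are placeholders.
"""
import json
import re
import urllib.request

# Allowlist for rule ids: Kibana rule ids are opaque identifiers (typically
# UUIDs), so anything outside this character set is rejected rather than
# interpolated into the query string.
RULE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


def build_query(rule_id: str, limit: int = 10) -> str:
    """Return the Discover query from the page, with the rule id validated."""
    if not RULE_ID_RE.fullmatch(rule_id):
        raise ValueError(f"refusing to interpolate unexpected rule id: {rule_id!r}")
    if not 1 <= limit <= 10000:
        raise ValueError("limit out of range")
    return (
        "FROM $`.rule-events`\n"
        f'| WHERE rule.id == "{rule_id}"\n'
        "| SORT @timestamp DESC\n"
        f"| LIMIT {limit}"
    )


def rows_from_response(resp: dict) -> list[dict]:
    """Turn the columnar ES|QL response into one dict per row."""
    names = [c["name"] for c in resp.get("columns", [])]
    return [dict(zip(names, vals)) for vals in resp.get("values", [])]


def rule_has_events(resp: dict, rule_id: str) -> bool:
    """True when at least one returned row belongs to the given rule."""
    return any(r.get("rule.id") == rule_id for r in rows_from_response(resp))


def fetch_rule_events(es_url: str, api_key: str, rule_id: str) -> dict:
    """Send the query to a live deployment (not exercised in the offline run)."""
    req = urllib.request.Request(
        f"{es_url.rstrip('/')}/_query",
        data=json.dumps({"query": build_query(rule_id)}).encode(),
        headers={
            "Content-Type": "application/json",
            "Authorization": f"ApiKey {api_key}",  # placeholder key value
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as r:
        return json.load(r)


# Constructed sample response shaped like an ES|QL _query reply, so the
# parsing and check can be run offline without a cluster.
SAMPLE_RESPONSE = {
    "columns": [
        {"name": "@timestamp", "type": "date"},
        {"name": "rule.id", "type": "keyword"},
    ],
    "values": [
        ["2024-01-01T00:00:10.000Z", "abc-123"],
        ["2024-01-01T00:00:05.000Z", "abc-123"],
    ],
}

if __name__ == "__main__":
    print(build_query("abc-123"))
    print("events found:", rule_has_events(SAMPLE_RESPONSE, "abc-123"))
    # To run against a deployment: fetch_rule_events(ES_URL, ES_API_KEY, "<rule-id>")
```

If `rule_has_events` is false against a live response, apply the same two checks the text above gives: confirm the rule is enabled and that its ES|QL query returns rows when run on its own.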
Rules and action policies are space-scoped. Objects you create in one space are not visible in another. Alert events are stored globally, but the UI filters what you see by space.
Saving a rule or action policy automatically creates an API key that is used to run it. The key inherits the privileges of the user who saved the object. If those privileges change over time, update the key from the rule or policy management UI.
When you're ready to go further, these can be done in any order:
- Author rules: Write the ES|QL query that defines what to detect, choose Detect or Alert mode, and configure grouping and thresholds in Configure a rule.
- Set up workflows: Configure the automation objects that deliver messages — email, Slack, webhook, and so on. You need at least one workflow before action policies can send anything.
- Create action policies: Define who gets notified, how often, and under what conditions. Policies use KQL matchers to pick up the right episodes and route them to your workflows.