
Set up the experimental alerting features

This setup page is part of the experimental alerting features in Kibana. Before you can create your first rule, the experimental alerting features must be enabled in your space and a few background systems must be in place: rules rely on two data streams to store their output, on API keys to run with the right privileges, and on space scoping to keep objects organized. Getting these right up front means your rules run cleanly and their output is queryable from the start.

If you want to jump straight to creating a rule, go to Quick start. For privilege requirements, refer to Experimental alerting features privileges.

The experimental alerting features are available in technical preview in Elastic Stack 9.5 and in Serverless.

The experimental alerting features automatically create and manage two data streams when the first rule runs. You don't need to create them manually.

Data stream       What it stores
.rule-events      A record for every rule evaluation. One document per result row, per run. Never updated in place.
.alert-actions    Records for acknowledge, snooze, deactivate, fire, suppress, and other audit and suppression tracking.

Both data streams are hidden system data streams. To query them in Discover, prefix the name with $:

FROM $`.rule-events`
| WHERE rule.id == "<your-rule-id>"
| SORT @timestamp DESC
| LIMIT 10

After your first rule runs, use the query above in Discover to confirm documents are appearing. If nothing appears after a few seconds, check that the rule is enabled and that your ES|QL query returns results when run independently.
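The same check, scripted: the following is an added example (not Kibana's or Elastic's own code) that builds the ES|QL query from the page for a given rule id, packages it as a body for the Elasticsearch ES|QL query API (`POST /_query`), and summarizes a response in that API's `columns`/`values` layout so you can tell whether `.rule-events` documents are appearing. The rule id is validated against an allow-list pattern before it is placed in the query rather than interpolated blindly; the pattern and the sample response are assumptions constructed for the example, not values from the page.

```python
import re
from datetime import datetime

# Hidden system data stream from the page; the "$" prefix is how Discover
# and ES|QL reach hidden data streams.
RULE_EVENTS_STREAM = "$`.rule-events`"

# Assumption: rule ids are saved-object ids made of letters, digits, ".", "_"
# and "-". Anything else is rejected instead of being written into the query.
_RULE_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def is_valid_rule_id(rule_id: str) -> bool:
    """True if rule_id matches the allow-list pattern above."""
    return bool(_RULE_ID_RE.fullmatch(rule_id))


def build_rule_events_query(rule_id: str, limit: int = 10) -> str:
    """Return the page's ES|QL query with the rule id and row limit filled in."""
    if not is_valid_rule_id(rule_id):
        raise ValueError(f"refusing to build a query for rule id {rule_id!r}")
    if not 1 <= limit <= 10000:
        raise ValueError("limit must be between 1 and 10000")
    return (
        f"FROM {RULE_EVENTS_STREAM}\n"
        f'| WHERE rule.id == "{rule_id}"\n'
        "| SORT @timestamp DESC\n"
        f"| LIMIT {limit}"
    )


def build_query_request(rule_id: str, limit: int = 10) -> dict:
    """Request body for POST /_query (the Elasticsearch ES|QL query API)."""
    return {"query": build_rule_events_query(rule_id, limit)}


def rows_from_esql_response(response: dict) -> list:
    """Convert the ES|QL columns/values response layout into a list of dicts."""
    names = [col["name"] for col in response.get("columns", [])]
    return [dict(zip(names, values)) for values in response.get("values", [])]


def summarize_rule_events(response: dict) -> dict:
    """Count the returned evaluations and report the newest @timestamp seen."""
    rows = rows_from_esql_response(response)
    if not rows:
        return {"count": 0, "latest": None, "rule_ids": []}
    stamps = [
        datetime.fromisoformat(r["@timestamp"].replace("Z", "+00:00")) for r in rows
    ]
    return {
        "count": len(rows),
        "latest": max(stamps).isoformat(),
        "rule_ids": sorted({r["rule.id"] for r in rows}),
    }


# Constructed sample: what /_query might return for three evaluations of one
# rule. The rule id and timestamps are made up for this example.
SAMPLE_RESPONSE = {
    "columns": [
        {"name": "@timestamp", "type": "date"},
        {"name": "rule.id", "type": "keyword"},
    ],
    "values": [
        ["2025-01-01T10:05:00.000Z", "rule-0001-example"],
        ["2025-01-01T10:00:00.000Z", "rule-0001-example"],
        ["2025-01-01T09:55:00.000Z", "rule-0001-example"],
    ],
}


if __name__ == "__main__":
    print(build_query_request("rule-0001-example"))
    print(summarize_rule_events(SAMPLE_RESPONSE))
```

If `summarize_rule_events` reports a count of 0 against a live response, apply the checks from the text: confirm the rule is enabled and that its ES|QL query returns results on its own.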

Rules and action policies are space-scoped. Objects you create in one space are not visible in another. Alert events are stored globally, but the UI filters what you see by space.

Saving a rule or action policy automatically creates an API key that is used to run it. The key inherits the privileges of the user who saved the object. If those privileges change over time, update the key from the rule or policy management UI.

When you're ready to go further, these can be done in any order: