You're viewing version 2.17 of the OpenSearch documentation. This version is no longer maintained. For the latest version, see the current documentation. For information about OpenSearch version maintenance, see Release Schedule and Maintenance Policy.
Alerting
To create an alert, do the following:
- Configure a monitor, which is a job that runs on a defined schedule and queries OpenSearch indexes. Required.
- Configure one or more triggers, which define the conditions that generate events. Optional.
- Configure actions, which is what happens after an alert is triggered. Optional.
Key terms
The following table lists alerting terminology commonly used in OpenSearch and throughout the Alerting documentation.
Term | Definition |
---|---|
Monitor | Job that runs on a defined schedule and queries OpenSearch indexes. The results of these queries are then used as input for one or more triggers. |
Trigger | Conditions that, if met, generate alerts. See Triggers. |
Alert | Event associated with a trigger. When an alert is created, the trigger performs actions, including sending notifications. |
Action | Specific task that is performed when an alert is triggered. See Actions. |
Notification | Message that is sent to users when an alert is triggered. See Notifications. |
Alert states
The following table lists the alert states.
State | Description |
---|---|
Active | The alert is ongoing and unacknowledged. Alerts remain in this state until you acknowledge them, delete the trigger associated with the alert, or delete the monitor entirely. Alerts also can be moved out of the active state if the trigger condition is no longer met. For example, if an index has 4,000 documents and a trigger condition is numOfDocs > 5000 , an active alert is generated when 3,000 documents are added to the index. If the added 3,000 documents are then deleted from the index, the alert changes to the completed state because the condition is no longer triggered. |
Acknowledged | The alert is acknowledged but the root cause is not fixed. |
Completed | The alert is no longer ongoing. Alerts enter this state after the corresponding trigger evaluates to false . |
Error | An error occurred while executing the trigger—usually the result of a bad trigger or destination. |
Deleted | The monitor or trigger associated with this alert was deleted while the alert was ongoing. |
Creating an alert monitor
You can follow these basic steps to create an alert monitor:
- In the OpenSearch Plugins main menu, choose Alerting.
- Choose Create monitor. See Monitors for more information about the monitor types.
- Enter the Monitor details, including monitor type, method, and schedule.
- Select a data source from the dropdown list.
- Define the metrics in the Query section.
- Add a trigger. See Triggers for more information about triggers.
- Add an action. See Actions for more information about actions.
- Select Create.
Learn more about creating specific monitor types in their respective documentation.