As an avid user of the ELK platform — especially when it comes to log analytics and DevOps or IT operations — I knew that one big missing part has been the ability to send notifications when something relevant happens.
I also got the same feedback from our customers, so we have decided to implement an alerting mechanism that sits on top of the ELK Stack, is fully integrated throughout all of the different components, and is production-ready. Alerting, after all, is a game changer. The use of ELK today is mainly for forensics and the creation of dashboards to visualize trends manually. Receiving alerts about changes completes the picture because it looks at the trends and then lets users know when a problem occurs or when the business is not performing as expected.
If you refer to our complete guide to the ELK Stack, you will realize that we spend a lot of effort making ELK usable and scalable — and that the addition of alerts completes the picture for us and for our customers. It was important to us that we have a seamless integration with a user interface as part of the Kibana UI to provide an end-to-end solution.
Here is how to use the new Alerts system:
Creating a New Alert
To create a new alert, run the search that you want in the Discovery tab and click on the bell icon that is to the right of the search bar:
A pop-up window will open with the following options:
Query – A read-only field showing the query that will trigger the alert, so that you can verify it before saving.
Name – The name of the alert – this name will be sent in the subject line of the email alert.
Description – A short description of the alert that will be sent in the body of the email and can be used to elaborate on the specific alert, what caused it, and what is the best way to remedy the situation.
Time Range – This will set the frequency that the check will occur. If you select “check every hour,” the query will be triggered every hour and will check to see if the condition applies to events within the past hour.
Trigger if the number of results is – This is the alert trigger and can be set to either “equal to,” “not equal to,” “greater than,” “greater than or equal to,” “less than,” or “less than or equal to.” For example, if you select “one hour” in the Check Every field, “greater than” in this field, and “two” in the adjacent field, the alert will run the query every hour and will trigger if more than two documents that satisfy the query string are found in the last hour.
Severity – Select between Low, Medium, and High – this will be included in the email’s subject line.
Send email to – A comma-separated list of email addresses.
Suppress triggering for – This will quiet the email alert for the specified period after it has fired, so that a condition that stays true does not send an email on every check.
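To make the semantics of these fields concrete, here is a small evaluator, written as an added illustration for this post and not code from the Logz.io product, that applies an alert definition to a batch of constructed log documents. It implements the six comparison operators of the trigger field, counts only documents inside the Time Range window, honours the suppression period, and emits a document carrying an alert field, which is what the “_exists_: alert” search described under Viewing All Triggered Alerts would find. The query matcher (a “field:value” string joined by AND), the field names, the sample logs and the two alert definitions are all assumptions made for the example; the real product evaluates full Elasticsearch query strings.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# The six choices offered by the "Trigger if the number of results is" field.
OPERATORS: dict[str, Callable[[int, int], bool]] = {
    "equal to": lambda n, t: n == t,
    "not equal to": lambda n, t: n != t,
    "greater than": lambda n, t: n > t,
    "greater than or equal to": lambda n, t: n >= t,
    "less than": lambda n, t: n < t,
    "less than or equal to": lambda n, t: n <= t,
}


@dataclass
class AlertDefinition:
    name: str                  # goes into the email subject line
    description: str           # goes into the email body
    query: str                 # hypothetical "field:value [AND field:value]" query string
    check_every: timedelta     # Time Range: both the check frequency and the look-back window
    operator: str              # one of the OPERATORS keys
    threshold: int             # the number the hit count is compared against
    severity: str              # "Low", "Medium" or "High"
    send_email_to: list[str]   # comma-separated list in the UI
    suppress_for: timedelta    # "Suppress triggering for"


def matches(doc: dict, query: str) -> bool:
    """Hypothetical minimal matcher: every 'field:value' term (joined by AND)
    must equal the document's field value, compared as strings."""
    for term in query.split(" AND "):
        fld, _, value = term.partition(":")
        if str(doc.get(fld.strip())) != value.strip():
            return False
    return True


def count_hits(docs: list[dict], definition: AlertDefinition, now: datetime) -> int:
    """Number of documents inside (now - check_every, now] that satisfy the query."""
    window_start = now - definition.check_every
    return sum(
        1 for d in docs
        if window_start < d["@timestamp"] <= now and matches(d, definition.query)
    )


def evaluate(definition: AlertDefinition, docs: list[dict], now: datetime,
             last_triggered: Optional[datetime] = None) -> Optional[dict]:
    """Run one check. Returns the triggered-alert document, or None when the
    condition is false or the alert is inside its suppression period."""
    hits = count_hits(docs, definition, now)
    if not OPERATORS[definition.operator](hits, definition.threshold):
        return None
    if last_triggered is not None and now - last_triggered < definition.suppress_for:
        return None  # condition holds, but an email already went out recently
    return {
        "@timestamp": now.isoformat(),
        "alert": {
            "name": definition.name,
            "severity": definition.severity,
            "description": definition.description,
            "query": definition.query,
            "hits": hits,
            "subject": f"[{definition.severity}] {definition.name}",
            "recipients": definition.send_email_to,
        },
    }


def triggered_alerts(docs: list[dict]) -> list[dict]:
    """Equivalent of searching `_exists_: alert` in the Discovery tab."""
    return [d for d in docs if "alert" in d]


# Constructed sample data: five web-server log documents relative to a fixed "now".
NOW = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOGS = [
    {"@timestamp": NOW - timedelta(minutes=5), "host": "web-1", "status": 500, "path": "/login"},
    {"@timestamp": NOW - timedelta(minutes=20), "host": "web-1", "status": 500, "path": "/api"},
    {"@timestamp": NOW - timedelta(minutes=45), "host": "web-2", "status": 500, "path": "/api"},
    {"@timestamp": NOW - timedelta(minutes=58), "host": "web-2", "status": 200, "path": "/"},
    {"@timestamp": NOW - timedelta(hours=3), "host": "web-1", "status": 500, "path": "/api"},  # outside window
]

# The threshold example from the post: check every hour, trigger on more than two hits.
SERVER_ERRORS = AlertDefinition(
    name="HTTP 500 spike", description="More than two server errors in the last hour.",
    query="status:500", check_every=timedelta(hours=1), operator="greater than", threshold=2,
    severity="High", send_email_to=["oncall@example.com"], suppress_for=timedelta(minutes=30),
)

# An inactivity alert: a host that has logged nothing in the last hour.
HOST_SILENT = AlertDefinition(
    name="web-3 silent", description="No documents from web-3 in the last hour.",
    query="host:web-3", check_every=timedelta(hours=1), operator="equal to", threshold=0,
    severity="Medium", send_email_to=["ops@example.com"], suppress_for=timedelta(hours=2),
)

if __name__ == "__main__":
    for definition in (SERVER_ERRORS, HOST_SILENT):
        print(evaluate(definition, SAMPLE_LOGS, NOW))
```

Note that only three of the four status-500 documents fall inside the one-hour window, so the hit count is three and the “greater than two” alert fires; passing a `last_triggered` ten minutes earlier suppresses the email even though the condition still holds.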
There is also a new Alert section in the top-level menu to the right of the icon for the device-configuration page:
Clicking on that icon will take you to the alert-management page, where a click on a given alert will allow you to edit it. Clicking on the trash can icon on the right side of the Alert Definition will delete the alert.
Viewing All Triggered Alerts
There are two ways to view triggered alerts.
The first is under the same section. If you click on “Triggered” on the left-hand side of the menu, you will see a list of all the events that have been triggered:
The second way is to search for the Alerts in the log by entering _exists_: alert in the search field on the Discovery tab.
How Do Our Customers Use Alerts?
Alerts are used in all sorts of ways: notifying about inactivity, alerting on unauthorized access, or reporting when a certain threshold has been breached.
Coming up next is the ability to send webhooks from alerts as well as integrate Logz.io with services such as PagerDuty. We are also working on the ability to set alerts based on aggregations and statistical computation so you can, for example, set an alert if a specific host’s CPU usage has averaged 60% or more for more than ten minutes. We’ll let you know as soon as we add these new features!