Drill down from Kibana dashboards

Alerting is not included in the free Basic license of Elasticsearch. This should not be a surprise, as alerting can be tricky, especially for more complex alerting rules. There are free, open-source tools for alerting on Elasticsearch data, such as ElastAlert.

Sending an alert on an event is one thing; pointing the user, in a friendly manner, at the events that fired the alert is something different. We always focus on user experience and user needs, so when we received requests regarding the alerter module we delivered it.

The alerter module now supports links to Elasticsearch events. What does that mean? It is simple!

Upon receiving an alert you can also receive a link that takes you to the events that fired it. The configuration supports timeline settings, so you do not see only one event but also those before and after it. How wide the time window on the timeline is depends on two simple parameters in the alert.

First we need to know what to search for: what we want to find or alert on. With the query ready, we can create a table of the interesting fields.

After that we save the search using our naming convention. We need the link to that saved search, so take it from the Share button.

When creating an alert we can add three parameters, as described in the official ElastAlert documentation:

  1. use_kibana4_dashboard
  2. kibana4_start_timedelta
  3. kibana4_end_timedelta

use_kibana4_dashboard is where we paste the link to the saved search.

kibana4_start_timedelta defines how far into the past the timeline reaches in the drilldown, relative to the event that fired the alert. If omitted, ElastAlert defaults it to 10 minutes.

kibana4_end_timedelta defines how far beyond the root event the timeline extends in the drilldown. If omitted, it also defaults to 10 minutes. Setting it to 0 ends the timeline at the root event itself, which is still shown as the last event.

Now, whenever that alert fires, we can go from the alerts dashboard down to the events that caused it and start further analysis. Notice how the query stays the same and the timeline is set automatically to what was defined in the alert configuration!
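To make the three parameters concrete, here is an added example, written for this post and not ElastAlert's own code, that builds the drilldown link the way the steps above describe: it takes the saved-search link from the Share button, parses the timestamp of the event that fired the alert, and replaces the link's time range with an absolute window from kibana4_start_timedelta before the event to kibana4_end_timedelta after it, keeping the saved query untouched. The Kibana host, the saved search, the rule values and the match are all constructed; the `_g`/`_a` fragment layout and the `minutes: N` timedelta mapping follow the Kibana 4 share link and the ElastAlert documentation, but treat them as assumptions when adapting this to your own setup.

```python
"""Build a Kibana 4 drilldown link from an ElastAlert-style rule and a match.

Illustrative re-implementation of the drilldown behaviour described in the post,
not ElastAlert's own code. Assumptions: the match timestamp is ISO 8601, the
link from Kibana's Share button keeps its time range in the `_g` fragment
parameter, and timedeltas use ElastAlert's `minutes: 2` style mapping.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: a saved search shared from a hypothetical Kibana, still
# carrying the relative time range that was active when it was saved.
SAVED_SEARCH = ("https://kibana.example.org/app/kibana#/discover/ssh-failed-logins"
                "?_g=(time:(from:now-15m,mode:quick,to:now))"
                "&_a=(query:(query_string:(query:'event.outcome:failure')))")

# Hypothetical rule; the keys mirror the ElastAlert option names from the post.
RULE = {
    "use_kibana4_dashboard": SAVED_SEARCH,
    "kibana4_start_timedelta": {"minutes": 30},
    "kibana4_end_timedelta": {"minutes": 0},   # 0: the timeline ends at the root event
    "timestamp_field": "@timestamp",
}

# Constructed match: the event that fired the alert.
MATCH = {"@timestamp": "2017-02-14T10:15:00.000Z", "user": "root"}


def parse_timedelta(spec):
    """`{'minutes': 2}` -> timedelta; a missing option means the documented 10-minute default."""
    if spec is None:
        return timedelta(minutes=10)
    return timedelta(**spec)


def to_kibana_ts(dt):
    """Absolute ISO 8601 UTC timestamp with millisecond precision for an absolute Kibana range."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)


def time_window(rule, match):
    """(start, end) of the drilldown timeline around the event that fired the alert."""
    raw = match[rule.get("timestamp_field", "@timestamp")]
    # Parse and re-serialise instead of splicing the raw field into the URL: the
    # timestamp comes from the indexed document, so it must not carry free text.
    event = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    start = event - parse_timedelta(rule.get("kibana4_start_timedelta"))
    end = event + parse_timedelta(rule.get("kibana4_end_timedelta"))
    return start, end


def kibana4_link(rule, match):
    """Saved-search link with `_g` replaced by the absolute window; `_a` (the query) is kept."""
    start, end = time_window(rule, match)
    g = ("(refreshInterval:(display:Off,pause:!f,value:0),"
         "time:(from:'%s',mode:absolute,to:'%s'))" % (to_kibana_ts(start), to_kibana_ts(end)))
    base, _, fragment = rule["use_kibana4_dashboard"].partition("#")
    path, _, query = fragment.partition("?")
    # Drop whatever time range the share link carried; keep every other parameter.
    params = [p for p in query.split("&") if p and not p.startswith("_g=")]
    params.insert(0, "_g=" + g)
    return "%s#%s?%s" % (base, path, "&".join(params))


if __name__ == "__main__":
    print(kibana4_link(RULE, MATCH))
```

With the values above the link opens the saved search with an absolute range from 09:45:00 to 10:15:00 UTC, so the root event sits at the very end of the timeline and the 30 minutes before it are visible, exactly the behaviour the two timedelta options give you in the alert configuration.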
