kibana-alerting-rules
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseKibana Alerting Rules
Kibana告警规则
Core Concepts
核心概念
A rule has three parts: conditions (what to detect), schedule (how often to check), and actions (what
happens when conditions are met). When conditions are met, the rule creates alerts, which trigger actions via
connectors.
一条告警规则包含三个核心部分:conditions(检测逻辑)、schedule(执行频率)和actions(触发动作)。当检测条件满足时,规则会生成alerts(告警事件),并通过**connectors(连接器)**触发预设的动作。
Authentication
认证方式
All alerting API calls require either API key auth or Basic auth. Every mutating request must include the
header.
kbn-xsrfhttp
kbn-xsrf: true所有告警API调用均需要API Key认证或Basic认证。所有写操作请求必须包含请求头。
kbn-xsrfhttp
kbn-xsrf: trueRequired Privileges
所需权限
- privileges for the appropriate Kibana feature (e.g., Stack Rules, Observability, Security)
all - privileges for Actions and Connectors (to attach actions to rules)
read
- 对应Kibana功能的权限(例如Stack Rules、Observability、Security)
all - Actions and Connectors的权限(用于为规则关联动作)
read
API Reference
API参考
Base path: (or for non-default spaces).
<kibana_url>/api/alerting/s/<space_id>/api/alerting| Operation | Method | Endpoint |
|---|---|---|
| Create rule | POST | |
| Update rule | PUT | |
| Get rule | GET | |
| Delete rule | DELETE | |
| Find rules | GET | |
| List rule types | GET | |
| Enable rule | POST | |
| Disable rule | POST | |
| Mute all alerts | POST | |
| Unmute all alerts | POST | |
| Mute alert | POST | |
| Unmute alert | POST | |
| Update API key | POST | |
| Create snooze | POST | |
| Delete snooze | DELETE | |
| Health check | GET | |
基础路径:(非默认空间使用)。
<kibana_url>/api/alerting/s/<space_id>/api/alerting| 操作 | 请求方法 | 接口地址 |
|---|---|---|
| 创建规则 | POST | |
| 更新规则 | PUT | |
| 获取规则详情 | GET | |
| 删除规则 | DELETE | |
| 查询规则列表 | GET | |
| 列出规则类型 | GET | |
| 启用规则 | POST | |
| 禁用规则 | POST | |
| 静音所有告警事件 | POST | |
| 取消静音所有告警事件 | POST | |
| 静音指定告警事件 | POST | |
| 取消静音指定告警事件 | POST | |
| 更新API Key | POST | |
| 创建暂停计划 | POST | |
| 删除暂停计划 | DELETE | |
| 健康检查 | GET | |
Creating a Rule
创建规则
Required Fields
必填字段
| Field | Type | Description |
|---|---|---|
| string | Display name (does not need to be unique) |
| string | The rule type (e.g., |
| string | Owning app: |
| object | Rule-type-specific parameters |
| object | Check interval, e.g., |
| 字段名 | 类型 | 描述 |
|---|---|---|
| string | 规则显示名称(无需唯一) |
| string | 规则类型(例如 |
| string | 所属应用: |
| object | 规则类型专属参数 |
| object | 检测间隔,例如 |
Optional Fields
可选字段
| Field | Type | Description |
|---|---|---|
| array | Actions to run when conditions are met (each references a connector) |
| array | Tags for organizing rules |
| boolean | Whether the rule runs immediately (default: true) |
| string | |
| object | Alert only after N consecutive matches, e.g., |
| object/null | Override flapping detection settings |
| 字段名 | 类型 | 描述 |
|---|---|---|
| array | 条件满足时执行的动作列表(每个动作关联一个连接器) |
| array | 用于规则分类的标签 |
| boolean | 是否立即启用规则(默认值:true) |
| string | |
| object | 连续N次匹配后才触发告警,例如 |
| object/null | 覆盖默认的告警波动检测设置 |
Example: Create an Elasticsearch Query Rule
示例:创建Elasticsearch查询规则
bash
curl -X POST "https://my-kibana:5601/api/alerting/rule/my-rule-id" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-H "Authorization: ApiKey <your-api-key>" \
-d '{
"name": "High error rate",
"rule_type_id": ".es-query",
"consumer": "stackAlerts",
"schedule": { "interval": "5m" },
"params": {
"index": ["logs-*"],
"timeField": "@timestamp",
"esQuery": "{\"query\":{\"match\":{\"log.level\":\"error\"}}}",
"threshold": [100],
"thresholdComparator": ">",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"size": 100
},
"actions": [
{
"id": "my-slack-connector-id",
"group": "query matched",
"params": {
"message": "Alert: {{rule.name}} - {{context.hits}} hits detected"
},
"frequency": {
"summary": false,
"notify_when": "onActionGroupChange"
}
}
],
"tags": ["production", "errors"]
}'The same structure applies to other rule types — set the appropriate (e.g., ,
) and provide the matching object. Use to discover params schemas.
rule_type_id.index-threshold.es-queryparamsGET /api/alerting/rule_typesbash
curl -X POST "https://my-kibana:5601/api/alerting/rule/my-rule-id" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-H "Authorization: ApiKey <your-api-key>" \
-d '{
"name": "高错误率告警",
"rule_type_id": ".es-query",
"consumer": "stackAlerts",
"schedule": { "interval": "5m" },
"params": {
"index": ["logs-*"],
"timeField": "@timestamp",
"esQuery": "{\"query\":{\"match\":{\"log.level\":\"error\"}}}",
"threshold": [100],
"thresholdComparator": ">",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"size": 100
},
"actions": [
{
"id": "my-slack-connector-id",
"group": "query matched",
"params": {
"message": "告警:{{rule.name}} - 检测到{{context.hits}}条匹配记录"
},
"frequency": {
"summary": false,
"notify_when": "onActionGroupChange"
}
}
],
"tags": ["production", "errors"]
}'其他规则类型的请求结构类似——只需设置对应的(例如、)并提供匹配的对象。可通过查询各规则类型的参数 schema。
rule_type_id.index-threshold.es-queryparamsGET /api/alerting/rule_typesUpdating a Rule
更新规则
PUT /api/alerting/rule/{id}rule_type_idconsumer使用接口——需传入完整的规则体。和字段在创建后不可修改。
如果规则在你获取后被其他用户修改,请求会返回409 Conflict,此时需重新获取最新版本后重试。
PUT /api/alerting/rule/{id}rule_type_idconsumerFinding Rules
查询规则列表
bash
curl -X GET "https://my-kibana:5601/api/alerting/rules/_find?per_page=20&page=1&search=cpu&sort_field=name&sort_order=asc" \
-H "Authorization: ApiKey <your-api-key>"Query parameters: , , , , , , ,
, , , .
per_pagepagesearchdefault_search_operatorsearch_fieldssort_fieldsort_orderhas_referencefieldsfilterfilter_consumersUse the parameter with KQL syntax for advanced queries:
filtertext
filter=alert.attributes.tags:"production"bash
curl -X GET "https://my-kibana:5601/api/alerting/rules/_find?per_page=20&page=1&search=cpu&sort_field=name&sort_order=asc" \
-H "Authorization: ApiKey <your-api-key>"支持的查询参数:、、、、、、、、、、。
per_pagepagesearchdefault_search_operatorsearch_fieldssort_fieldsort_orderhas_referencefieldsfilterfilter_consumers可使用KQL语法的参数进行高级查询:
filtertext
filter=alert.attributes.tags:"production"Lifecycle Operations
生命周期管理操作
bash
undefinedbash
undefinedEnable
启用规则
curl -X POST ".../api/alerting/rule/{id}/_enable" -H "kbn-xsrf: true"
curl -X POST ".../api/alerting/rule/{id}/_enable" -H "kbn-xsrf: true"
Disable
禁用规则
curl -X POST ".../api/alerting/rule/{id}/_disable" -H "kbn-xsrf: true"
curl -X POST ".../api/alerting/rule/{id}/_disable" -H "kbn-xsrf: true"
Mute all alerts
静音所有告警事件
curl -X POST ".../api/alerting/rule/{id}/_mute_all" -H "kbn-xsrf: true"
curl -X POST ".../api/alerting/rule/{id}/_mute_all" -H "kbn-xsrf: true"
Mute specific alert
静音指定告警事件
curl -X POST ".../api/alerting/rule/{rule_id}/alert/{alert_id}/_mute" -H "kbn-xsrf: true"
curl -X POST ".../api/alerting/rule/{rule_id}/alert/{alert_id}/_mute" -H "kbn-xsrf: true"
Delete
删除规则
curl -X DELETE ".../api/alerting/rule/{id}" -H "kbn-xsrf: true"
undefinedcurl -X DELETE ".../api/alerting/rule/{id}" -H "kbn-xsrf: true"
undefinedTerraform Provider
Terraform 配置方式
Use the provider resource .
elasticstackelasticstack_kibana_alerting_rulehcl
terraform {
required_providers {
elasticstack = {
source = "elastic/elasticstack"
}
}
}
provider "elasticstack" {
kibana {
endpoints = ["https://my-kibana:5601"]
api_key = var.kibana_api_key
}
}
resource "elasticstack_kibana_alerting_rule" "cpu_alert" {
name = "CPU usage critical"
consumer = "stackAlerts"
rule_type_id = ".index-threshold"
interval = "1m"
enabled = true
params = jsonencode({
index = ["metrics-*"]
timeField = "@timestamp"
aggType = "avg"
aggField = "system.cpu.total.pct"
groupBy = "top"
termField = "host.name"
termSize = 10
threshold = [0.9]
thresholdComparator = ">"
timeWindowSize = 5
timeWindowUnit = "m"
})
tags = ["infrastructure", "production"]
}Key Terraform notes:
- must be passed as a JSON-encoded string via
paramsjsonencode() - Use data source or resource to reference connector IDs in actions
elasticstack_kibana_action_connector - Import existing rules: (use
terraform import elasticstack_kibana_alerting_rule.my_rule <space_id>/<rule_id>for the default space)default
使用 provider的资源。
elasticstackelasticstack_kibana_alerting_rulehcl
terraform {
required_providers {
elasticstack = {
source = "elastic/elasticstack"
}
}
}
provider "elasticstack" {
kibana {
endpoints = ["https://my-kibana:5601"]
api_key = var.kibana_api_key
}
}
resource "elasticstack_kibana_alerting_rule" "cpu_alert" {
name = "CPU使用率临界告警"
consumer = "stackAlerts"
rule_type_id = ".index-threshold"
interval = "1m"
enabled = true
params = jsonencode({
index = ["metrics-*"]
timeField = "@timestamp"
aggType = "avg"
aggField = "system.cpu.total.pct"
groupBy = "top"
termField = "host.name"
termSize = 10
threshold = [0.9]
thresholdComparator = ">"
timeWindowSize = 5
timeWindowUnit = "m"
})
tags = ["infrastructure", "production"]
}Terraform 关键注意事项:
- 必须通过
params以JSON编码字符串的形式传入jsonencode() - 可使用数据源或资源来引用动作中的连接器ID
elasticstack_kibana_action_connector - 导入已有规则:(默认空间使用
terraform import elasticstack_kibana_alerting_rule.my_rule <space_id>/<rule_id>)default
Triggering Kibana Workflows from Rules
通过规则触发Kibana工作流
Preview feature — available from Elastic Stack 9.3 and Elastic Cloud Serverless. APIs may change.
Attach a workflow as a rule action using the workflow ID as the connector ID. Set — alert context flows
automatically through the object inside the workflow.
params: {}eventbash
curl -X PUT "https://my-kibana:5601/api/alerting/rule/my-rule-id" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-H "Authorization: ApiKey <your-api-key>" \
-d '{
"name": "High error rate",
"schedule": { "interval": "5m" },
"params": { ... },
"actions": [
{
"id": "<workflow-id>",
"group": "query matched",
"params": {},
"frequency": { "summary": false, "notify_when": "onActionGroupChange" }
}
]
}'In the UI: Stack Management > Rules > Actions > Workflows. Only workflows appear in the picker.
enabled: trueFor workflow YAML structure, context fields, step types, and patterns, refer to the
skill if available.
{{ event }}kibana-connectors预览功能 —— 从Elastic Stack 9.3和Elastic Cloud Serverless版本开始提供。API可能会发生变更。
将工作流作为规则动作关联,使用工作流ID作为连接器ID。设置——告警上下文会自动通过工作流中的对象传递。
params: {}eventbash
curl -X PUT "https://my-kibana:5601/api/alerting/rule/my-rule-id" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-H "Authorization: ApiKey <your-api-key>" \
-d '{
"name": "高错误率告警",
"schedule": { "interval": "5m" },
"params": { ... },
"actions": [
{
"id": "<workflow-id>",
"group": "query matched",
"params": {},
"frequency": { "summary": false, "notify_when": "onActionGroupChange" }
}
]
}'在UI中操作路径:Stack Management > Rules > Actions > Workflows。仅的工作流会出现在选择器中。
enabled: true关于工作流YAML结构、上下文字段、步骤类型和模式,请参考技能文档(若可用)。
{{ event }}kibana-connectorsConnectors and Actions in Rules
规则中的连接器与动作
Each action references a connector by ID, an action , action (using Mustache templates), and a
per-action object. Key fields:
groupparamsfrequency- — which trigger state fires this action (e.g.,
group,"query matched"). Discover valid groups via"Recovered".GET /api/alerting/rule_types - —
frequency.summaryfor a digest of all alerts;truefor per-alert.false - —
frequency.notify_when|onActionGroupChange|onActiveAlert.onThrottleInterval - — minimum repeat interval (e.g.,
frequency.throttle); only applies with"10m".onThrottleInterval
For full reference on action structure, Mustache variables (, , ),
Mustache lambdas (, , ), recovery actions, and multi-channel patterns, refer to the
skill if available.
{{rule.name}}{{context.*}}{{alerts.new.count}}EvalMathFormatDateParseHjsonkibana-connectors每个动作通过ID引用连接器,包含动作、动作(使用Mustache模板)和每个动作专属的对象。关键字段说明:
groupparamsfrequency- —— 触发该动作的规则状态组(例如
group、"query matched")。可通过"Recovered"查询有效组名。GET /api/alerting/rule_types - ——
frequency.summary表示发送所有告警的汇总信息;true表示发送单条告警详情。false - ——
frequency.notify_when|onActionGroupChange|onActiveAlert。onThrottleInterval - —— 最小重复触发间隔(例如
frequency.throttle);仅在"10m"模式下生效。onThrottleInterval
关于动作结构、Mustache变量(、、)、Mustache lambda(、、)、恢复动作和多渠道模式的完整参考,请参考技能文档(若可用)。
{{rule.name}}{{context.*}}{{alerts.new.count}}EvalMathFormatDateParseHjsonkibana-connectorsBest Practices
最佳实践
-
Set action frequency per action, not per rule. Thefield at the rule level is deprecated in favor of per-action
notify_whenobjects. If you set it at the rule level and later edit the rule in the Kibana UI, it is automatically converted to action-level values.frequency -
Use alert summaries to reduce notification noise. Instead of sending one notification per alert, configure actions to send periodic summaries at a custom interval. Useand set a
"summary": trueinterval. This is especially valuable for rules that monitor many hosts or documents.throttle -
Choose the right action frequency for each channel. Usefor paging/ticketing systems (fire once, resolve once). Use
onActionGroupChangefor audit logging to an Index connector. UseonActiveAlertwith a throttle likeonThrottleIntervalfor dashboards or lower-priority notifications."30m" -
Always add a recovery action. Rules without a recovery action leave incidents open in PagerDuty, Jira, and ServiceNow indefinitely. Use the connector's native close/resolve event action (e.g.,for PagerDuty) in the
eventAction: "resolve"action group.Recovered -
Set a reasonable check interval. The minimum recommended interval is. Very short intervals across many rules clog Task Manager throughput and increase schedule drift. The server setting
1menforces this.xpack.alerting.rules.minimumScheduleInterval.value -
Useto suppress transient spikes. Setting
alert_delaymeans the alert only fires after 3 consecutive runs match the condition, filtering out brief anomalies.{"active": 3} -
Enable flapping detection. Alerts that rapidly switch between active and recovered are marked as "flapping" and notifications are suppressed. This is on by default but can be tuned per-rule with theobject.
flapping -
Usefor deep links. Set
server.publicBaseUrlinserver.publicBaseUrlso thatkibana.ymland{{rule.url}}variables resolve to valid URLs in notifications.{{kibanaBaseUrl}} -
Tag rules consistently. Use tags like,
production,stagingfor filtering and organization in the Find API and UI.team-platform -
Use Kibana Spaces to isolate rules by team or environment. Prefix API paths withfor non-default spaces. Connectors are also space-scoped, so create matching connectors in each space.
/s/<space_id>/
-
在动作级别配置触发频率,而非规则级别。规则级别的字段已被弃用,推荐使用动作级别的
notify_when对象。若你在规则级别设置了该字段,后续在Kibana UI中编辑规则时,系统会自动将其转换为动作级别的配置。frequency -
使用告警汇总减少通知噪音。不要为每条告警发送单独通知,可配置动作按自定义间隔发送周期性汇总信息。设置并指定
"summary": true间隔。这对于监控大量主机或文档的规则尤为重要。throttle -
为不同渠道选择合适的触发频率。对于告警/工单系统(如PagerDuty)使用(触发一次,恢复一次);对于索引连接器的审计日志使用
onActionGroupChange;对于仪表盘或低优先级通知,使用onActiveAlert并设置如onThrottleInterval的间隔。"30m" -
始终配置恢复动作。未配置恢复动作的规则会导致PagerDuty、Jira和ServiceNow中的事件无限期处于打开状态。在动作组中使用连接器的原生关闭/解决事件动作(例如PagerDuty的
Recovered)。eventAction: "resolve" -
设置合理的检测间隔。推荐的最小间隔为。过多规则使用过短的检测间隔会占用Task Manager的吞吐量,并增加调度延迟。服务器设置
1m会强制限制最小间隔。xpack.alerting.rules.minimumScheduleInterval.value -
使用抑制瞬时峰值。设置
alert_delay表示连续3次匹配条件后才触发告警,可过滤掉短暂的异常波动。{"active": 3} -
启用告警波动检测。频繁在活跃和恢复状态之间切换的告警会被标记为"flapping(波动)",并停止发送通知。该功能默认开启,也可通过对象为单个规则调整设置。
flapping -
设置以支持深度链接。在
server.publicBaseUrl中配置kibana.yml,确保通知中的server.publicBaseUrl和{{rule.url}}变量能解析为有效URL。{{kibanaBaseUrl}} -
统一规则标签规范。使用、
production、staging等标签,方便在查询API和UI中过滤和管理规则。team-platform -
使用Kibana空间隔离规则。按团队或环境使用Kibana空间隔离规则。对于非默认空间,需在API路径前添加。连接器同样是空间级别的资源,需在每个空间创建对应的连接器。
/s/<space_id>/
Common Pitfalls
常见陷阱
-
Missingheader. All POST, PUT, DELETE requests require
kbn-xsrfor any truthy value. Omitting it returns a 400 error.kbn-xsrf: true -
Wrongvalue. Using an invalid consumer (e.g.,
consumerinstead ofobservability) causes a 400 error. Check the rule type's supported consumers viainfrastructure.GET /api/alerting/rule_types -
Immutable fields on update. You cannot changeor
rule_type_idwith PUT. You must delete and recreate the rule.consumer -
Rule-leveland
notify_whenare deprecated. Setting these at the rule level still works but conflicts with action-level frequency settings. Always usethrottleinside each action object.frequency -
Rule ID conflicts. POST towith an existing ID returns 409. Either omit the ID to auto-generate, or check existence first.
/api/alerting/rule/{id} -
API key ownership. Rules run using the API key of the user who created or last updated them. If that user's permissions change or the user is deleted, the rule may fail silently. Useto re-associate.
_update_api_key -
Too many actions per rule. Rules generating thousands of alerts with multiple actions can clog Task Manager. The server setting(default varies) limits actions per run. Design rules to use alert summaries or limit term sizes.
xpack.alerting.rules.run.actions.max -
Long-running rules. Rules that run expensive queries are cancelled after(default
xpack.alerting.rules.run.timeout). When cancelled, all alerts and actions from that run are discarded. Optimize queries or increase the timeout for specific rule types.5m -
Concurrent update conflicts. PUT returns 409 if the rule was modified by another user since you last read it. Always GET the latest version before updating.
-
Import/export loses secrets. Rules exported via Saved Objects are disabled on import. Connectors lose their secrets and must be re-configured.
-
缺少请求头。所有POST、PUT、DELETE请求必须包含
kbn-xsrf或其他真值。缺少该头会返回400错误。kbn-xsrf: true -
值错误。使用无效的consumer值(例如用
consumer代替observability)会导致400错误。可通过infrastructure查询规则类型支持的consumer值。GET /api/alerting/rule_types -
更新时修改不可变字段。无法通过PUT请求修改或
rule_type_id字段,必须删除规则后重新创建。consumer -
规则级别的和
notify_when已弃用。在规则级别设置这些字段虽然仍能生效,但会与动作级别的频率配置冲突。请始终在每个动作对象内配置throttle。frequency -
规则ID冲突。使用已存在的ID向发送POST请求会返回409错误。可省略ID让系统自动生成,或先检查ID是否存在。
/api/alerting/rule/{id} -
API Key归属问题。规则会使用创建或最后更新该规则的用户的API Key运行。若该用户的权限变更或账号被删除,规则可能会静默失败。可使用重新关联API Key。
_update_api_key -
单条规则关联过多动作。生成大量告警且关联多个动作的规则会占用Task Manager资源。服务器设置(默认值随版本变化)限制单次运行的动作数量。建议设计规则时使用告警汇总或限制term大小。
xpack.alerting.rules.run.actions.max -
规则运行时间过长。执行复杂查询的规则会在(默认
xpack.alerting.rules.run.timeout)后被取消。规则被取消后,本次运行生成的所有告警和动作都会被丢弃。需优化查询或为特定规则类型增加超时时间。5m -
并发更新冲突。若规则在你获取后被其他用户修改,PUT请求会返回409错误。更新前请务必获取最新版本的规则。
-
导入/导出丢失敏感信息。通过Saved Objects导出的规则在导入后会被禁用,连接器会丢失敏感信息,需要重新配置。
Examples
示例场景
Create a threshold alert: "Alert me when CPU exceeds 90% on any host for 5 minutes." Use
, , , and .
Attach a PagerDuty action on and a matching action to auto-close incidents.
rule_type_id: ".index-threshold"aggField: "system.cpu.total.pct"threshold: [0.9]timeWindowSize: 5"threshold met"RecoveredFind rules by tag: "Show all production alerting rules." with
and to page through results.
GET /api/alerting/rules/_findfilter=alert.attributes.tags:"production"sort_field=namePause a rule temporarily: "Disable rule abc123 until next Monday." .
Re-enable with when ready; the rule retains all configuration while disabled.
POST /api/alerting/rule/abc123/_disable_enable创建阈值告警:"当任意主机的CPU使用率超过90%并持续5分钟时触发告警"。使用、、和。在组关联PagerDuty动作,并在组配置对应的恢复动作以自动关闭事件。
rule_type_id: ".index-threshold"aggField: "system.cpu.total.pct"threshold: [0.9]timeWindowSize: 5"threshold met"Recovered按标签查询规则:"显示所有生产环境的告警规则"。调用并携带和参数分页查询结果。
GET /api/alerting/rules/_findfilter=alert.attributes.tags:"production"sort_field=name临时暂停规则:"禁用规则abc123至下周一"。调用。需要恢复时调用接口;规则在禁用期间会保留所有配置。
POST /api/alerting/rule/abc123/_disable_enableGuidelines
操作指南
- Include on every POST, PUT, and DELETE; omitting it returns 400.
kbn-xsrf: true - Set inside each action object — rule-level
frequencyandnotify_whenare deprecated.throttle - and
rule_type_idare immutable after creation; delete and recreate the rule to change them.consumer - Prefix paths with for non-default Kibana Spaces.
/s/<space_id>/api/alerting/ - Always pair an active action with a action to auto-close PagerDuty, Jira, and ServiceNow incidents.
Recovered - Run first to discover valid
GET /api/alerting/rule_typesvalues and action group names.consumer - Use to suppress transient spikes; use the
alert_delayobject to reduce noise from unstable conditions.flapping
- 所有POST、PUT和DELETE请求必须包含;缺少该头会返回400错误。
kbn-xsrf: true - 在每个动作对象内配置——规则级别的
frequency和notify_when已被弃用。throttle - 和
rule_type_id在创建后不可修改;如需变更需删除并重新创建规则。consumer - 对于非默认Kibana空间,需在API路径前添加。
/s/<space_id>/api/alerting/ - 始终为活跃动作配对动作,以自动关闭PagerDuty、Jira和ServiceNow中的事件。
Recovered - 先调用查询有效的
GET /api/alerting/rule_types值和动作组名。consumer - 使用抑制瞬时峰值;使用
alert_delay对象减少不稳定场景下的噪音。flapping