diff --git a/docs/en/observability/images/metrics-alert-filters-and-group.png b/docs/en/observability/images/metrics-alert-filters-and-group.png index 07b421e78b..fcd3de7e5e 100644 Binary files a/docs/en/observability/images/metrics-alert-filters-and-group.png and b/docs/en/observability/images/metrics-alert-filters-and-group.png differ diff --git a/docs/en/observability/images/metrics-alert.png b/docs/en/observability/images/metrics-alert.png index ae9de5d614..31dce01205 100644 Binary files a/docs/en/observability/images/metrics-alert.png and b/docs/en/observability/images/metrics-alert.png differ diff --git a/docs/en/observability/metrics-threshold-alert.asciidoc b/docs/en/observability/metrics-threshold-alert.asciidoc index 2fa452525d..a740b5e088 100644 --- a/docs/en/observability/metrics-threshold-alert.asciidoc +++ b/docs/en/observability/metrics-threshold-alert.asciidoc 
@@ -34,29 +34,27 @@ In this example, the conditions state that you will receive a critical alert for [role="screenshot"] image::images/metrics-alert.png[Metric threshold alert] -When you select *Alert me if there's no data*, the rule is triggered if the metrics don't report any data over the -expected time period, or if the rule fails to query {es}. +When data stops being reported, you can still control how alerts behave. Refer to <> for more information. [discrete] [[filtering-and-grouping]] == Filtering and grouping + +The *Filters* control the scope of the rule. If used, the rule will only evaluate metric data that matches the query in this field. In this example, the rule will only alert on metrics reported from a Cloud region called `us-east`. + [role="screenshot"] image::images/metrics-alert-filters-and-group.png[Metric threshold filter and group fields] -The *Filters* control the scope of the rule. If used, the rule will only evaluate metric data that matches the query in this field. In this example, the rule will only alert on metrics reported from a Cloud region called `us-east`. +When data stops being reported, you can still control how alerts behave. Refer to <> for more information. [NOTE] ===== If you've made a rule with the https://www.elastic.co/docs/api/doc/kibana/operation/operation-post-alerting-rule-id[create rule API] and added Query DSL filters using the `filterQuery` parameter, the filters won't appear in the UI for editing a rule. As a workaround, manually re-add the filters through the UI and save the rule. As you're modifying the rule's filters from the UI, be mindful of the following: - -- The **Filter** field only accepts KQL syntax, meaning you may need to manually convert your Query DSL filters to KQL. -- After you save the rule, filters you've added to the **Filter** field are converted appropriately and specified in the rule's `filterQuery` parameter. 
- ===== -The *Group alerts by* creates an instance of the alert for every unique value of the `field` added. For example, you can create a rule per host or every mount point of each host. You can also add multiple fields. In this example, the rule will individually track the status of each `host.name` in your infrastructure. You will only receive an alert about `host-1`, if `host.name: host-1` passes the threshold, but `host-2` and `host-3` do not. +- The **Filter** field only accepts KQL syntax, meaning you may need to manually convert your Query DSL filters to KQL. After you save the rule, filters you've added to the **Filter** field are converted appropriately and specified in the rule's `filterQuery` parameter. -When you select *Alert me if a group stops reporting data*, the rule is triggered if a group that previously reported metrics does not report them again over the expected time period. +- The *Group alerts by* creates an instance of the alert for every unique value of the `field` added. For example, you can create a rule per host or every mount point of each host. You can also add multiple fields. In this example, the rule will individually track the status of each `host.name` in your infrastructure. You will only receive an alert about `host-1`, if `host.name: host-1` passes the threshold, but `host-2` and `host-3` do not. [IMPORTANT] ============================================== 
@@ -66,6 +64,20 @@ If you include the same field in both your **Filter** and your **Group by**, you In the *Advanced options*, you can change the number of consecutive runs that must meet the rule conditions before an alert occurs. The default value is `1`. +[discrete] +[[if-there-is-no-data]] +== If there is no data + +In the **If there is no data** area, you can control how alerts behave when data stops being reported. + +You can select one of the following options: + +* **Recover active alerts**: Recover active alerts when data is missing; no new alerts are created. +* **Alert me about the missing data** + ** If **Group alerts by** is used: Trigger a “no data” alert when a previously detected group stops reporting data; not recommended for dynamically scaling infrastructures that start and stop nodes automatically. + ** If **Group alerts by** is not used: Trigger a “no data” alert when no data is returned during rule execution or when the rule fails to query {es}. +* **Do nothing**: Keep active alerts unchanged and do not create new alerts for missing data. + [discrete] [[action-types-metrics]] == Action types
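Review bot: In the `@@ -34,29 +34,27 @@` hunk of `metrics-threshold-alert.asciidoc`, the bullet that "be mindful of the following:" introduces is re-added after the closing `=====` of the `[NOTE]` block, so the note now ends on a colon with nothing under it and the KQL caveat reads as ordinary body text. The *Group alerts by* paragraph is also turned into a second bullet of that same list, although it describes a separate control and is not a caveat about `filterQuery`. Suggest keeping the **Filter** bullet above the closing `=====` and leaving *Group alerts by* as its own paragraph. Two smaller points in the same hunk: the sentence "When data stops being reported, you can still control how alerts behave." is added twice (after `metrics-alert.png` and again after `metrics-alert-filters-and-group.png`), and in both places the cross-reference shows as `<>` with no target. One occurrence is enough, and it should presumably name the new `[[if-there-is-no-data]]` anchor.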
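Review bot: In the `@@ -66,6 +64,20 @@` hunk, the new "If there is no data" section mentions a failed query to {es} only under "If **Group alerts by** is not used", while the sentence removed earlier in the patch tied the query-failure case to the no-data option without that condition. As written, a reader cannot tell what happens when the rule fails to query {es} with grouping enabled, or under **Recover active alerts** and **Do nothing**, which would leave a failing rule silent if query failures are treated as missing data. Suggest stating the query-failure behaviour for each of the three options and saying which option is the default. Style: the curly quotes around “no data” could be plain ASCII quotes.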