
ELK is the abbreviation for Elasticsearch, Logstash and Kibana, a stack that ingests and parses log data from one or more systems and displays it in a web console; it is used for observability, alerting, logging and monitoring.
This assumes you are already familiar with the ELK REST API. If not, check out my article ELK (Elastic Search, Logstash, Kibana) - Getting Started with the REST API. In the console, let's say you have one or more Alerting Rules defined.
Here is an example of how to submit a GET request that returns the current Alerting Rules in the default space using cURL. The alerting API is part of Kibana, not Elasticsearch, so the request goes to the Kibana host (the .kb. hostname on Elastic Cloud) and the API key must be one Kibana accepts.
curl \
--request GET \
--header "Authorization: ApiKey K8jd76md65MDpfm45GKHmx8d93mAKDdkz0339c8DMz9dj1kd0z2kdnFyZw==" \
--url https://elk.kb.us-east-1.aws.elastic-cloud.com/api/alerting/rules/_find
In this example, the Alerting Rules in the foo space are returned. A space other than the default is addressed by prefixing the path with /s/<space-id>.
curl \
--request GET \
--header "Authorization: ApiKey K8jd76md65MDpfm45GKHmx8d93mAKDdkz0339c8DMz9dj1kd0z2kdnFyZw==" \
--url https://elk.kb.us-east-1.aws.elastic-cloud.com/s/foo/api/alerting/rules/_find
By default, 10 results are returned per page. per_page sets the number of results returned per page, and page selects which page you want; the page, per_page and total fields in the response tell you whether more pages remain. Quote the URL once it carries a query string so the shell does not try to expand the ? and = characters.
curl \
--request GET \
--header "Authorization: ApiKey K8jd76md65MDpfm45GKHmx8d93mAKDdkz0339c8DMz9dj1kd0z2kdnFyZw==" \
--url "https://elk.kb.us-east-1.aws.elastic-cloud.com/s/foo/api/alerting/rules/_find?per_page=100"
A response like this is returned.
{
  "data": [
    {
      "actions": [
        {
          "connector_type_id": ".email",
          "frequency": {
            "notify_when": "onActionGroupChange",
            "summary": false,
            "throttle": null
          },
          "group": "metrics.threshold.fired",
          "id": "elastic-cloud-email",
          "params": {
            "message": "{{alertName}} - {{context.group}} is in a state of {{context.alertState}}\n\nReason:\n{{context.reason}}\n\n\n\n- Service name: {{context.serviceName}}\n- Environment: {{context.environment}}\n- Threshold: {{context.threshold}} errors\n- Triggered value: {{context.triggerValue}} errors over the last {{context.interval}}",
            "subject": "Error Rate breach{{context.serviceName}}",
            "to": [
              "john.doe@example.com"
            ]
          },
          "uuid": "61570e61-44af-40de-a5e5-6d4ba6e73b69"
        }
      ],
      "api_key_created_by_user": false,
      "api_key_owner": "john.doe@example.com",
      "consumer": "alerts",
      "created_at": "2023-08-04T15:37:10.295Z",
      "created_by": "john.doe@example.com",
      "enabled": false,
      "execution_status": {
        "last_duration": 5165,
        "last_execution_date": "2023-08-08T22:28:58.055Z",
        "status": "ok"
      },
      "id": "c6380ca0-32dc-11ee-be42-63f0a35e41b7",
      "last_run": {
        "alerts_count": {
          "active": 0,
          "ignored": 0,
          "new": 0,
          "recovered": 0
        },
        "outcome": "succeeded",
        "outcome_msg": null,
        "outcome_order": 0,
        "warning": null
      },
      "mute_all": false,
      "muted_alert_ids": [],
      "name": "Error Rates KQL",
      "next_run": "2023-08-08T22:33:57.993Z",
      "notify_when": null,
      "params": {
        "alertOnGroupDisappear": false,
        "alertOnNoData": false,
        "criteria": [
          {
            "aggType": "custom",
            "comparator": ">",
            "customMetrics": [
              {
                "aggType": "count",
                "filter": "http.response.status_code >= 500",
                "name": "A"
              },
              {
                "aggType": "count",
                "filter": "http.response.status_code > 0",
                "name": "B"
              }
            ],
            "equation": "(A / B) * 100",
            "label": "Error Rate Breach",
            "threshold": [
              0.5
            ],
            "timeSize": 12,
            "timeUnit": "h"
          }
        ],
        "groupBy": [
          "service.name"
        ],
        "sourceId": "default"
      },
      "revision": 1,
      "rule_type_id": "metrics.alert.threshold",
      "running": false,
      "schedule": {
        "interval": "5m"
      },
      "scheduled_task_id": "c6380ca0-32dc-11ee-be42-63f0a35e41b7",
      "tags": [],
      "throttle": null,
      "updated_at": "2023-08-08T22:30:31.099Z",
      "updated_by": "john.doe@example.com"
    }
  ],
  "page": 1,
  "per_page": 1,
  "total": 1
}
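The per_page and page parameters above only give you one page at a time, and the response shown is the raw rule definition. The following is an added example (not code from the original article) that walks every page of _find and then runs a small audit over what comes back: rules that are disabled, rules whose last run did not succeed, and email actions addressed outside an allowed domain list. It assumes only the response shape shown above and the page and per_page query parameters; the base URL, API key, space name and the SAMPLE_RULES data are constructed for the example, and the HTTP call is isolated in kibana_get so the paging and audit logic run offline.

```python
"""Walk every page of Kibana's /api/alerting/rules/_find and audit the rules.

Added example, not code from the original article. Assumes the _find response
shape shown above (data, page, per_page, total) and the standard query
parameters page and per_page. The live HTTP call lives in kibana_get; the
paging and audit logic take an injected fetch function so they also run
offline against the constructed SAMPLE_RULES below.
"""
import json
import urllib.parse
import urllib.request


def kibana_get(base_url, api_key, path, query=None, space=None):
    """GET a Kibana API path, inside /s/<space>/ when a space id is given."""
    prefix = "/s/" + urllib.parse.quote(space, safe="") if space else ""
    url = base_url.rstrip("/") + prefix + path
    if query:
        url += "?" + urllib.parse.urlencode(query)
    req = urllib.request.Request(url, headers={"Authorization": "ApiKey " + api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def find_all_rules(fetch, per_page=100):
    """Collect rules from every page. fetch(query) returns one decoded page.

    The stop test uses the page size the server reports rather than the one
    requested, so a server-side cap on per_page cannot end the walk early.
    """
    rules, page = [], 1
    while True:
        body = fetch({"page": page, "per_page": per_page})
        rules.extend(body["data"])
        if not body["data"] or page * body["per_page"] >= body["total"]:
            return rules
        page += 1


def audit_rules(rules, allowed_email_domains):
    """Return findings a reviewer wants to see: disabled rules, failed last
    runs, and email actions addressed outside the allowed domains."""
    findings = []
    for rule in rules:
        label = "%s (%s)" % (rule["id"], rule["name"])
        if not rule.get("enabled", True):
            findings.append(label + ": disabled")
        outcome = (rule.get("last_run") or {}).get("outcome")
        if outcome not in (None, "succeeded"):
            findings.append(label + ": last run " + outcome)
        for action in rule.get("actions", []):
            if action.get("connector_type_id") != ".email":
                continue
            for addr in action.get("params", {}).get("to", []):
                domain = addr.rpartition("@")[2].lower()
                if domain not in allowed_email_domains:
                    findings.append(label + ": emails " + addr)
    return findings


# Constructed sample, modelled on the _find output shown above (trimmed to the
# fields the audit reads). Not real rules.
SAMPLE_RULES = [
    {"id": "r1", "name": "Error Rates KQL", "enabled": False,
     "last_run": {"outcome": "succeeded"},
     "actions": [{"connector_type_id": ".email", "id": "elastic-cloud-email",
                  "group": "metrics.threshold.fired",
                  "params": {"to": ["john.doe@example.com"]}}]},
    {"id": "r2", "name": "Latency", "enabled": True,
     "last_run": {"outcome": "failed"},
     "actions": [{"connector_type_id": ".email", "id": "elastic-cloud-email",
                  "group": "metrics.threshold.fired",
                  "params": {"to": ["ops@example.com", "someone@gmail.com"]}}]},
    {"id": "r3", "name": "Disk", "enabled": True,
     "last_run": {"outcome": "succeeded"}, "actions": []},
]


def make_fake_fetch(rules):
    """Serve `rules` in pages the way _find does, for offline runs and tests."""
    def fetch(query):
        page, per_page = query["page"], query["per_page"]
        start = (page - 1) * per_page
        return {"data": rules[start:start + per_page], "page": page,
                "per_page": per_page, "total": len(rules)}
    return fetch


if __name__ == "__main__":
    # Offline run over the sample. For a live run against the foo space, pass
    # lambda q: kibana_get(BASE_URL, API_KEY, "/api/alerting/rules/_find", q, space="foo")
    for line in audit_rules(find_all_rules(make_fake_fetch(SAMPLE_RULES), per_page=2),
                            {"example.com"}):
        print(line)
```

The audit is deliberately small; the point is that the rule list is the place to look for silently disabled detections, rules that stopped running, and notification targets that have drifted outside your organisation.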
And here is how to return a specific rule by its id.
curl \
--request GET \
--header "Authorization: ApiKey K8jd76md65MDpfm45GKHmx8d93mAKDdkz0339c8DMz9dj1kd0z2kdnFyZw==" \
--url https://elk.kb.us-east-1.aws.elastic-cloud.com/s/foo/api/alerting/rule/5f5b0260-4c3d-11ee-9381-ef691e7c917d
Let's say you want to rename the rule. Create a file named payload.json that contains the following, with the new name for the rule. The update endpoint replaces the rule's configuration rather than merging into it, so the payload must also carry the rule's params and schedule (and any actions you want to keep); copy them from the rule's current definition, as returned by the GET above, and change only the name.
{
"name": "NEW NAME",
"params": {
"search": "monitor.project.id : \"proof_of_concept\" AND monitor.name : *healthcheck*",
"numTimes": 1,
"timerangeUnit": "m",
"timerangeCount": 15,
"shouldCheckStatus": true,
"shouldCheckAvailability": false,
"availability": {
"range": 30,
"rangeUnit": "d",
"threshold": "99"
},
"stackVersion": "8.10.3"
},
"schedule": {
"interval": "1m"
}
}
Here is how you can update the rule. The kbn-xsrf header is required on every non-GET request to Kibana.
curl \
--request PUT \
--header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
--header "kbn-xsrf: true" \
--header "Authorization: ApiKey K8jd76md65MDpfm45GKHmx8d93mAKDdkz0339c8DMz9dj1kd0z2kdnFyZw==" \
--url "https://elk.kb.us-east-1.aws.elastic-cloud.com/s/default/api/alerting/rule/5f5b0260-4c3d-11ee-9381-ef691e7c917d" \
--data @payload.json
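Because the PUT body replaces the rule's editable configuration, hand-writing payload.json is easy to get wrong: leave out the actions and the rule stops notifying. The following added example (not code from the original article) does the rename the safe way: fetch the rule, keep its params, schedule, tags and actions, swap the name, and PUT the result. It assumes that the fields PUT accepts are name, tags, schedule, params, actions, notify_when and throttle, that an action is sent with id, group, params and, when present, frequency and uuid, and that everything else in the GET response (connector_type_id, created_at, execution_status and so on) is server-managed and must not be echoed back; the base URL, API key, rule id and SAMPLE_RULE are constructed for the example.

```python
"""Rename a Kibana alerting rule while keeping the rest of its configuration.

Added example, not code from the original article. PUT /api/alerting/rule/<id>
replaces the rule's editable configuration instead of merging, so the body is
built from the rule as GET returns it. Assumptions: the fields PUT accepts are
name, tags, schedule, params, actions, notify_when and throttle; an action is
sent with id, group, params and, when present, frequency and uuid; everything
else in the GET response (connector_type_id, created_at, execution_status, ...)
is server-managed and must not be echoed back.
"""
import json
import urllib.request

RULE_FIELDS = ("tags", "schedule", "params", "notify_when", "throttle")
ACTION_FIELDS = ("id", "group", "params", "frequency", "uuid")


def build_update_payload(rule, new_name):
    """Build the PUT body: the new name plus the existing editable fields.

    Null-valued fields are dropped rather than sent as null, so a rule that
    uses per-action frequency does not also get a rule-level notify_when.
    """
    if "params" not in rule or "schedule" not in rule:
        raise ValueError("rule lacks params or schedule; refusing to build a lossy update")
    body = {k: rule[k] for k in RULE_FIELDS if rule.get(k) is not None}
    body["name"] = new_name
    body["actions"] = [{k: a[k] for k in ACTION_FIELDS if a.get(k) is not None}
                       for a in rule.get("actions", [])]
    return body


def kibana_request(base_url, api_key, path, method="GET", body=None, space=None):
    """Send one request to Kibana; kbn-xsrf is mandatory on non-GET calls."""
    url = base_url.rstrip("/") + ("/s/" + space if space else "") + path
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "ApiKey " + api_key,
        "Content-Type": "application/json",
        "kbn-xsrf": "true",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def rename_rule(base_url, api_key, rule_id, new_name, space=None):
    """GET the current rule, rebuild the editable part, PUT it back."""
    path = "/api/alerting/rule/" + rule_id
    current = kibana_request(base_url, api_key, path, space=space)
    return kibana_request(base_url, api_key, path, "PUT",
                          build_update_payload(current, new_name), space=space)


# Constructed rule in the shape of the GET response shown earlier (trimmed).
SAMPLE_RULE = {
    "id": "c6380ca0-32dc-11ee-be42-63f0a35e41b7",
    "name": "Error Rates KQL",
    "enabled": False,
    "created_at": "2023-08-04T15:37:10.295Z",
    "tags": [],
    "schedule": {"interval": "5m"},
    "notify_when": None,
    "throttle": None,
    "params": {"criteria": [], "groupBy": ["service.name"], "sourceId": "default"},
    "actions": [{
        "connector_type_id": ".email",
        "frequency": {"notify_when": "onActionGroupChange", "summary": False, "throttle": None},
        "group": "metrics.threshold.fired",
        "id": "elastic-cloud-email",
        "params": {"to": ["john.doe@example.com"], "subject": "Error Rate breach"},
        "uuid": "61570e61-44af-40de-a5e5-6d4ba6e73b69",
    }],
}

if __name__ == "__main__":
    # Offline: print what would be PUT for the sample rule. For a live rename:
    # rename_rule("https://elk.kb.us-east-1.aws.elastic-cloud.com", API_KEY,
    #             RULE_ID, "NEW NAME", space="foo")
    print(json.dumps(build_update_payload(SAMPLE_RULE, "NEW NAME"), indent=2))
```

Running the block offline prints the body that would be sent; diff it against the GET output before pointing rename_rule at a live cluster, and keep the API key in an environment variable rather than in the script.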