The Alerting plugin exposes a REST API under the /_plugins/_alerting/ base path. This page summarizes the available endpoints. For full request/response schemas, see the OpenSearch Alerting API documentation.
Monitors:

| Method | Endpoint | Description |
|---|---|---|
| POST | /_plugins/_alerting/monitors | Create a monitor |
| PUT | /_plugins/_alerting/monitors/{id} | Update a monitor |
| GET | /_plugins/_alerting/monitors/{id} | Get a monitor by ID |
| DELETE | /_plugins/_alerting/monitors/{id} | Delete a monitor |
| GET | /_plugins/_alerting/monitors/_search | Search monitors |
| POST | /_plugins/_alerting/monitors/{id}/_execute | Execute a monitor immediately |

Workflows:

| Method | Endpoint | Description |
|---|---|---|
| POST | /_plugins/_alerting/workflows | Create a workflow |
| PUT | /_plugins/_alerting/workflows/{id} | Update a workflow |
| GET | /_plugins/_alerting/workflows/{id} | Get a workflow by ID |
| DELETE | /_plugins/_alerting/workflows/{id} | Delete a workflow |
| POST | /_plugins/_alerting/workflows/{id}/_execute | Execute a workflow immediately |
Alerts:

| Method | Endpoint | Description |
|---|---|---|
| GET | /_plugins/_alerting/monitors/alerts | List alerts across all monitors; filter with query parameters such as monitorId, alertState (ACTIVE, ACKNOWLEDGED, COMPLETED, ERROR) and severityLevel |
| GET | /_plugins/_alerting/workflows/alerts | List alerts for one or more workflows, selected with the workflowIds query parameter |
| POST | /_plugins/_alerting/monitors/{id}/_acknowledge/alerts | Acknowledge one or more alerts of the given monitor |

Findings:

| Method | Endpoint | Description |
|---|---|---|
| GET | /_plugins/_alerting/findings/_search | List findings from document-level monitors |
Comments:

| Method | Endpoint | Description |
|---|---|---|
| POST | /_plugins/_alerting/comments/{alertId} | Add a comment to an alert |
| PUT | /_plugins/_alerting/comments/{commentId} | Update a comment |
| DELETE | /_plugins/_alerting/comments/{commentId} | Delete a comment |
| GET | /_plugins/_alerting/comments/_search | Search comments |

Destinations (legacy, read-only):

| Method | Endpoint | Description |
|---|---|---|
| GET | /_plugins/_alerting/destinations/{id} | Get a destination by ID |
| GET | /_plugins/_alerting/destinations/_search | Search destinations |
Note: Destination management has been migrated to the Notifications plugin. Use the Notifications API (/_plugins/_notifications/) for creating and managing notification channels.
This example creates a query-level monitor that runs every 5 minutes and fires its trigger when the number of error-level events in the last hour exceeds 100. The trigger has an empty actions list, so a hit only raises an alert; to send a message, add an action whose destination_id is the ID of a Notifications channel. The commands use the default admin:admin credentials and -k to skip certificate verification; substitute your indexer credentials and, outside a lab, pass the CA certificate with --cacert instead:
curl -sk -u admin:admin -X POST \
  "https://localhost:9200/_plugins/_alerting/monitors" \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "monitor",
    "name": "High error rate",
    "monitor_type": "query_level_monitor",
    "enabled": true,
    "schedule": {
      "period": {
        "interval": 5,
        "unit": "MINUTES"
      }
    },
    "inputs": [
      {
        "search": {
          "indices": ["wazuh-events-v5-*"],
          "query": {
            "size": 0,
            "query": {
              "bool": {
                "filter": [
                  { "range": { "@timestamp": { "gte": "now-1h" } } },
                  { "term": { "event.severity": "error" } }
                ]
              }
            },
            "aggs": {
              "error_count": {
                "value_count": { "field": "@timestamp" }
              }
            }
          }
        }
      }
    ],
    "triggers": [
      {
        "query_level_trigger": {
          "name": "Error threshold exceeded",
          "severity": "1",
          "condition": {
            "script": {
              "source": "ctx.results[0].aggregations.error_count.value > 100",
              "lang": "painless"
            }
          },
          "actions": []
        }
      }
    ]
  }'
To acknowledge alerts raised by a monitor, replace {monitorId} with the _id returned when the monitor was created. The endpoint is scoped to that monitor, so alert IDs belonging to other monitors are reported in the failed list of the response rather than acknowledged:

curl -sk -u admin:admin -X POST \
  "https://localhost:9200/_plugins/_alerting/monitors/{monitorId}/_acknowledge/alerts" \
  -H 'Content-Type: application/json' \
  -d '{
    "alerts": ["alert-id-1", "alert-id-2"]
  }'
To run a monitor immediately instead of waiting for its schedule (append ?dryrun=true to evaluate the triggers without creating alerts or running actions, which is the safe way to test a new condition):

curl -sk -u admin:admin -X POST \
  "https://localhost:9200/_plugins/_alerting/monitors/{monitorId}/_execute"
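The three curl commands above, scripted end to end (create, dry-run, list active alerts, acknowledge) as an added example that is not part of the original page, of Wazuh or of the OpenSearch project. It assumes an indexer on https://localhost:9200 with the default admin:admin credentials; CA_FILE, the channel ID and the sample replies are constructed for illustration. The helpers that build the request bodies and parse the replies work on plain JSON and need no cluster, so they can be exercised offline.

```python
"""Script a monitor's life cycle against the Alerting REST API (added example)."""
import base64
import json
import ssl
import urllib.request

BASE_URL = "https://localhost:9200"   # assumption: local indexer
CREDENTIALS = ("admin", "admin")      # assumption: default lab credentials only
CA_FILE = None                        # hypothetical, e.g. "/etc/wazuh-indexer/certs/root-ca.pem"


def build_monitor(indices, threshold, interval_minutes=5, channel_id=None):
    """Body for POST /_plugins/_alerting/monitors: a query-level monitor that
    counts error-level events in the last hour and fires above `threshold`."""
    actions = []
    if channel_id:
        # Destinations now live in the Notifications plugin; the action still
        # references the channel through destination_id.
        actions.append({
            "name": "notify-ops",
            "destination_id": channel_id,
            "subject_template": {"source": "High error rate: {{ctx.monitor.name}}", "lang": "mustache"},
            "message_template": {"source": "{{ctx.results.0.aggregations.error_count.value}} error events in the last hour", "lang": "mustache"},
            "throttle_enabled": False,
        })
    return {
        "type": "monitor",
        "name": "High error rate",
        "monitor_type": "query_level_monitor",
        "enabled": True,
        "schedule": {"period": {"interval": interval_minutes, "unit": "MINUTES"}},
        "inputs": [{"search": {
            "indices": list(indices),
            "query": {
                "size": 0,
                "query": {"bool": {"filter": [
                    {"range": {"@timestamp": {"gte": "now-1h"}}},
                    {"term": {"event.severity": "error"}},
                ]}},
                "aggs": {"error_count": {"value_count": {"field": "@timestamp"}}},
            },
        }}],
        "triggers": [{"query_level_trigger": {
            "name": "Error threshold exceeded",
            "severity": "1",
            "condition": {"script": {
                # int() keeps a caller-supplied threshold from injecting Painless
                "source": f"ctx.results[0].aggregations.error_count.value > {int(threshold)}",
                "lang": "painless",
            }},
            "actions": actions,
        }}],
    }


def triggered_trigger_names(execute_response):
    """Names of the triggers whose condition evaluated true in an _execute reply."""
    results = execute_response.get("trigger_results") or {}
    return sorted(r["name"] for r in results.values() if r.get("triggered"))


def alert_ids_to_ack(alerts_response, monitor_id):
    """ACTIVE alert IDs belonging to monitor_id. The acknowledge endpoint is
    scoped to one monitor, so IDs of other monitors would come back as failed."""
    return [a["id"] for a in alerts_response.get("alerts", [])
            if a.get("monitor_id") == monitor_id and a.get("state") == "ACTIVE"]


def acknowledge_body(alert_ids):
    """Body for POST /_plugins/_alerting/monitors/{id}/_acknowledge/alerts."""
    return {"alerts": list(alert_ids)}


def api(method, path, body=None):
    """One authenticated request to the Alerting API; returns the decoded JSON."""
    token = base64.b64encode(":".join(CREDENTIALS).encode()).decode()
    req = urllib.request.Request(
        BASE_URL + path, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
    )
    ctx = ssl.create_default_context(cafile=CA_FILE)
    if CA_FILE is None:                 # equivalent of curl -k: lab use only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


# Constructed sample replies, shaped like real _execute and alerts responses.
SAMPLE_EXECUTE = {
    "monitor_name": "High error rate", "error": None,
    "input_results": {"results": [{"hits": {"total": {"value": 143}}, "aggregations": {"error_count": {"value": 143}}}]},
    "trigger_results": {"trig-1": {"name": "Error threshold exceeded", "triggered": True, "error": None, "action_results": {}}},
}
SAMPLE_ALERTS = {"alerts": [
    {"id": "alert-id-1", "monitor_id": "mon-1", "state": "ACTIVE", "severity": "1"},
    {"id": "alert-id-2", "monitor_id": "mon-1", "state": "ACKNOWLEDGED", "severity": "1"},
    {"id": "alert-id-3", "monitor_id": "mon-2", "state": "ACTIVE", "severity": "3"},
], "totalAlerts": 3}

if __name__ == "__main__":
    monitor_id = api("POST", "/_plugins/_alerting/monitors", build_monitor(["wazuh-events-v5-*"], 100))["_id"]
    # dryrun evaluates the triggers without persisting alerts or running actions
    dry = api("POST", f"/_plugins/_alerting/monitors/{monitor_id}/_execute?dryrun=true")
    print("triggered:", triggered_trigger_names(dry))
    alerts = api("GET", f"/_plugins/_alerting/monitors/alerts?monitorId={monitor_id}&alertState=ACTIVE")
    ids = alert_ids_to_ack(alerts, monitor_id)
    if ids:
        print(api("POST", f"/_plugins/_alerting/monitors/{monitor_id}/_acknowledge/alerts", acknowledge_body(ids)))
```

The threshold is coerced with int() before being interpolated into the Painless source: a trigger condition is a script the cluster runs, so a value taken from user input must never be spliced in as a raw string. Leaving CA_FILE unset reproduces curl -k and should only be used against a throwaway lab indexer.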