API Reference

The Alerting plugin exposes a REST API under the /_plugins/_alerting/ base path. This page summarizes the available endpoints. For full request/response schemas, see the OpenSearch Alerting API documentation.

Endpoint Summary

Monitors

| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | /_plugins/_alerting/monitors | Create a monitor |
| PUT | /_plugins/_alerting/monitors/{id} | Update a monitor |
| GET | /_plugins/_alerting/monitors/{id} | Get a monitor by ID |
| DELETE | /_plugins/_alerting/monitors/{id} | Delete a monitor |
| GET | /_plugins/_alerting/monitors/_search | Search monitors |
| POST | /_plugins/_alerting/monitors/{id}/_execute | Execute a monitor immediately |

Workflows

| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | /_plugins/_alerting/workflows | Create a workflow |
| PUT | /_plugins/_alerting/workflows/{id} | Update a workflow |
| GET | /_plugins/_alerting/workflows/{id} | Get a workflow by ID |
| DELETE | /_plugins/_alerting/workflows/{id} | Delete a workflow |
| POST | /_plugins/_alerting/workflows/{id}/_execute | Execute a workflow immediately |

Alerts

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | /_plugins/_alerting/alerts | List alerts across all monitors |
| GET | /_plugins/_alerting/workflows/{id}/alerts | List alerts for a specific workflow |
| POST | /_plugins/_alerting/monitors/{id}/_acknowledge/alerts | Acknowledge one or more alerts |

Findings

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | /_plugins/_alerting/findings | List findings from document-level monitors |

Comments

| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | /_plugins/_alerting/comments/{alertId} | Add a comment to an alert |
| PUT | /_plugins/_alerting/comments/{commentId} | Update a comment |
| DELETE | /_plugins/_alerting/comments/{commentId} | Delete a comment |
| GET | /_plugins/_alerting/comments/_search | Search comments |

Destinations (Legacy)

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | /_plugins/_alerting/destinations/{id} | Get a destination by ID |
| GET | /_plugins/_alerting/destinations/_search | Search destinations |

Note: Destination management has been migrated to the Notifications plugin. Use the Notifications API (/_plugins/_notifications/) for creating and managing notification channels.

Examples

Create a Query-Level Monitor

This example creates a monitor that runs every 5 minutes and checks whether the number of error-level events in the last hour exceeds 100. The curl examples on this page pass -sk (silent; -k skips TLS certificate verification) and the default admin:admin credentials, which is only appropriate against a local test cluster:

curl -sk -u admin:admin -X POST \
  "https://localhost:9200/_plugins/_alerting/monitors" \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "monitor",
    "name": "High error rate",
    "monitor_type": "query_level_monitor",
    "enabled": true,
    "schedule": {
      "period": {
        "interval": 5,
        "unit": "MINUTES"
      }
    },
    "inputs": [
      {
        "search": {
          "indices": ["wazuh-events-v5-*"],
          "query": {
            "size": 0,
            "query": {
              "bool": {
                "filter": [
                  { "range": { "@timestamp": { "gte": "now-1h" } } },
                  { "term": { "event.severity": "error" } }
                ]
              }
            },
            "aggs": {
              "error_count": {
                "value_count": { "field": "@timestamp" }
              }
            }
          }
        }
      }
    ],
    "triggers": [
      {
        "query_level_trigger": {
          "name": "Error threshold exceeded",
          "severity": "1",
          "condition": {
            "script": {
              "source": "ctx.results[0].aggregations.error_count.value > 100",
              "lang": "painless"
            }
          },
          "actions": []
        }
      }
    ]
  }'

Acknowledge Alerts

curl -sk -u admin:admin -X POST \
  "https://localhost:9200/_plugins/_alerting/monitors/{monitorId}/_acknowledge/alerts" \
  -H 'Content-Type: application/json' \
  -d '{
    "alerts": ["alert-id-1", "alert-id-2"]
  }'

Execute a Monitor On-Demand

curl -sk -u admin:admin -X POST \
  "https://localhost:9200/_plugins/_alerting/monitors/{monitorId}/_execute"
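As an added example (not code from this page or from the Wazuh or OpenSearch projects), the following Python script builds the monitor body from the create example above as a parametrised function, evaluates it once with _execute?dryrun=true before saving it, and reads the trigger results of the run. The id-less monitors/_execute form and the dryrun parameter are not in the summary tables above and are assumed from the upstream Alerting API; the sample response is constructed, not captured from a cluster.

```python
import base64
import json
import ssl
import urllib.request

def build_error_rate_monitor(name, indices, threshold, window="1h", interval=5):
    # Same shape as the curl example on this page, with index pattern, window and threshold as parameters.
    query = {"size": 0,
             "query": {"bool": {"filter": [{"range": {"@timestamp": {"gte": f"now-{window}"}}},
                                           {"term": {"event.severity": "error"}}]}},
             "aggs": {"error_count": {"value_count": {"field": "@timestamp"}}}}
    trigger = {"name": "Error threshold exceeded", "severity": "1", "actions": [],
               "condition": {"script": {"lang": "painless",
                             "source": f"ctx.results[0].aggregations.error_count.value > {int(threshold)}"}}}
    return {"type": "monitor", "name": name, "monitor_type": "query_level_monitor", "enabled": True,
            "schedule": {"period": {"interval": int(interval), "unit": "MINUTES"}},
            "inputs": [{"search": {"indices": list(indices), "query": query}}],
            "triggers": [{"query_level_trigger": trigger}]}

def dry_run(monitor, base_url="https://localhost:9200", user="admin", password="admin", verify_tls=True):
    # POST the body to _execute?dryrun=true: evaluated once, not saved, no actions fired (assumed upstream API).
    # verify_tls=False is the equivalent of curl -k and belongs only in a local test setup.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/_plugins/_alerting/monitors/_execute?dryrun=true",
                                 data=json.dumps(monitor).encode(), method="POST",
                                 headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)

def triggered(execute_response):
    # Names of triggers whose condition evaluated true, and any errors the run reported.
    results = execute_response.get("trigger_results") or {}
    fired = sorted(r["name"] for r in results.values() if r.get("triggered"))
    errors = [e for e in [execute_response.get("error")] + [r.get("error") for r in results.values()] if e]
    return fired, errors

# Constructed sample of an _execute response (not captured from a real cluster).
SAMPLE_RESPONSE = {
    "monitor_name": "High error rate", "error": None,
    "input_results": {"results": [{"aggregations": {"error_count": {"value": 143}}}], "error": None},
    "trigger_results": {"t1": {"name": "Error threshold exceeded", "triggered": True,
                               "action_results": {}, "error": None}}}

if __name__ == "__main__":
    body = build_error_rate_monitor("High error rate", ["wazuh-events-v5-*"], 100)
    print(json.dumps(body, indent=2))
    print(triggered(SAMPLE_RESPONSE))  # (['Error threshold exceeded'], [])
```

Against a live cluster, replace the sample with dry_run(body) and only submit the body to POST /_plugins/_alerting/monitors once triggered() reports no errors.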