Docs
Elastic Cloud Documentation » Plugins » Alerting (formerly Watcher)
«  Using Scripts    

Alerting (formerly Watcher)

Alerting lets you take action based on changes in your data. It is designed around the principle that, if you can query something in Elasticsearch, you can alert on it. Simply define a query, condition, schedule, and the actions to take, and Alerting will do the rest.

Tip

In Elasticsearch 5.0, Watcher was renamed to Alerting. If you’re using a version of Elasticsearch before 5.0, think Watcher every time you read about Alerting.

To learn more about Alerting and how to use it, see Watcher - Alerting & Notification (version 5.0 and later) or Elasticsearch Watcher (all versions before 5.0).

Enable Alerting

Alerting (formerly Watcher) is a plugin available to Gold and Platinum subscriptions that you can enable when configuring your cluster, available for clusters with version 1.7.2 or higher.

You can run Alerting on a separate cluster from the cluster whose data you are actually watching.

To run Alerting on a cluster, you also need to:

  • Enable the auto_create_index setting
  • Enable dynamic scripts for most uses of Alerting
  • Use authentication

Send Alerts by Email

Alerting can send alerts by email.

To send alerts by email:

  1. Go to the Elastic Cloud email settings.

  2. Enter a recipient to be whitelisted under Watcher Whitelist and click Request Whitelisting.

    An email is sent to the email address.

  3. The recipient must acknowledge the request by clicking Whitelist Email in the email.

    After the whitelist request is acknowledged, you are able to send alerts to the recipient address by email.

For more information on sending alerts by email, see Actions.

Restrictions

Some restrictions exist:

  • Changing the default throttle period is not possible. You can specify a throttle period per watch, however.
  • You cannot use your own SMTP server. All emails are sent through our servers, and the recipient must be whitelisted.

Advanced Usage

Slack, HipChat, and PagerDuty Integration

Under the hood, Alerting is configured via elasticsearch.yml. If you want to customize your Alerting settings, you can provide custom elasticsearch.yml snippet which is appended to your configuration.

To provide the custom snippet you can use the console User Settings section under the cluster configuration.

For example if you want to use the Slack integration:

Advanced Alerting configuration
«  Using Scripts