Elasticsearch OpenSearch Document-Level Alerting

By Opster Expert Team - Gustavo

Updated: Jun 28, 2023 | 3 min read

What is document-level alerting in OpenSearch? 

Document-level alerting is a newer OpenSearch Alerting feature that evaluates queries against individual documents as they are indexed, rather than only against the result of a query or an aggregation over the whole index. The monitor still wakes up on its schedule, but on each run it matches its queries against the documents ingested since the previous run, so a single matching document is enough to raise an alert.

Query-level and bucket-level monitors run a single query against the index. Per-document monitors instead hold a list of named queries, each of which can carry one or more tags, and the trigger condition refers to queries by name or by tag.

When the trigger condition refers to a tag, every query carrying that tag is evaluated as an OR: a document that matches any one of them fires the trigger.

When the trigger fires, the monitor also writes a document to the findings index. Each finding records the ID of the matching document and the query that matched it, so the findings index can be searched afterwards as an audit trail of what fired and why.

In this article, we will show you how to use document-level alerting in OpenSearch and how query-based alerts in Elasticsearch can achieve similar results.

NOTE: To create alerts in OpenSearch, you must have at least one Channel created. To learn how to set up an alerting Channel, you can read our article on the subject: OpenSearch Alerting – How to Set Up Alerting in OpenSearch (opster.com)

How to use document-level alerting

Let’s look at an example scenario to understand how to use document-level alerting in OpenSearch. 

In this scenario, we want to be notified every time a transaction document records a sell of Bitcoin (action = sell and currency = BTC).

Step 1. Create the index:

PUT test_transactions
{
  "mappings": {
    "properties": {
      "action": {
        "type": "keyword"
      },
      "currency": {
        "type": "keyword"
      },
      "amount": {
        "type": "long"
      }
    }
  }
}

Step 2. Configure the alert: in OpenSearch Dashboards, go to Alerting -> Create monitor.

[Screenshot: Alerting -> Create monitor]

Step 3. Set the basic details. We want a per document monitor, and we use the visual editor for the queries:

[Screenshot: monitor basic details, with "Per document monitor" selected]

When setting the details, the key parts are the queries:

[Screenshot: the monitor's document-level queries]

And the triggers:

[Screenshot: the trigger definition]

Step 4. Ingest some documents:

POST test_transactions/_doc
{
  "action": "sell",
  "amount": 100,
  "currency": "BTC"
}
POST test_transactions/_doc
{
  "action": "sell",
  "amount": 200,
  "currency": "CLP"
}

After the next monitor run, we will see the alert raised by the first document (sell, BTC) together with a new entry in the findings index for further analysis; the second document (sell, CLP) matches nothing and raises no alert.

[Screenshot: OpenSearch Dashboards showing the triggered alert and the findings index]

Step 5. Acknowledge the alert; otherwise the monitor keeps sending notifications for it.

This is what the finding looks like:

[Screenshot: the finding, showing the document ID and the query that matched it]

And this is the alert we receive:

Monitor documents just entered alert status. Please investigate the issue.
  - Trigger: WH
  - Severity: 1
  - Period start: 2022-12-02T22:36:38.947738922Z
  - Period end: 2022-12-02T22:36:38.947740964Z
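The same monitor can be created through the Alerting REST API instead of the Dashboards UI. The following is an added example, not code from the original article: the request body follows the Alerting plugin's doc-level monitor format, while the cluster URL, the credentials and the notification channel ID are assumptions read from environment variables. It goes slightly beyond the scenario above by adding a second query for ETH that shares the same tag, to show how tagged queries are OR'ed by the trigger condition.

```python
"""Create the "sell BTC" per-document monitor through the OpenSearch Alerting REST API.

Added example, not code from the original article. The request body follows the
Alerting plugin's doc-level monitor format; the cluster URL, credentials and the
notification channel (destination) ID are assumptions taken from the environment.
"""
import base64
import json
import os
import ssl
import urllib.request
from typing import Optional

# Assumed deployment details; replace with your own cluster and channel.
OPENSEARCH_URL = os.environ.get("OPENSEARCH_URL", "https://localhost:9200")
CHANNEL_ID = os.environ.get("OPENSEARCH_CHANNEL_ID", "replace-with-channel-id")

# Query names and tags are hypothetical. Each query uses query_string syntax and is
# matched against every newly indexed document; both carry the same tag so that the
# trigger condition below treats them as an OR.
DOC_LEVEL_QUERIES = [
    {"id": "btc-sell", "name": "btc-sell",
     "query": 'action:"sell" AND currency:"BTC"', "tags": ["crypto-sell"]},
    {"id": "eth-sell", "name": "eth-sell",
     "query": 'action:"sell" AND currency:"ETH"', "tags": ["crypto-sell"]},
]


def build_doc_level_monitor(index: str, channel_id: str, interval_minutes: int = 1) -> dict:
    """Return the request body for a per-document monitor over ``index``."""
    return {
        "type": "monitor",
        "monitor_type": "doc_level_monitor",
        "name": "crypto-sell-per-document",
        "enabled": True,
        # The monitor still runs on a schedule; each run evaluates the documents
        # indexed since the previous run.
        "schedule": {"period": {"interval": interval_minutes, "unit": "MINUTES"}},
        "inputs": [{"doc_level_input": {
            "description": "Per-document queries over ingested transactions",
            "indices": [index],
            "queries": DOC_LEVEL_QUERIES,
        }}],
        "triggers": [{"document_level_trigger": {
            "name": "WH",
            "severity": "1",
            # A document matching any query tagged crypto-sell fires the trigger.
            "condition": {"script": {"source": "query[tag=crypto-sell]", "lang": "painless"}},
            "actions": [{
                "name": "notify-channel",
                "destination_id": channel_id,
                "subject_template": {"source": "Crypto sell detected", "lang": "mustache"},
                "message_template": {
                    "source": ("Monitor {{ctx.monitor.name}} just entered alert status. "
                               "Finding IDs: {{ctx.alerts.0.finding_ids}}, "
                               "document IDs: {{ctx.alerts.0.related_doc_ids}}"),
                    "lang": "mustache",
                },
                # Run the action once per alert, i.e. once per matching document.
                "action_execution_policy": {
                    "action_execution_scope": {"per_alert": {"actionable_alerts": []}}
                },
            }],
        }}],
    }


def create_monitor(body: dict, url: str = OPENSEARCH_URL,
                   ca_file: Optional[str] = None) -> dict:
    """POST the monitor definition and return the plugin's JSON response.

    Credentials come from OPENSEARCH_USER / OPENSEARCH_PASSWORD (assumed variable
    names); TLS is verified against the system trust store or the given CA bundle.
    """
    user = os.environ["OPENSEARCH_USER"]
    password = os.environ["OPENSEARCH_PASSWORD"]
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{url}/_plugins/_alerting/monitors",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=ca_file)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    monitor = build_doc_level_monitor("test_transactions", CHANNEL_ID)
    print(json.dumps(monitor, indent=2))
    if "OPENSEARCH_USER" in os.environ:
        print(create_monitor(monitor))
```

Run it without credentials to print the body; set OPENSEARCH_USER and OPENSEARCH_PASSWORD to actually create the monitor. The response contains the monitor's `_id`, and the findings written for it can afterwards be searched through `GET _plugins/_alerting/findings/_search` rather than by reading the findings index directly.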

How to use query-based alerts in Elasticsearch

The closest equivalent in Elasticsearch is a query-based rule created through Kibana Alert Rules (the Elasticsearch query rule type). The limitation is that the documents must carry a timestamp field: the rule does not track individual documents at ingest time but re-runs a query over a sliding time window on a schedule.

Step 1: Create the same index we created for OpenSearch in the example above:

PUT test_transactions
{
  "mappings": {
    "properties": {
      "action": {
        "type": "keyword"
      },
      "currency": {
        "type": "keyword"
      },
      "amount": {
        "type": "long"
      }
    }
  }
}

Step 2. Ingest documents that carry an @timestamp field. The mapping above does not declare it, so dynamic mapping creates it as a date field; the rule uses it to select the documents inside its time window:

POST test_transactions/_doc
{
  "@timestamp": "2022-12-01T13:16:40.139Z",
  "action": "sell",
  "amount": 100,
  "currency": "BTC"
}
POST test_transactions/_doc
{
  "@timestamp": "2022-12-01T13:16:40.139Z",
  "action": "sell",
  "amount": 200,
  "currency": "CLP"
}

Step 3. Set up an index query rule in Kibana:

[Screenshot: the index query rule definition in Kibana]

Step 4: Add the following query:

{
 "query": {
   "bool": {
     "filter": [
       {
         "term": {
           "action": "sell"
         }
       },
       {
         "term": {
           "currency": "BTC"
         }
       }
     ]
   }
 }
}

Step 5. To get an alert for each matching document rather than for every run that still sees it, enable “Exclude matches from previous runs”, so a document counted in one run is not counted again while it remains inside the time window.

After some time, you will see the rule fire in Kibana:

[Screenshot: the triggered rule in Kibana]
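The same rule can be created through the Kibana alerting API instead of the UI. The following is an added example, not code from the original article: the parameter names follow Kibana's Elasticsearch query (".es-query") rule type, while the Kibana URL, the credentials, the 5-minute window and the 1-minute check interval are assumptions.

```python
"""Create the Elasticsearch query rule for "sell BTC" through the Kibana alerting API.

Added example, not code from the original article. Parameter names follow the
Kibana ".es-query" rule type; the Kibana URL, credentials, window and interval
are assumptions.
"""
import base64
import json
import os
import ssl
import urllib.request
from typing import Optional

# Assumed deployment details; replace with your own Kibana instance.
KIBANA_URL = os.environ.get("KIBANA_URL", "https://localhost:5601")

# The article's query: documents whose action is "sell" and whose currency is "BTC".
BTC_SELL_QUERY = {"query": {"bool": {"filter": [
    {"term": {"action": "sell"}},
    {"term": {"currency": "BTC"}},
]}}}


def build_es_query_rule(index: str, time_field: str = "@timestamp",
                        window_minutes: int = 5, interval: str = "1m") -> dict:
    """Return the request body for an Elasticsearch query rule.

    Every ``interval`` the rule re-runs BTC_SELL_QUERY over the last
    ``window_minutes`` of ``time_field`` and alerts when it returns more than
    zero hits. Unlike a per-document monitor, this is a query over a window.
    """
    return {
        "name": "btc-sell-query-rule",
        "consumer": "alerts",
        "rule_type_id": ".es-query",
        "schedule": {"interval": interval},
        "actions": [],  # attach a connector here to be notified
        "params": {
            "searchType": "esQuery",
            "index": [index],
            "timeField": time_field,  # required: the rule filters on a time window
            "esQuery": json.dumps(BTC_SELL_QUERY),
            "size": 100,
            "thresholdComparator": ">",
            "threshold": [0],
            "timeWindowSize": window_minutes,
            "timeWindowUnit": "m",
            # "Exclude matches from previous runs": a document counted in one
            # run is not counted again while it is still inside the window.
            "excludeHitsFromPreviousRun": True,
        },
    }


def create_rule(body: dict, url: str = KIBANA_URL, ca_file: Optional[str] = None) -> dict:
    """POST the rule to Kibana and return its JSON response.

    Credentials come from KIBANA_USER / KIBANA_PASSWORD (assumed variable names).
    Kibana rejects API writes without the kbn-xsrf header, so it is always sent.
    """
    user = os.environ["KIBANA_USER"]
    password = os.environ["KIBANA_PASSWORD"]
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{url}/api/alerting/rule",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "kbn-xsrf": "true",
                 "Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=ca_file)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rule = build_es_query_rule("test_transactions")
    print(json.dumps(rule, indent=2))
    if "KIBANA_USER" in os.environ:
        print(create_rule(rule))
```

Note that `esQuery` is sent as a JSON string, exactly as it would be pasted into the rule's query box in Kibana, and that the time field is what makes the sliding window possible; without it the rule type cannot be used, which is the limitation described above.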

Conclusion

Using document-level alerts, we can run one or more queries against a document at the moment that it is indexed and trigger an alert if it meets the conditions. This feature is very useful when we need to react to a document with specific field values, instead of an aggregation or the output of a query. 

Elasticsearch offers a different mechanism through Kibana Alert Rules, which evaluates a query over a set of documents in a time window rather than each individual document at the moment it is indexed.
