|
1 | 1 | [[view-alerts]]
|
2 |
| -== View alerts |
| 2 | +== View and manage alerts |
3 | 3 | :frontmatter-description: View and manage alerts in the {kib} {stack-manage-app} app.
|
4 | 4 | :frontmatter-tags-products: [kibana, alerting]
|
5 | 5 | :frontmatter-tags-content-type: [how-to]
|
@@ -81,3 +81,46 @@ In both *{stack-manage-app} > Alerts* and *{rules-ui}*, you can open the action
|
81 | 81 | To permanently suppress actions for an alert, open the actions menu and select *Mark as untracked*.
|
82 | 82 |
|
83 | 83 | To affect the behavior of the rule rather than individual alerts, check out <<controlling-rules>>.
|
| 84 | + |
| 85 | +[discrete] |
| 86 | +[[clean-up-alerts]] |
| 87 | +=== Clean up alerts |
| 88 | + |
| 89 | +Manage the size of alert indices in your space by clearing out alerts that are older or infrequently accessed. You can do this by running an alert cleanup task, which deletes alerts according to the criteria that you define. |
| 90 | + |
| 91 | +NOTE: The alert cleanup task permanently deletes alerts in your `.alert-*` indices. Make sure to take regular snapshots of your cluster to back up your alert data in case you ever need to restore it. |
| 92 | + |
| 93 | +[discrete] |
| 94 | +[[clean-up-alerts-reqs]] |
| 95 | +==== Prerequisites |
| 96 | + |
| 97 | +* To run the alert cleanup task, your role must have `All` privileges for the **Alert deletion feature**. When setting your role's Kibana privileges, go to **Management > Rule Settings**, enable **Customize sub-feature privileges**, then select `All` for the **Alert deletion** feature. |
| 98 | +* Alerts in your space must be older than a day. The minimum threshold for the alert cleanup task is one day. |
| 99 | + |
| 100 | +[discrete] |
| 101 | +[[run-alert-clean-up-task]] |
| 102 | +==== Run the alert cleanup task |
| 103 | + |
| 104 | +preview::[] |
| 105 | + |
| 106 | +Remove old or rarely-accessed alerts in your space by running an alert cleanup task, which deletes alerts according to the criteria that you define. Alerts that are attached to cases are not deleted. |
| 107 | + |
| 108 | +. Open the **Rules** page by going to **Stack Management > Alerts and Insights > Rules** in the main menu or using the global search field. |
| 109 | +. Click **Settings** to open the settings for all rules in the space. |
| 110 | +. In the **Clean up alert history** section, click **Clean up**. |
| 111 | +. Define criteria for the alert cleanup task. You can choose to delete alerts that are active or inactive and meet a certain age. |
| 112 | ++ |
| 113 | +TIP: At the bottom of the modal, you can find a preview of the number of alerts that will be deleted according to the criteria that you define. |
| 114 | ++ |
| 115 | + |
| 116 | +** **Active alerts**: Choose to delete alerts that haven't had their status changed since they were initially generated and are older than the threshold that you specify. |
| 117 | ++ |
| 118 | +For example, if you specify two years as the threshold, the cleanup task will delete alerts that were generated more than two years ago and have never had their status changed. |
| 119 | ++ |
| 120 | +** **Inactive alerts**: Choose to delete alerts that have had their statuses changed since they were initially created and are older than the threshold that you specify. Inactive alerts have had their status changed to recovered, closed, acknowledged, or untracked. |
| 121 | ++ |
| 122 | +For example, if you specify two years, the cleanup task will delete alerts that have had their status changed to recovered, closed, acknowledged, or untracked more than two years ago. |
| 123 | + |
| 124 | +. Enter **Delete** to verify that you want to run the alert cleanup task, then click **Run cleanup task**. |
| 125 | + |
| 126 | +A message confirming that the alert cleanup task has started running appears. This information is also provided at the top of the alert cleanup modal in the **Last cleanup task: details** field. Note the field doesn't display in the modal until an alert cleanup task is run. |
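Review bot: The **Inactive alerts** item at new lines 120-122 measures age in two different ways: the definition says the alerts "are older than the threshold that you specify", while its example says they had their status changed "more than two years ago". State whether the threshold is counted from when the alert was generated or from its last status change, and use the same reference point in the **Active alerts** item at lines 116-118. The NOTE at line 91 says the task deletes permanently, so readers will rely on this wording to decide what is retained. The `+` at new line 114 is followed by a blank line before the nested `**` items, so it attaches nothing; drop it or remove the blank line at 115. At new line 97 the bold span reads **Alert deletion feature** in the first sentence and **Alert deletion** in the second; pick one. Line 106 repeats the sentence at line 89 almost verbatim; keeping only the new fact there ("Alerts that are attached to cases are not deleted.") would be enough.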