A monitor is a job that runs on a defined schedule and queries Elasticsearch. The results are used as input for one or more triggers. You create monitors to specify the types of conditions that you want to watch as part of the alerting and notifications available within Kibana.

Creating a Monitor

To create a monitor:

1. In Analytics > Alerting, click the Monitors tab. The Monitors page opens.

2. Click Create monitor. The Create Monitor window opens.

3. Type a name for the monitor.
4. In the Monitor state field, you can select to disable the monitor if you are not yet ready to use it. The monitor must be enabled before it can take effect.
5. In the Method of definition field, select how to you want to define the monitor:

• Select Define using visual graph to create a monitor that watches for when a value is above or below a threshold for a period of time.
• Select Define using extraction query if you want more flexibility for the conditions that you want to query for (using the Elasticsearch query DSL) and how you evaluate the results of that query.

6. In the Select index field, select the ChaosSearch index view on which you are basing the monitor.
7. In Time field, which appears if you selected the visual graph option, select the column that you want to use for the time field.
8. In the Query performance field, review the query duration, and related information.
9. In the Monitor schedule section, select the frequency on which to run the query (such as By interval, Daily, Weekly, Monthly, or a Custom cron expression). Depending on the frequency option, the window displays more granular selection options.
10. Click Create to define the monitor.

Review the following sections for more details about the monitor options.

Defining an Extraction Query Monitor

If you select the option to Define using extraction query, as in the following example, the window updates to show new fields for the query.

Select the index view to monitor in the Index dropdown. The window updates to display two new fields. The left column Define extraction query allows you to define the extraction query, and the Extraction query response column on the right updates to show the relevant fields for the extraction query.

Click Run to populate the column on the right. The response in the right column produces the values from the selected index that could be added to the extraction that you are building in the left column.

📘

Tool Tip

When defining the extraction query, it is important to ensure the "match_all" query is correctly defined. Creation will not take effect unless it is properly set.

A sample match follows:

When the appropriate values have been added to the extraction query, click Create.

Define using a Visual Graph

If you select the option to Define using visual graph, as in the following example, the window updates to show new fields for the query.

Select the index view to monitor in the Index dropdown, then select the Time field to use for the query from one of the possible timestamp fields in the index view. The window updates to display a graph area, and populates the recent data for the graph.

If a visual graph does not appear, there may not be any values for the selected time period. The sample chart defaults to the last hour, but you might need to adjust that timeframe.