From d69f01e73de023f641a60b74ea0e0af6ec625c44 Mon Sep 17 00:00:00 2001
From: alicejw
Date: Wed, 25 May 2022 11:14:12 -0700
Subject: [PATCH 01/16] for additional information about findings index and search API
Signed-off-by: alicejw
---
 _monitoring-plugins/alerting/api.md | 107 +++++++++++++++++++----
 _monitoring-plugins/alerting/monitors.md | 9 +-
 2 files changed, 98 insertions(+), 18 deletions(-)
diff --git a/_monitoring-plugins/alerting/api.md b/_monitoring-plugins/alerting/api.md
index 2d814380..01d0b4bd 100644
--- a/_monitoring-plugins/alerting/api.md
+++ b/_monitoring-plugins/alerting/api.md
@@ -518,6 +518,49 @@ You can combine multiple queries in a per document monitor by adding a tag to ea For more information about document-level monitors, see [Monitor types]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#monitor-types). +OpenSearch provides a Findings index: `.opensearch-alerting-finding*` that contains findings data for all per document monitor queries. + +### Search for monitor findings + +You can search the findings index `.opensearch-alerting-finding*` for available document findings with a GET request to the findings resource: + +```json +GET /_plugins/_alerting/findings/_search? +``` +The response returns all findings available. + +To retrieve metadata for an individual document finding entry, you can search for the finding by its `findingId` as follows: + +```json +GET /_plugins/_alerting/findings/_search?findingId=gKQhj8WJit3BxjGfiOXC +``` + +The response returns the number of individual finding entries in the `total_findings` field. + +To get more specific results in a findings search, you can use the path parameters defined in the following table: + +Path parameter name | Description | Usage +:--- | :--- : :--- +`findingId` | The identifier for the finding entry. | This is returned in the initial query response. +`sortString` | This field sorts the finding. | Default value is `id`. +`sortOrder` | The order to sort the list of findings, either ascending or descending. | Use `sortOrder=asc` to indicate ascending, or `sortOrder=desc` for descending. +`size` | The maximum number of results to retrieve. | Can be any integer. +`startIndex` | The pagination indicator. | Default is `0`. +`searchString` | The finding attributes that you can specify in the search. | + +### How to define a trigger + +A trigger is a conditional statement that you define. When the condition is met by a monitor query, then the monitor generates the alert notification. + +You can define triggers based on a query name, query ID, or a tag name. 
The following table shows the syntax to use for each trigger option: + +Trigger type | Definition | Syntax +:--- | :--- : :--- +Tag | Creates alerts for documents that match a unique tag. | query[tag=] +Query | Creates alerts for documents that match a query name. | query[name=] +Unique query | Creates alerts for documents that match a unique query. | query[id=] + + #### Sample request The following sample shows how to create a per document monitor: @@ -527,9 +570,8 @@ POST _plugins/_alerting/monitors { "type": "monitor", "monitor_type": "doc_level_monitor", - "name": "iad-monitor", + "name": "Example per document monitor", "enabled": true, - "createdBy": "chip", "schedule": { "period": { "interval": 1, @@ -539,26 +581,36 @@ POST _plugins/_alerting/monitors "inputs": [ { "doc_level_input": { - "description": "windows-powershell", + "description": "Example per document monitor for audit logs", "indices": [ - "test-logs" + "audit-logs" ], "queries": [ - { - "id": "sigma-123", + { + "id": "nKQnFYABit3BxjGfiOXC", + "name": "sigma-123", "query": "region:\"us-west-2\"", "tags": [ - "MITRE:8500" - ], - }, - { - "id": "sigma-456", + "tag1" + ] + }, + { + "id": "gKQnABEJit3BxjGfiOXC", + "name": "sigma-456", "query": "region:\"us-east-1\"", "tags": [ - "MITRE:8600" - ], - } - ] + "tag2" + ] + }, + { + "id": "h4J2ABEFNW3vxjGfiOXC", + "name": "sigma-789", + "query": "message:\"This is a SEPARATE error from IAD region\"", + "tags": [ + "tag3" + ] + } + ] } } ], 
@@ -567,13 +619,34 @@ POST _plugins/_alerting/monitors "severity": "1", "condition": { "script": { - "source": "'sigma-123' && !'sigma-456'", + "source": "(query[name=sigma-123] || query[tag=tag3]) && query[name=sigma-789]", "lang": "painless" } }, - "actions": [] + "actions": [ + { + "name": "test-action", + "destination_id": "E4o5hnsB6KjPKmHtpfCA", + "message_template": { + "source": """Monitor just entered alert status. Please investigate the issue. Related Finding Ids: {{ctx.alerts.0.finding_ids}}, Related Document Ids: {{ctx.alerts.0.related_doc_ids}}""", + "lang": "mustache" + }, + "action_execution_policy": { + "action_execution_scope": { + "per_alert": { + "actionable_alerts": [] + } + } + }, + "subject_template": { + "source": "The Subject", + "lang": "mustache" + } + } + ] }}] } + ``` ### Limitations diff --git a/_monitoring-plugins/alerting/monitors.md b/_monitoring-plugins/alerting/monitors.md index 72ebf41d..0c9f1fc8 100644 --- a/_monitoring-plugins/alerting/monitors.md +++ b/_monitoring-plugins/alerting/monitors.md @@ -30,10 +30,17 @@ The Alerting plugin also creates a list of document findings data that contains The following metadata is provided for each document finding entry: -* **Document** – The document ID and index name. +* **Document** – The document ID and index name. For example: Re5akdirhj3fl | test-logs-index. * **Query** – The query name that matched the document. * **Time found** – The timestamp that indicates when the document was found during the runtime. +### Document findings + +When a per document monitor executes a query that matches a document in an index, a finding is created. + +It is possible to configure an alert notification for each finding, however we don't recommend this unless rules are well defined to prevent a huge volume of findings in a high ingestion cluster. + + ## Key terms Term | Definition From 68bcb49213684b2b10e210626c6b2367af02ea37 Mon Sep 17 00:00:00 2001 
From: alicejw Date: Wed, 25 May 2022 12:36:38 -0700 Subject: [PATCH 02/16] additional updates for Alerting API Signed-off-by: alicejw --- _monitoring-plugins/alerting/api.md | 24 +++++++++++------------- _monitoring-plugins/alerting/monitors.md | 22 +++++++++++++--------- 2 files changed, 24 insertions(+), 22 deletions(-) diff --git a/_monitoring-plugins/alerting/api.md b/_monitoring-plugins/alerting/api.md index 01d0b4bd..d90e69a1 100644 --- a/_monitoring-plugins/alerting/api.md +++ b/_monitoring-plugins/alerting/api.md @@ -7,7 +7,7 @@ nav_order: 15 # Alerting API -Use the alerting API to programmatically manage monitors and alerts. +Use the Alerting API to programmatically create, update and manage monitors and alerts. --- @@ -18,11 +18,11 @@ Use the alerting API to programmatically manage monitors and alerts. --- -## Create query-level monitor +## Create a per query monitor Introduced 1.0 {: .label .label-purple } -Query-level monitors run the query and check whether the results should trigger any alerts. As such, query-level monitors can only trigger one alert at a time. For more information about query-level monitors versus bucket-level monitors, see [Create monitors]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#create-monitors). +Per query monitors run the query and check whether the results should trigger any alerts. As such, per query monitors can only trigger one alert at a time. For more information about per query monitors and per bucket monitors, see [Create monitors]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#create-monitors). #### Request 
@@ -250,15 +250,15 @@ For a full list of timezone names, refer to [Wikipedia](https://en.wikipedia.org --- -## Create bucket-level monitor +## Create a per bucket monitor -Bucket-level monitors categorize results into buckets separated by fields. The monitor then runs your script with each bucket's results and evaluates whether to trigger an alert. For more information about bucket-level monitors versus query-level monitors, see [Create monitors]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#create-monitors). +Per bucket monitors categorize results into buckets separated by fields. The monitor then runs your script with each bucket's results and evaluates whether to trigger an alert. For more information about per bucket and per query monitors, see [Create monitors]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#create-monitors). ```json POST _plugins/_alerting/monitors { "type": "monitor", - "name": "test-bucket-level-monitor", + "name": "Demo per bucket monitor", "monitor_type": "bucket_level_monitor", "enabled": true, "schedule": { @@ -379,7 +379,7 @@ POST _plugins/_alerting/monitors "monitor" : { "type" : "monitor", "schema_version" : 4, - "name" : "test-bucket-level-monitor", + "name" : "Demo a per bucket monitor", "monitor_type" : "bucket_level_monitor", "user" : { "name" : "", 
@@ -508,17 +508,15 @@ POST _plugins/_alerting/monitors } } ``` -## Create a document-level monitor +## Create a per document monitor Introduced 2.0 {: .label .label-purple } -You can create a document-level monitor programmatically that functions the same as a per document monitor in OpenSearch Dashboards. The document-level monitor runs a query that checks whether or not the results should trigger an alert notification based on individual documents within an index. +You can create a per document monitor programmatically that functions the same as a per document monitor in OpenSearch Dashboards. The per document monitor allows you to generate an alert on individual documents in an index. It runs a query that checks whether or not the results should trigger an alert notification based on individual documents within an index. This is the only monitor that allows document-level alerting. You can combine multiple queries in a per document monitor by adding a tag to each query and then setting the trigger condition to that tag. -For more information about document-level monitors, see [Monitor types]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#monitor-types). - -OpenSearch provides a Findings index: `.opensearch-alerting-finding*` that contains findings data for all per document monitor queries. +For more information about per document monitors, see [Monitor types]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#monitor-types). ### Search for monitor findings @@ -651,7 +649,7 @@ POST _plugins/_alerting/monitors ### Limitations -If you run a document-level query while the index is getting reindexed, the results will not return the reindexed results. You would need to run the query again to get the updates. +If you run a per document query while the index is getting reindexed, the results will not return the reindexed results. You would need to run the query again to get the updates. {: .tip} ## Update monitor 
diff --git a/_monitoring-plugins/alerting/monitors.md b/_monitoring-plugins/alerting/monitors.md
index 0c9f1fc8..0b9759a0 100644
--- a/_monitoring-plugins/alerting/monitors.md
+++ b/_monitoring-plugins/alerting/monitors.md
@@ -22,21 +22,24 @@ The OpenSearch Dashboard Alerting plugin provides four monitor types: * **per cluster metrics** – This monitor runs API requests on the cluster to monitor its health. * **per document** – This monitor runs a query (or multiple queries combined by a tag) that returns individual documents that match the alert notification trigger condition. -### More about per document monitors +## Per document monitors + +Introduced 2.0 +{: .label .label-purple } The per query and per bucket monitors can only take a single query with one trigger condition. Per document monitors allow you to combine multiple query trigger conditions by adding a tag to the queries. Then you can add the tag as a single trigger condition instead of specifying a single query. The Alerting plugin processes the trigger conditions from all queries as a logical OR operation, so if any of the query conditions are met, it generates the alert notification. -The Alerting plugin also creates a list of document findings data that contains metadata about which document matches each query. Security analytics can use the document findings data to keep track of and analyze the query data separately from the alert processes. - -The following metadata is provided for each document finding entry: - -* **Document** – The document ID and index name. For example: Re5akdirhj3fl | test-logs-index. -* **Query** – The query name that matched the document. -* **Time found** – The timestamp that indicates when the document was found during the runtime. +The Alerting plugin also creates a list of document findings that contains metadata about which document matches each query. Security analytics can use the document findings data to keep track of and analyze the query data separately from the alert processes. ### Document findings -When a per document monitor executes a query that matches a document in an index, a finding is created. 
+When a per document monitor executes a query that matches a document in an index, a finding is created. OpenSearch provides a Findings index: `.opensearch-alerting-finding*` that contains findings data for all per document monitor queries. You can search the findings index with the Alerting API. To learn more, see [Search for monitor findings]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/api/#search-for-monitor-findings). + +The following metadata is provided for each document finding entry: + +* **Document** – The document ID and index name. For example: `Re5akdirhj3fl | test-logs-index`. +* **Query** – The query name that matched the document. +* **Time found** – The timestamp that indicates when the document was found during the runtime. It is possible to configure an alert notification for each finding, however we don't recommend this unless rules are well defined to prevent a huge volume of findings in a high ingestion cluster. @@ -51,6 +54,7 @@ Tag | A label that can be applied to multiple queries to combine them with the l Alert | An event associated with a trigger. When an alert is created, the trigger performs *actions*, which can include sending a notification. Action | The information that you want the monitor to send out after being triggered. Actions have a *destination*, a message subject, and a message body. Destination | A reusable location for an action. Supported locations are Amazon Chime, Email, Slack, or custom webhook. +Finding | An entry for an individual document found by a per document monitor query that contains the Document ID, index name, and timestamp. Findings are stored in the Findings index: `.opensearch-alerting-finding*`. --- From 8dc16205fad6ea8834bf08e628df1852aba46fe4 Mon Sep 17 00:00:00 2001 From: alicejw Date: Wed, 25 May 2022 12:58:08 -0700 Subject: [PATCH 03/16] clarify search monitor API example 
Signed-off-by: alicejw --- _monitoring-plugins/alerting/api.md | 31 ++++++++++++++++------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/_monitoring-plugins/alerting/api.md b/_monitoring-plugins/alerting/api.md index d90e69a1..4990142a 100644 --- a/_monitoring-plugins/alerting/api.md +++ b/_monitoring-plugins/alerting/api.md @@ -24,7 +24,7 @@ Introduced 1.0 Per query monitors run the query and check whether the results should trigger any alerts. As such, per query monitors can only trigger one alert at a time. For more information about per query monitors and per bucket monitors, see [Create monitors]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#create-monitors). -#### Request +#### Sample Request ```json POST _plugins/_alerting/monitors @@ -508,11 +508,11 @@ POST _plugins/_alerting/monitors } } ``` -## Create a per document monitor +## Per document monitors Introduced 2.0 {: .label .label-purple } -You can create a per document monitor programmatically that functions the same as a per document monitor in OpenSearch Dashboards. The per document monitor allows you to generate an alert on individual documents in an index. It runs a query that checks whether or not the results should trigger an alert notification based on individual documents within an index. This is the only monitor that allows document-level alerting. +The per document monitor generates an alert based on an individual document in an index. A per document monitor query checks whether or not the results should trigger an alert notification based on trigger conditions that match individual documents within an index. You can combine multiple queries in a per document monitor by adding a tag to each query and then setting the trigger condition to that tag. 
@@ -537,16 +537,20 @@ The response returns the number of individual finding entries in the `total_find To get more specific results in a findings search, you can use the path parameters defined in the following table: -Path parameter name | Description | Usage +Path parameter | Description | Usage :--- | :--- : :--- -`findingId` | The identifier for the finding entry. | This is returned in the initial query response. -`sortString` | This field sorts the finding. | Default value is `id`. -`sortOrder` | The order to sort the list of findings, either ascending or descending. | Use `sortOrder=asc` to indicate ascending, or `sortOrder=desc` for descending. +`findingId` | The identifier for the finding entry. | The finding ID is returned in the initial query response. +`sortString` | This field sorts the finding. | The default value is `id`. +`sortOrder` | The order to sort the list of findings, either ascending or descending. | Use `sortOrder=asc` to indicate ascending, or `sortOrder=desc` for descending sort order. `size` | The maximum number of results to retrieve. | Can be any integer. `startIndex` | The pagination indicator. | Default is `0`. -`searchString` | The finding attributes that you can specify in the search. | +`searchString` | The finding attribute you want returned in the search. | You might want to search findings for a specific index, provide `searchString=indexABC'. -### How to define a trigger + + +### Create a per document monitor + +#### How to define a trigger A trigger is a conditional statement that you define. When the condition is met by a monitor query, then the monitor generates the alert notification. 
@@ -554,12 +558,11 @@ You can define triggers based on a query name, query ID, or a tag name. The foll Trigger type | Definition | Syntax :--- | :--- : :--- -Tag | Creates alerts for documents that match a unique tag. | query[tag=] -Query | Creates alerts for documents that match a query name. | query[name=] -Unique query | Creates alerts for documents that match a unique query. | query[id=] +Tag | Creates alerts for documents that match a unique tag. | `query[tag=]` +Query | Creates alerts for documents that match a query name. | `query[name=]` +Unique query | Creates alerts for documents that match a unique query. | `query[id=]` - -#### Sample request +#### Sample Request The following sample shows how to create a per document monitor: From a83d2408ec1579e0a4b145ada3d49615ea8d664d Mon Sep 17 00:00:00 2001 From: alicejw Date: Wed, 25 May 2022 13:00:37 -0700 Subject: [PATCH 04/16] key terms to top of page Signed-off-by: alicejw --- _monitoring-plugins/alerting/monitors.md | 25 ++++++++++++------------ 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/_monitoring-plugins/alerting/monitors.md b/_monitoring-plugins/alerting/monitors.md index 0b9759a0..0d459a77 100644 --- a/_monitoring-plugins/alerting/monitors.md +++ b/_monitoring-plugins/alerting/monitors.md 
@@ -22,6 +22,18 @@ The OpenSearch Dashboard Alerting plugin provides four monitor types:
 * **per cluster metrics** – This monitor runs API requests on the cluster to monitor its health.
 * **per document** – This monitor runs a query (or multiple queries combined by a tag) that returns individual documents that match the alert notification trigger condition.
 
+## Key terms
+
+Term | Definition
+:--- | :---
+Monitor | A job that runs on a defined schedule and queries OpenSearch indexes. The results of these queries are then used as input for one or more *triggers*.
+Trigger | Conditions that, if met, generate *alerts*.
+Tag | A label that can be applied to multiple queries to combine them with the logical OR operation in a per document monitor. You can't use tags with other monitor types.
+Alert | An event associated with a trigger. When an alert is created, the trigger performs *actions*, which can include sending a notification.
+Action | The information that you want the monitor to send out after being triggered. Actions have a *destination*, a message subject, and a message body.
+Destination | A reusable location for an action. Supported locations are Amazon Chime, Email, Slack, or custom webhook.
+Finding | An entry for an individual document found by a per document monitor query that contains the Document ID, index name, and timestamp. Findings are stored in the Findings index: `.opensearch-alerting-finding*`.
+
 ## Per document monitors
 
 Introduced 2.0
@@ -43,19 +55,6 @@ The following metadata is provided for each document finding entry: It is possible to configure an alert notification for each finding, however we don't recommend this unless rules are well defined to prevent a huge volume of findings in a high ingestion cluster. - -## Key terms - -Term | Definition -:--- | :--- -Monitor | A job that runs on a defined schedule and queries OpenSearch indexes. The results of these queries are then used as input for one or more *triggers*. -Trigger | Conditions that, if met, generate *alerts*. -Tag | A label that can be applied to multiple queries to combine them with the logical OR operation in a per document monitor. You can't use tags with other monitor types. -Alert | An event associated with a trigger. When an alert is created, the trigger performs *actions*, which can include sending a notification. -Action | The information that you want the monitor to send out after being triggered. Actions have a *destination*, a message subject, and a message body. -Destination | A reusable location for an action. Supported locations are Amazon Chime, Email, Slack, or custom webhook. -Finding | An entry for an individual document found by a per document monitor query that contains the Document ID, index name, and timestamp. Findings are stored in the Findings index: `.opensearch-alerting-finding*`. - --- ## Create destinations From f9107ad07be735435c2a86f0fa9ed2c539c8442b Mon Sep 17 00:00:00 2001 From: alicejw Date: Wed, 25 May 2022 14:02:23 -0700 Subject: [PATCH 05/16] for rewrites Signed-off-by: alicejw --- _monitoring-plugins/alerting/api.md | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/_monitoring-plugins/alerting/api.md b/_monitoring-plugins/alerting/api.md index 4990142a..0c7e282d 100644 --- a/_monitoring-plugins/alerting/api.md +++ b/_monitoring-plugins/alerting/api.md 
@@ -512,9 +512,17 @@ POST _plugins/_alerting/monitors Introduced 2.0 {: .label .label-purple } -The per document monitor generates an alert based on an individual document in an index. A per document monitor query checks whether or not the results should trigger an alert notification based on trigger conditions that match individual documents within an index. +Per document monitors check whether or not individual documents in an index should trigger an alert. You can create trigger conditions based on query names, query IDs, or tags. You can combine multiple queries in a per document monitor by adding a tag to each query and then setting the trigger condition to that tag. -You can combine multiple queries in a per document monitor by adding a tag to each query and then setting the trigger condition to that tag. +You can define triggers based on a query name, query ID, or a tag name. The following table shows the syntax to use for each trigger option: + +When you run a query with a per document monitor, the results are returned for each document that matches the trigger condition. + +Trigger options | Definition | Syntax +:--- | :--- : :--- +Tag | Creates alerts for documents that match a muliple query with this tag applied. If you group multiple queries by a single tag, then you can set it to trigger an alert if the results are returned by this tag name.| `query[tag=]` +Query by name | Creates alerts for documents matched or returned by the named query. | `query[name=]` +Query by ID | Creates alerts for documents that were returned by the identified query. | `query[id=]` For more information about per document monitors, see [Monitor types]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#monitor-types). 
@@ -550,18 +558,6 @@ Path parameter | Description | Usage ### Create a per document monitor -#### How to define a trigger - -A trigger is a conditional statement that you define. When the condition is met by a monitor query, then the monitor generates the alert notification. - -You can define triggers based on a query name, query ID, or a tag name. The following table shows the syntax to use for each trigger option: - -Trigger type | Definition | Syntax -:--- | :--- : :--- -Tag | Creates alerts for documents that match a unique tag. | `query[tag=]` -Query | Creates alerts for documents that match a query name. | `query[name=]` -Unique query | Creates alerts for documents that match a unique query. | `query[id=]` - #### Sample Request The following sample shows how to create a per document monitor: From a2b0e8ecd66ec3d45142465a01fc78ae6afb51e4 Mon Sep 17 00:00:00 2001 From: alicejw Date: Wed, 25 May 2022 14:09:19 -0700 Subject: [PATCH 06/16] for per doc monitor API description Signed-off-by: alicejw --- _monitoring-plugins/alerting/api.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/_monitoring-plugins/alerting/api.md b/_monitoring-plugins/alerting/api.md index 0c7e282d..0450deed 100644 --- a/_monitoring-plugins/alerting/api.md +++ b/_monitoring-plugins/alerting/api.md @@ -558,6 +558,9 @@ Path parameter | Description | Usage ### Create a per document monitor +You can create a per document monitor by calling the `monitors` resource and providing the monitor details in the body of the request. +At a minimum, you need to provide the following details: specify the queries or combinations by tag with the `inputs` field, a valid trigger condition, and provide the notification message in the `action` field. + #### Sample Request The following sample shows how to create a per document monitor: From 6778dc60139e5b4c053ab5feae224653f0e5c197 Mon Sep 17 00:00:00 2001 From: alicejw Date: Wed, 25 May 2022 14:22:26 -0700 Subject: [PATCH 07/16] final update 
Signed-off-by: alicejw --- _monitoring-plugins/alerting/api.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/_monitoring-plugins/alerting/api.md b/_monitoring-plugins/alerting/api.md index 0450deed..2adaedc6 100644 --- a/_monitoring-plugins/alerting/api.md +++ b/_monitoring-plugins/alerting/api.md @@ -512,12 +512,10 @@ POST _plugins/_alerting/monitors Introduced 2.0 {: .label .label-purple } -Per document monitors check whether or not individual documents in an index should trigger an alert. You can create trigger conditions based on query names, query IDs, or tags. You can combine multiple queries in a per document monitor by adding a tag to each query and then setting the trigger condition to that tag. +Per document monitors check whether or not individual documents in an index match trigger conditions to generate an alert notification. When you run a query with a per document monitor, the results are returned for each document that matches the trigger condition. You can create trigger conditions based on query names, query IDs, or tags. You can combine multiple queries in a per document monitor by adding a tag to each query and then setting the trigger condition to that tag. You can define triggers based on a query name, query ID, or a tag name. The following table shows the syntax to use for each trigger option: -When you run a query with a per document monitor, the results are returned for each document that matches the trigger condition. - Trigger options | Definition | Syntax :--- | :--- : :--- Tag | Creates alerts for documents that match a muliple query with this tag applied. If you group multiple queries by a single tag, then you can set it to trigger an alert if the results are returned by this tag name.| `query[tag=]` From 6f35e155ad0c4c7edfe113c2c3b4b7f046e42c35 Mon Sep 17 00:00:00 2001 From: alicejw Date: Wed, 25 May 2022 14:25:04 -0700 Subject: [PATCH 08/16] clarity/concise intro 
Signed-off-by: alicejw --- _monitoring-plugins/alerting/api.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_monitoring-plugins/alerting/api.md b/_monitoring-plugins/alerting/api.md index 2adaedc6..0ecdd28d 100644 --- a/_monitoring-plugins/alerting/api.md +++ b/_monitoring-plugins/alerting/api.md @@ -512,9 +512,9 @@ POST _plugins/_alerting/monitors Introduced 2.0 {: .label .label-purple } -Per document monitors check whether or not individual documents in an index match trigger conditions to generate an alert notification. When you run a query with a per document monitor, the results are returned for each document that matches the trigger condition. You can create trigger conditions based on query names, query IDs, or tags. You can combine multiple queries in a per document monitor by adding a tag to each query and then setting the trigger condition to that tag. +Per document monitors check whether or not individual documents in an index match trigger conditions to generate an alert notification. When you run a query with a per document monitor, the results are returned for each document that matches the trigger condition. You can create trigger conditions based on query names, query IDs, or tags that combine multiple queries. -You can define triggers based on a query name, query ID, or a tag name. The following table shows the syntax to use for each trigger option: +The following table shows the syntax to use for each trigger option: Trigger options | Definition | Syntax :--- | :--- : :--- From efe631d4e2dca0f6405194be269c508111d2d5b5 Mon Sep 17 00:00:00 2001 From: alicejw Date: Wed, 25 May 2022 16:39:13 -0700 Subject: [PATCH 09/16] typo Signed-off-by: alicejw --- _monitoring-plugins/alerting/api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_monitoring-plugins/alerting/api.md b/_monitoring-plugins/alerting/api.md index 0ecdd28d..390dfe91 100644 --- a/_monitoring-plugins/alerting/api.md 
+++ b/_monitoring-plugins/alerting/api.md @@ -518,7 +518,7 @@ The following table shows the syntax to use for each trigger option: Trigger options | Definition | Syntax :--- | :--- : :--- -Tag | Creates alerts for documents that match a muliple query with this tag applied. If you group multiple queries by a single tag, then you can set it to trigger an alert if the results are returned by this tag name.| `query[tag=]` +Tag | Creates alerts for documents that match a multiple query with this tag applied. If you group multiple queries by a single tag, then you can set it to trigger an alert if the results are returned by this tag name.| `query[tag=]` Query by name | Creates alerts for documents matched or returned by the named query. | `query[name=]` Query by ID | Creates alerts for documents that were returned by the identified query. | `query[id=]` From 4756b8a40e585a5b23debb234284735c6b871f61 Mon Sep 17 00:00:00 2001 From: alicejw Date: Thu, 26 May 2022 11:04:23 -0700 Subject: [PATCH 10/16] for tech review updates Signed-off-by: alicejw --- _monitoring-plugins/alerting/api.md | 24 +++++++++++++----------- _monitoring-plugins/alerting/monitors.md | 4 ++-- 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/_monitoring-plugins/alerting/api.md b/_monitoring-plugins/alerting/api.md index 390dfe91..18ab9b18 100644 --- a/_monitoring-plugins/alerting/api.md +++ b/_monitoring-plugins/alerting/api.md @@ -7,7 +7,7 @@ nav_order: 15 # Alerting API -Use the Alerting API to programmatically create, update and manage monitors and alerts. +Use the Alerting API to programmatically create, update, and manage monitors and alerts. --- 
@@ -22,7 +22,7 @@ Use the Alerting API to programmatically create, update and manage monitors and Introduced 1.0 {: .label .label-purple } -Per query monitors run the query and check whether the results should trigger any alerts. As such, per query monitors can only trigger one alert at a time. For more information about per query monitors and per bucket monitors, see [Create monitors]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#create-monitors). +Per query monitors run the query and check whether or not the results should trigger an alert. Per query monitors can only trigger one alert at a time. For more information about per query monitors and per bucket monitors, see [Create monitors]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#create-monitors). #### Sample Request @@ -512,7 +512,7 @@ POST _plugins/_alerting/monitors Introduced 2.0 {: .label .label-purple } -Per document monitors check whether or not individual documents in an index match trigger conditions to generate an alert notification. When you run a query with a per document monitor, the results are returned for each document that matches the trigger condition. You can create trigger conditions based on query names, query IDs, or tags that combine multiple queries. +Per document monitors check whether individual documents in an index match trigger conditions. If so, the monitor generates an alert notification. When you run a query with a per document monitor, the results are returned for each document that matches the trigger condition. You can create trigger conditions based on query names, query IDs, or tags that combine multiple queries. The following table shows the syntax to use for each trigger option: 
@@ -526,12 +526,14 @@ For more information about per document monitors, see [Monitor types]({{site.url ### Search for monitor findings -You can search the findings index `.opensearch-alerting-finding*` for available document findings with a GET request to the findings resource: +You can search the findings index `.opensearch-alerting-finding*` for available document findings with a GET request to the findings resource. To learn more about monitor findings, see [Document findings]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#document-findings). + +By default, a GET request without path parameters returns all available findings. ```json GET /_plugins/_alerting/findings/_search? ``` -The response returns all findings available. + To retrieve metadata for an individual document finding entry, you can search for the finding by its `findingId` as follows: 
@@ -541,22 +543,22 @@ GET /_plugins/_alerting/findings/_search?findingId=gKQhj8WJit3BxjGfiOXC The response returns the number of individual finding entries in the `total_findings` field. -To get more specific results in a findings search, you can use the path parameters defined in the following table: +To get more specific results in a findings search, you can use any of the optional path parameters that are defined in the following table: Path parameter | Description | Usage :--- | :--- : :--- `findingId` | The identifier for the finding entry. | The finding ID is returned in the initial query response. -`sortString` | This field sorts the finding. | The default value is `id`. +`sortString` | This field specifies which string the Alerting plugin uses to sort the findings. | The default value is `id`. `sortOrder` | The order to sort the list of findings, either ascending or descending. | Use `sortOrder=asc` to indicate ascending, or `sortOrder=desc` for descending sort order. -`size` | The maximum number of results to retrieve. | Can be any integer. +`size` | An optional limit for the maximum number of results returned in the response. | There is no minimum or maximum values. `startIndex` | The pagination indicator. | Default is `0`. -`searchString` | The finding attribute you want returned in the search. | You might want to search findings for a specific index, provide `searchString=indexABC'. +`searchString` | The finding attribute you want returned in the search. | To search in a specific index, specify the index name in the request path. For example, to search findings in the `indexABC` index, use `searchString=indexABC'. ### Create a per document monitor -You can create a per document monitor by calling the `monitors` resource and providing the monitor details in the body of the request. +You can create a per document monitor with a POST request that provides the monitor details in the request body. 
At a minimum, you need to provide the following details: specify the queries or combinations by tag with the `inputs` field, a valid trigger condition, and provide the notification message in the `action` field. #### Sample Request @@ -649,7 +651,7 @@ POST _plugins/_alerting/monitors ### Limitations -If you run a per document query while the index is getting reindexed, the results will not return the reindexed results. You would need to run the query again to get the updates. +If you run a per document query while the index is getting reindexed, the API response will not return the reindexed results. To get updates, wait until the reindexing process completes, then rerun the query. {: .tip} ## Update monitor diff --git a/_monitoring-plugins/alerting/monitors.md b/_monitoring-plugins/alerting/monitors.md index 0d459a77..d474e72f 100644 --- a/_monitoring-plugins/alerting/monitors.md +++ b/_monitoring-plugins/alerting/monitors.md 
@@ -32,14 +32,14 @@ Tag | A label that can be applied to multiple queries to combine them with the l Alert | An event associated with a trigger. When an alert is created, the trigger performs *actions*, which can include sending a notification. Action | The information that you want the monitor to send out after being triggered. Actions have a *destination*, a message subject, and a message body. Destination | A reusable location for an action. Supported locations are Amazon Chime, Email, Slack, or custom webhook. -Finding | An entry for an individual document found by a per document monitor query that contains the Document ID, index name, and timestamp. Findings are stored in the Findings index: `.opensearch-alerting-finding*`. +Finding | An entry for an individual document found by a per document monitor query that contains the document ID, index name, and timestamp. Findings are stored in the Findings index: `.opensearch-alerting-finding*`. ## Per document monitors Introduced 2.0 {: .label .label-purple } -The per query and per bucket monitors can only take a single query with one trigger condition. Per document monitors allow you to combine multiple query trigger conditions by adding a tag to the queries. Then you can add the tag as a single trigger condition instead of specifying a single query. The Alerting plugin processes the trigger conditions from all queries as a logical OR operation, so if any of the query conditions are met, it generates the alert notification. +The per query and per bucket monitors can only run a single query with one trigger condition. Per document monitors allow you to combine multiple query trigger conditions by adding a tag to the queries. Then you can add the tag as a single trigger condition instead of specifying a single query. The Alerting plugin processes the trigger conditions from all queries as a logical OR operation, so if any of the query conditions are met, it triggers an alert. 
Next, the Alerting plugin tells the Notifications plugin to send the notification to a channel. The Alerting plugin also creates a list of document findings that contains metadata about which document matches each query. Security analytics can use the document findings data to keep track of and analyze the query data separately from the alert processes. From 1d22b88e34b287f4337797cbb553f1735a66f5b7 Mon Sep 17 00:00:00 2001 From: alicejw Date: Thu, 26 May 2022 11:08:56 -0700 Subject: [PATCH 11/16] remove findings resource mention Signed-off-by: alicejw --- _monitoring-plugins/alerting/api.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/_monitoring-plugins/alerting/api.md b/_monitoring-plugins/alerting/api.md index 18ab9b18..5fd32b8b 100644 --- a/_monitoring-plugins/alerting/api.md +++ b/_monitoring-plugins/alerting/api.md @@ -526,9 +526,10 @@ For more information about per document monitors, see [Monitor types]({{site.url ### Search for monitor findings -You can search the findings index `.opensearch-alerting-finding*` for available document findings with a GET request to the findings resource. To learn more about monitor findings, see [Document findings]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#document-findings). +You can search the findings index `.opensearch-alerting-finding*` for available document findings with a GET request. By default, a GET request without path parameters returns all available findings.. To learn more about monitor findings, see [Document findings]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#document-findings). -By default, a GET request without path parameters returns all available findings. + +To retrieve any available findings, send a GET request without any path parameters as follows: ```json GET /_plugins/_alerting/findings/_search? From 26fafde644e8f8f8f738a7fea3a406e874ebc2c9 Mon Sep 17 00:00:00 2001 
From: alicejw Date: Thu, 26 May 2022 13:13:25 -0700 Subject: [PATCH 12/16] for API renaming throughout Signed-off-by: alicejw --- _monitoring-plugins/alerting/api.md | 30 ++++++++++++------------ _monitoring-plugins/alerting/monitors.md | 2 ++ 2 files changed, 17 insertions(+), 15 deletions(-) diff --git a/_monitoring-plugins/alerting/api.md b/_monitoring-plugins/alerting/api.md index 5fd32b8b..8f361aeb 100644 --- a/_monitoring-plugins/alerting/api.md +++ b/_monitoring-plugins/alerting/api.md @@ -18,11 +18,11 @@ Use the Alerting API to programmatically create, update, and manage monitors and --- -## Create a per query monitor +## Create a query-level monitor Introduced 1.0 {: .label .label-purple } -Per query monitors run the query and check whether or not the results should trigger an alert. Per query monitors can only trigger one alert at a time. For more information about per query monitors and per bucket monitors, see [Create monitors]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#create-monitors). +Query-level monitors run the query and check whether or not the results should trigger an alert. Query-level monitors can only trigger one alert at a time. For more information about query-level monitors and bucket-level monitors, see [Create monitors]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#create-monitors). #### Sample Request 
@@ -250,15 +250,15 @@ For a full list of timezone names, refer to [Wikipedia](https://en.wikipedia.org --- -## Create a per bucket monitor +## Create a bucket-level monitor -Per bucket monitors categorize results into buckets separated by fields. The monitor then runs your script with each bucket's results and evaluates whether to trigger an alert. For more information about per bucket and per query monitors, see [Create monitors]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#create-monitors). +Bucket-level monitors categorize results into buckets separated by fields. The monitor then runs your script with each bucket's results and evaluates whether to trigger an alert. For more information about bucket-level and query-level monitors, see [Create monitors]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#create-monitors). ```json POST _plugins/_alerting/monitors { "type": "monitor", - "name": "Demo per bucket monitor", + "name": "Demo bucket-level monitor", "monitor_type": "bucket_level_monitor", "enabled": true, "schedule": { @@ -379,7 +379,7 @@ POST _plugins/_alerting/monitors "monitor" : { "type" : "monitor", "schema_version" : 4, - "name" : "Demo a per bucket monitor", + "name" : "Demo a bucket-level monitor", "monitor_type" : "bucket_level_monitor", "user" : { "name" : "", 
@@ -508,11 +508,11 @@ POST _plugins/_alerting/monitors } } ``` -## Per document monitors +## Document-level monitors Introduced 2.0 {: .label .label-purple } -Per document monitors check whether individual documents in an index match trigger conditions. If so, the monitor generates an alert notification. When you run a query with a per document monitor, the results are returned for each document that matches the trigger condition. You can create trigger conditions based on query names, query IDs, or tags that combine multiple queries. +Document-level monitors check whether individual documents in an index match trigger conditions. If so, the monitor generates an alert notification. When you run a query with a document-level monitor, the results are returned for each document that matches the trigger condition. You can create trigger conditions based on query names, query IDs, or tags that combine multiple queries. The following table shows the syntax to use for each trigger option: @@ -522,7 +522,7 @@ Tag | Creates alerts for documents that match a multiple query with this tag app Query by name | Creates alerts for documents matched or returned by the named query. | `query[name=]` Query by ID | Creates alerts for documents that were returned by the identified query. | `query[id=]` -For more information about per document monitors, see [Monitor types]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#monitor-types). +To learn more about per document monitors that function similarly to the document-level monitor API, see [Monitor types]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#monitor-types). ### Search for monitor findings 
@@ -557,21 +557,21 @@ Path parameter | Description | Usage -### Create a per document monitor +### Create a document-level monitor -You can create a per document monitor with a POST request that provides the monitor details in the request body. +You can create a document-level monitor with a POST request that provides the monitor details in the request body. At a minimum, you need to provide the following details: specify the queries or combinations by tag with the `inputs` field, a valid trigger condition, and provide the notification message in the `action` field. #### Sample Request -The following sample shows how to create a per document monitor: +The following sample shows how to create a document-level monitor: ```json POST _plugins/_alerting/monitors { "type": "monitor", "monitor_type": "doc_level_monitor", - "name": "Example per document monitor", + "name": "Example document-level monitor", "enabled": true, "schedule": { "period": { @@ -582,7 +582,7 @@ POST _plugins/_alerting/monitors "inputs": [ { "doc_level_input": { - "description": "Example per document monitor for audit logs", + "description": "Example document-level monitor for audit logs", "indices": [ "audit-logs" ], @@ -652,7 +652,7 @@ POST _plugins/_alerting/monitors ### Limitations -If you run a per document query while the index is getting reindexed, the API response will not return the reindexed results. To get updates, wait until the reindexing process completes, then rerun the query. +If you run a document-level query while the index is getting reindexed, the API response will not return the reindexed results. To get updates, wait until the reindexing process completes, then rerun the query. {: .tip} ## Update monitor diff --git a/_monitoring-plugins/alerting/monitors.md b/_monitoring-plugins/alerting/monitors.md index d474e72f..e4a1eead 100644 --- a/_monitoring-plugins/alerting/monitors.md +++ b/_monitoring-plugins/alerting/monitors.md 
@@ -43,6 +43,8 @@ The per query and per bucket monitors can only run a single query with one trigg The Alerting plugin also creates a list of document findings that contains metadata about which document matches each query. Security analytics can use the document findings data to keep track of and analyze the query data separately from the alert processes. +The Alerting API provides a document-level monitor that programmatically accomplishes the same function as the per document monitor in the OpenSearch Dashboards. To learn more, see [Document-level monitors]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/api/#document-level-monitors). + ### Document findings When a per document monitor executes a query that matches a document in an index, a finding is created. OpenSearch provides a Findings index: `.opensearch-alerting-finding*` that contains findings data for all per document monitor queries. You can search the findings index with the Alerting API. To learn more, see [Search for monitor findings]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/api/#search-for-monitor-findings). From 4fcbb1dc6b418f36a77c68f6912f1eaa39d4edeb Mon Sep 17 00:00:00 2001 From: alicejw Date: Thu, 26 May 2022 13:32:45 -0700 Subject: [PATCH 13/16] for additional review updates Signed-off-by: alicejw --- _monitoring-plugins/alerting/api.md | 2 +- _monitoring-plugins/alerting/monitors.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/_monitoring-plugins/alerting/api.md b/_monitoring-plugins/alerting/api.md index 8f361aeb..17976fba 100644 --- a/_monitoring-plugins/alerting/api.md +++ b/_monitoring-plugins/alerting/api.md 
@@ -526,7 +526,7 @@ To learn more about per document monitors that function similarly to the documen ### Search for monitor findings -You can search the findings index `.opensearch-alerting-finding*` for available document findings with a GET request. By default, a GET request without path parameters returns all available findings.. To learn more about monitor findings, see [Document findings]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#document-findings). +You can use the Alerting search API operation to search the findings index `.opensearch-alerting-finding*` for available document findings with a GET request. By default, a GET request without path parameters returns all available findings. To learn more about monitor findings, see [Document findings]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#document-findings). To retrieve any available findings, send a GET request without any path parameters as follows: diff --git a/_monitoring-plugins/alerting/monitors.md b/_monitoring-plugins/alerting/monitors.md index e4a1eead..240a1343 100644 --- a/_monitoring-plugins/alerting/monitors.md +++ b/_monitoring-plugins/alerting/monitors.md 
@@ -47,7 +47,7 @@ The Alerting API provides a document-level monitor that programmatically accompl ### Document findings -When a per document monitor executes a query that matches a document in an index, a finding is created. OpenSearch provides a Findings index: `.opensearch-alerting-finding*` that contains findings data for all per document monitor queries. You can search the findings index with the Alerting API. To learn more, see [Search for monitor findings]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/api/#search-for-monitor-findings). +When a per document monitor executes a query that matches a document in an index, a finding is created. OpenSearch provides a Findings index: `.opensearch-alerting-finding*` that contains findings data for all per document monitor queries. You can search the findings index with the Alerting API search operation. To learn more, see [Search for monitor findings]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/api/#search-for-monitor-findings). The following metadata is provided for each document finding entry: From a1ea42892b3c3a543aff21f6fe01bf4504d7b3f8 Mon Sep 17 00:00:00 2001 From: alicejw Date: Thu, 26 May 2022 13:42:20 -0700 Subject: [PATCH 14/16] for note to refer to api section Signed-off-by: alicejw --- _monitoring-plugins/alerting/monitors.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/_monitoring-plugins/alerting/monitors.md b/_monitoring-plugins/alerting/monitors.md index 240a1343..fbfa7317 100644 --- a/_monitoring-plugins/alerting/monitors.md +++ b/_monitoring-plugins/alerting/monitors.md 
@@ -43,7 +43,9 @@ The per query and per bucket monitors can only run a single query with one trigg The Alerting plugin also creates a list of document findings that contains metadata about which document matches each query. Security analytics can use the document findings data to keep track of and analyze the query data separately from the alert processes. + The Alerting API provides a document-level monitor that programmatically accomplishes the same function as the per document monitor in the OpenSearch Dashboards. To learn more, see [Document-level monitors]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/api/#document-level-monitors). +{: .note} ### Document findings From 0489b7fb7db993b8b2478e97ebe4a12a1f4588ee Mon Sep 17 00:00:00 2001 From: alicejw Date: Thu, 26 May 2022 13:47:59 -0700 Subject: [PATCH 15/16] move tag syntax table to api proc section Signed-off-by: alicejw --- _monitoring-plugins/alerting/api.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/_monitoring-plugins/alerting/api.md b/_monitoring-plugins/alerting/api.md index 17976fba..4920cbd6 100644 --- a/_monitoring-plugins/alerting/api.md +++ b/_monitoring-plugins/alerting/api.md 
@@ -514,14 +514,6 @@ Introduced 2.0 Document-level monitors check whether individual documents in an index match trigger conditions. If so, the monitor generates an alert notification. When you run a query with a document-level monitor, the results are returned for each document that matches the trigger condition. You can create trigger conditions based on query names, query IDs, or tags that combine multiple queries. -The following table shows the syntax to use for each trigger option: - -Trigger options | Definition | Syntax -:--- | :--- : :--- -Tag | Creates alerts for documents that match a multiple query with this tag applied. If you group multiple queries by a single tag, then you can set it to trigger an alert if the results are returned by this tag name.| `query[tag=]` -Query by name | Creates alerts for documents matched or returned by the named query. | `query[name=]` -Query by ID | Creates alerts for documents that were returned by the identified query. | `query[id=]` - To learn more about per document monitors that function similarly to the document-level monitor API, see [Monitor types]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#monitor-types). ### Search for monitor findings 
@@ -556,12 +548,19 @@ Path parameter | Description | Usage `searchString` | The finding attribute you want returned in the search. | To search in a specific index, specify the index name in the request path. For example, to search findings in the `indexABC` index, use `searchString=indexABC'. - ### Create a document-level monitor You can create a document-level monitor with a POST request that provides the monitor details in the request body. At a minimum, you need to provide the following details: specify the queries or combinations by tag with the `inputs` field, a valid trigger condition, and provide the notification message in the `action` field. +The following table shows the syntax to use for each trigger option: + +Trigger options | Definition | Syntax +:--- | :--- : :--- +Tag | Creates alerts for documents that match a multiple query with this tag applied. If you group multiple queries by a single tag, then you can set it to trigger an alert if the results are returned by this tag name.| `query[tag=]` +Query by name | Creates alerts for documents matched or returned by the named query. | `query[name=]` +Query by ID | Creates alerts for documents that were returned by the identified query. | `query[id=]` + #### Sample Request The following sample shows how to create a document-level monitor: From 80e816914db78476404adaf166ff22b0ff616084 Mon Sep 17 00:00:00 2001 From: alicejw Date: Thu, 26 May 2022 13:53:32 -0700 Subject: [PATCH 16/16] for merge conflict resolution Signed-off-by: alicejw --- _monitoring-plugins/alerting/monitors.md | 1 + 1 file changed, 1 insertion(+) diff --git a/_monitoring-plugins/alerting/monitors.md b/_monitoring-plugins/alerting/monitors.md index fbfa7317..8d6f63b3 100644 --- a/_monitoring-plugins/alerting/monitors.md +++ b/_monitoring-plugins/alerting/monitors.md 
@@ -33,6 +33,7 @@ Alert | An event associated with a trigger. When an alert is created, the trigge Action | The information that you want the monitor to send out after being triggered. Actions have a *destination*, a message subject, and a message body. Destination | A reusable location for an action. Supported locations are Amazon Chime, Email, Slack, or custom webhook. Finding | An entry for an individual document found by a per document monitor query that contains the document ID, index name, and timestamp. Findings are stored in the Findings index: `.opensearch-alerting-finding*`. +Channel | A notification channel to use in an action. See [notifications]({{site.url}}{{site.baseurl}}/notifications-plugin/index) for more information. ## Per document monitors