Search Alerts tool

Introduced 2.13

The SearchAlertsTool retrieves information about generated alerts. For more information about alerts, see Alerting.

Step 1: Register a flow agent that will run the SearchAlertsTool

A flow agent runs a sequence of tools in order and returns the last tool’s output. To create a flow agent, send the following register agent request:

    POST /_plugins/_ml/agents/_register
    {
      "name": "Test_Agent_For_Search_Alerts_Tool",
      "type": "flow",
      "description": "this is a test agent for the SearchAlertsTool",
      "memory": {
        "type": "demo"
      },
      "tools": [
        {
          "type": "SearchAlertsTool",
          "name": "DemoSearchAlertsTool",
          "parameters": {}
        }
      ]
    }


For parameter descriptions, see Register parameters.

OpenSearch responds with an agent ID:

    {
      "agent_id": "EuJYYo0B9RaBCvhuy1q8"
    }

Step 2: Run the agent

Run the agent by sending the following request:

    POST /_plugins/_ml/agents/EuJYYo0B9RaBCvhuy1q8/_execute
    {
      "parameters": {
        "question": "Do I have any alerts?"
      }
    }


OpenSearch responds with a list of generated alerts and the total number of alerts:

    {
      "inference_results": [
        {
          "output": [
            {
              "name": "response",
              "result": "Alerts=[Alert(id=rv9nYo0Bk4MTqirc_DkW, version=394, schemaVersion=5, monitorId=ZuJnYo0B9RaBCvhuEVux, workflowId=, workflowName=, monitorName=test-monitor-2, monitorVersion=1, monitorUser=User[name=admin, backend_roles=[admin], roles=[own_index, all_access], custom_attribute_names=[], user_requested_tenant=null], triggerId=ZeJnYo0B9RaBCvhuEVul, triggerName=t-1, findingIds=[], relatedDocIds=[], state=ACTIVE, startTime=2024-02-01T02:03:18.420Z, endTime=null, lastNotificationTime=2024-02-01T08:36:18.409Z, acknowledgedTime=null, errorMessage=null, errorHistory=[], severity=1, actionExecutionResults=[], aggregationResultBucket=null, executionId=ZuJnYo0B9RaBCvhuEVux_2024-02-01T02:03:18.404853331_51c18f2c-5923-47c3-b476-0f5a66c6319b, associatedAlertIds=[])]TotalAlerts=1"
            }
          ]
        }
      ]
    }

If no alerts are found, OpenSearch responds with an empty array in the results:

    {
      "inference_results": [
        {
          "output": [
            {
              "name": "response",
              "result": "Alerts=[]TotalAlerts=0"
            }
          ]
        }
      ]
    }
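The tool returns the alerts as a single string in the `Alerts=[Alert(...)]TotalAlerts=N` shape shown above rather than as JSON, so anything downstream (a triage script, a dashboard) has to parse it. The following is an added example, not part of the OpenSearch documentation or the ML Commons plugin: it splits that string while respecting the nested `User[...]` and list values, and then picks out the alerts that are still ACTIVE and unacknowledged. The sample input is constructed from the response format above with made-up values.

```python
import re

# Constructed sample in the shape of the "result" string shown above
# (two alerts so the splitting logic is exercised; values are made up).
SAMPLE_RESULT = (
    "Alerts=[Alert(id=rv9nYo0Bk4MTqirc_DkW, version=394, monitorId=ZuJnYo0B9RaBCvhuEVux, "
    "workflowId=, monitorName=test-monitor-2, monitorUser=User[name=admin, "
    "backend_roles=[admin], roles=[own_index, all_access]], triggerName=t-1, "
    "state=ACTIVE, startTime=2024-02-01T02:03:18.420Z, endTime=null, "
    "acknowledgedTime=null, errorHistory=[], severity=1), "
    "Alert(id=ab12, version=3, monitorId=mon-2, workflowId=, monitorName=test-monitor-3, "
    "monitorUser=User[name=admin, backend_roles=[admin], roles=[all_access]], "
    "triggerName=t-2, state=ACKNOWLEDGED, startTime=2024-02-01T03:00:00.000Z, "
    "endTime=null, acknowledgedTime=2024-02-01T04:00:00.000Z, errorHistory=[], "
    "severity=2)]TotalAlerts=2"
)

def _split_top_level(text):
    """Split on commas that are not nested inside [] or (), so User[...] and
    list-valued fields stay in one piece."""
    parts, buf, depth = [], [], 0
    for ch in text:
        if ch in "[(":
            depth += 1
        elif ch in "])":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts

def parse_search_alerts_result(result):
    """Turn 'Alerts=[Alert(...), ...]TotalAlerts=N' into (list of dicts, N).
    Empty values stay "", the literal null becomes None."""
    m = re.fullmatch(r"Alerts=\[(.*)\]TotalAlerts=(\d+)", result, re.DOTALL)
    if not m:
        raise ValueError("unexpected SearchAlertsTool result format")
    alerts = []
    for entry in _split_top_level(m.group(1)):          # "" -> no entries
        if not (entry.startswith("Alert(") and entry.endswith(")")):
            raise ValueError("unexpected alert entry: %r" % entry[:40])
        fields = {}
        for kv in _split_top_level(entry[len("Alert("):-1]):
            key, _, value = kv.partition("=")              # split on first '='
            fields[key] = None if value == "null" else value
        alerts.append(fields)
    return alerts, int(m.group(2))

def unacknowledged_active(result):
    """IDs of alerts still ACTIVE and never acknowledged: triage these first."""
    alerts, _ = parse_search_alerts_result(result)
    return [a["id"] for a in alerts
            if a.get("state") == "ACTIVE" and a.get("acknowledgedTime") is None]
```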

Register parameters

The following table lists all tool parameters that are available when registering an agent. All parameters are optional.

| Parameter | Type | Description |
| --- | --- | --- |
| alertIds | Array | A list of alert IDs to search for. |
| monitorId | String | The ID of the monitor by which to filter the alerts. |
| workflowIds | Array | A list of workflow IDs by which to filter the alerts. |
| alertState | String | The alert state by which to filter the alerts. Valid values are ALL, ACTIVE, ERROR, COMPLETED, and ACKNOWLEDGED. Default is ALL. |
| severityLevel | String | The severity level by which to filter the alerts. Valid values are ALL, 1, 2, and 3. Default is ALL. |
| searchString | String | The search string to use for searching for a specific alert. |
| sortOrder | String | The sort order of the results. Valid values are asc (ascending) and desc (descending). Default is asc. |
| sortString | String | Specifies the monitor field by which to sort the results. Default is monitor_name.keyword. |
| size | Integer | The number of results to return. Default is 20. |
| startIndex | Integer | The paginated index of the alert to start from. Default is 0. |

Execute parameters

The following table lists all tool parameters that are available when running the agent.

| Parameter | Type | Required/Optional | Description |
| --- | --- | --- | --- |
| question | String | Required | The natural language question to send to the LLM. |