Management

Alerting indexes

The alerting feature creates several indexes and one alias. The Security plugin demo script configures them as system indexes for an extra layer of protection. Don’t delete these indexes or modify their contents without using the alerting APIs.

| Index | Purpose |
| --- | --- |
| .opendistro-alerting-alerts | Stores ongoing alerts. |
| .opendistro-alerting-alert-history-<date> | Stores a history of completed alerts. |
| .opendistro-alerting-config | Stores monitors, triggers, and destinations. Take a snapshot of this index to back up your alerting configuration. |
| .opendistro-alerting-alert-history-write (alias) | Provides a consistent URI for the .opendistro-alerting-alert-history-<date> index. |

All alerting indexes are hidden by default. For a summary, make the following request:

    GET _cat/indices?expand_wildcards=open,hidden

Alerting settings

We don’t recommend changing these settings; the defaults should work well for most use cases.

All settings are available using the OpenSearch _cluster/settings API. None require a restart, and all can be marked persistent or transient. To learn more about static and dynamic settings, see Configuring OpenSearch.

| Setting | Default | Description |
| --- | --- | --- |
| plugins.scheduled_jobs.enabled | true | Whether the alerting plugin is enabled or not. If disabled, all monitors immediately stop running. |
| plugins.alerting.index_timeout | 60s | The timeout for creating monitors and destinations using the REST APIs. |
| plugins.alerting.request_timeout | 10s | The timeout for miscellaneous requests from the plugin. |
| plugins.alerting.action_throttle_max_value | 24h | The maximum amount of time you can set for action throttling. By default, this value displays as 1440 minutes in OpenSearch Dashboards. |
| plugins.alerting.input_timeout | 30s | How long the monitor can take to issue the search request. |
| plugins.alerting.bulk_timeout | 120s | How long the monitor can write alerts to the alert index. |
| plugins.alerting.alert_backoff_count | 3 | The number of retries for writing alerts before the operation fails. |
| plugins.alerting.alert_backoff_millis | 50ms | The amount of time to wait between retries. Increases exponentially after each failed retry. |
| plugins.alerting.alert_history_rollover_period | 12h | How frequently to check whether the .opendistro-alerting-alert-history-write alias should roll over to a new history index and whether the Alerting plugin should delete any history indexes. |
| plugins.alerting.move_alerts_backoff_millis | 250 | The amount of time to wait between retries. Increases exponentially after each failed retry. |
| plugins.alerting.move_alerts_backoff_count | 3 | The number of retries for moving alerts to a deleted state after their monitor or trigger has been deleted. |
| plugins.alerting.monitor.max_monitors | 1000 | The maximum number of monitors users can create. |
| plugins.alerting.alert_history_max_age | 30d | The oldest document to store in the .opendistro-alert-history-<date> index before creating a new index. If the number of alerts in this time period does not exceed alert_history_max_docs, alerting creates one history index per period (e.g. one index every 30 days). |
| plugins.alerting.alert_history_max_docs | 1000 | The maximum number of alerts to store in the .opendistro-alert-history-<date> index before creating a new index. |
| plugins.alerting.alert_history_enabled | true | Whether to create .opendistro-alerting-alert-history-<date> indexes. |
| plugins.alerting.alert_history_retention_period | 60d | The amount of time to store history indexes before automatically deleting them. |
| plugins.alerting.destination.allow_list | ["chime", "slack", "custom_webhook", "email", "test_action"] | The list of allowed destinations. If you don’t want to allow users to use a certain type of destination, you can remove it from this list, but we recommend leaving this setting as-is. |
| plugins.alerting.filter_by_backend_roles | "false" | Restricts access to monitors by backend role. See Alerting security. |
| plugins.alerting.cross_cluster_monitoring_enabled | "false" | Toggles whether cluster metrics monitors support running against remote clusters. |
| plugins.scheduled_jobs.sweeper.period | 5m | The alerting feature uses its “job sweeper” component to periodically check for new or updated jobs. This setting is the rate at which the sweeper checks to see if any jobs (monitors) have changed and need to be rescheduled. |
| plugins.scheduled_jobs.sweeper.page_size | 100 | The page size for the sweeper. You shouldn’t need to change this value. |
| plugins.scheduled_jobs.sweeper.backoff_millis | 50ms | The amount of time the sweeper waits between retries. Increases exponentially after each failed retry. |
| plugins.scheduled_jobs.sweeper.retry_count | 3 | The total number of times the sweeper should retry before throwing an error. |
| plugins.scheduled_jobs.request_timeout | 10s | The timeout for the request that sweeps shards for jobs. |
| plugins.alerting.comments_enabled | false | Enables or disables comments for the Alerting plugin. |
| plugins.alerting.comments_history_max_docs | 1000 | The maximum number of comments to store in the .opensearch-alerting-comments-history-<date> index before creating a new index. |
| plugins.alerting.comments_history_max_age | 30d | The oldest document to store in an .opensearch-alerting-comments-history-<date> index before creating a new one. If the number of comments in the specified time period does not exceed comments_history_max_docs, then 1 index is created per period (for example, 1 every 30 days). |
| plugins.alerting.comments_history_rollover_period | 12h | How often to determine whether the .opensearch-alerting-comments-history-write alias should roll over to a new index and delete old comment history indexes. |
| plugins.alerting.comments_history_retention_period | 60d | The amount of time to keep comment history indexes before automatic deletion. |
| plugins.alerting.max_comment_character_length | 2000 | The maximum character length of a comment. |
| plugins.alerting.max_comments_per_alert | 500 | The maximum number of comments that can be posted on an alert. |
| plugins.alerting.max_comments_per_notification | 3 | The maximum number of comments per alert to include in the ctx Mustache template variable for alert notifications. |
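
Because every setting above can be changed at runtime through the _cluster/settings API, it is worth checking which values a cluster is actually running with. The following is an added example, not part of the OpenSearch documentation: it takes the body of a `GET _cluster/settings?include_defaults=true&flat_settings=true` response and reports the access-control and coverage-related settings from the table that differ from their documented defaults. The function names and the sample response are constructed for illustration.

```python
# Added example (illustrative names). key -> (documented default, table note)
# Input: body of GET _cluster/settings?include_defaults=true&flat_settings=true
WATCHED = {
    "plugins.scheduled_jobs.enabled":
        ("true", "if disabled, all monitors immediately stop running"),
    "plugins.alerting.alert_history_enabled":
        ("true", "whether alert history indexes are created"),
    "plugins.alerting.filter_by_backend_roles":
        ("false", "restricts access to monitors by backend role"),
    "plugins.alerting.cross_cluster_monitoring_enabled":
        ("false", "cluster metrics monitors may run against remote clusters"),
    "plugins.alerting.destination.allow_list":
        (["chime", "slack", "custom_webhook", "email", "test_action"],
         "the list of allowed destinations"),
}

def effective(settings, key):
    """Return (value, source); transient beats persistent, which beats defaults."""
    for source in ("transient", "persistent", "defaults"):
        if key in settings.get(source, {}):
            return settings[source][key], source
    return WATCHED[key][0], "documented default"

def normalize(value):
    """Lower-case scalars and sort lists so comparison ignores case and order."""
    if isinstance(value, list):
        return sorted(str(v).lower() for v in value)
    return str(value).lower()

def audit(settings):
    """Return each watched setting whose effective value differs from its default."""
    findings = []
    for key, (default, note) in WATCHED.items():
        value, source = effective(settings, key)
        if normalize(value) != normalize(default):
            findings.append({"setting": key, "value": value,
                             "source": source, "note": note})
    return findings

# Constructed sample response, not captured from a real cluster.
SAMPLE = {
    "persistent": {"plugins.alerting.filter_by_backend_roles": "true",
                   "plugins.scheduled_jobs.enabled": "true"},
    "transient": {"plugins.scheduled_jobs.enabled": "false"},
    "defaults": {"plugins.alerting.cross_cluster_monitoring_enabled": "false"},
}
for finding in audit(SAMPLE):
    print("{setting} = {value!r} ({source}): {note}".format(**finding))
```

The reported source matters when reviewing a finding: a transient override does not survive a full cluster restart, while a persistent one does.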