mirror of
https://github.com/elastic/kibana.git
synced 2025-04-23 09:19:04 -04:00
Update geo alerting docs to just cover geo containment (#90480)
This commit is contained in:
Aaron Caldwell
GitHub
parent
ea96eeccb4
commit
5176aa6bc7
2 changed files with 7 additions and 60 deletions
|
|
@ -1,19 +1,16 @@
|
|||
[role="xpack"]
|
||||
[[geo-alert-types]]
|
||||
== Geo alert types
|
||||
[[geo-alerting]]
|
||||
== Geo alerting
|
||||
|
||||
Two additional stack alerts are available:
|
||||
<<alert-type-tracking-threshold>> and <<alert-type-tracking-containment>>.
|
||||
Alerting now includes one additional stack alert: <<alert-type-tracking-containment>>.
|
||||
|
||||
As with other stack alerts, you need `all` access to the *Stack Alerts* feature
|
||||
to be able to create and edit either of the geo alerts.
|
||||
to be able to create and edit a geo alert.
|
||||
See <<kibana-feature-privileges, feature privileges>> for more information on configuring roles that provide access to this feature.
|
||||
|
||||
[float]
|
||||
=== Geo alert requirements
|
||||
|
||||
To create either a *Tracking threshold* or a *Tracking containment* alert, the
|
||||
following requirements must be present:
|
||||
=== Geo alerting requirements
|
||||
To create a *Tracking containment* alert, the following requirements must be present:
|
||||
|
||||
- *Tracks index or index pattern*: An index containing a `geo_point` field, `date` field,
|
||||
and some form of entity identifier. An entity identifier is a `keyword` or `number`
|
||||
|
|
@ -33,62 +30,12 @@ than the current time minus the amount of the interval. If data older than
|
|||
|
||||
[float]
|
||||
=== Creating a geo alert
|
||||
Both *threshold* and *containment* alerts can be created by clicking the *Create*
|
||||
button in the <<alert-management, alert management UI>>.
|
||||
Click the *Create* button in the <<alert-management, alert management UI>>.
|
||||
Complete the <<defining-alerts-general-details, general alert details>>.
|
||||
Select <<alert-type-tracking-threshold>> to generate an alert when an entity crosses a boundary, and you desire the
|
||||
ability to highlight lines of crossing on a custom map.
|
||||
Select
|
||||
<<alert-type-tracking-containment>> if an entity should send out constant alerts
|
||||
while contained within a boundary (this feature is optional) or if the alert is generally
|
||||
just more focused around activity when an entity exists within a shape.
|
||||
|
||||
[role="screenshot"]
|
||||
image::images/alert-types-tracking-select.png[Choosing a tracking alert type]
|
||||
|
||||
[NOTE]
|
||||
==================================================
|
||||
With recent advances in the alerting framework, most of the features
|
||||
available in Tracking threshold alerts can be replicated with just
|
||||
a little more work in Tracking containment alerts. The capabilities of Tracking
|
||||
threshold alerts may be deprecated or folded into Tracking containment alerts
|
||||
in the future.
|
||||
==================================================
|
||||
|
||||
[float]
|
||||
[[alert-type-tracking-threshold]]
|
||||
=== Tracking threshold
|
||||
The Tracking threshold alert type runs an {es} query over indices, comparing the latest
|
||||
entity locations with their previous locations. In the event that an entity has crossed a
|
||||
boundary from the selected boundary index, an alert may be generated.
|
||||
|
||||
[float]
|
||||
==== Defining the conditions
|
||||
Tracking threshold has a *Delayed evaluation offset* and 4 clauses that define the
|
||||
condition to detect, as well as 2 Kuery bars used to provide additional filtering
|
||||
context for each of the indices.
|
||||
|
||||
[role="screenshot"]
|
||||
image::images/alert-types-tracking-threshold-conditions.png[Five clauses define the condition to detect]
|
||||
|
||||
|
||||
Delayed evaluation offset:: If a data source lags or is intermittent, you may supply
|
||||
an optional value to evaluate alert conditions following a fixed delay. For instance, if data
|
||||
is consistently indexed 5-10 minutes following its original timestamp, a *Delayed evaluation
|
||||
offset* of `10 minutes` would ensure that alertable instances are still captured.
|
||||
Index (entity):: This clause requires an *index or index pattern*, a *time field* that will be used for the *time window*, and a *`geo_point` field* for tracking.
|
||||
By:: This clause specifies the field to use in the previously provided
|
||||
*index or index pattern* for tracking Entities. An entity is a `keyword`
|
||||
or `number` field that consistently identifies the entity to be tracked.
|
||||
When entity:: This clause specifies which crossing option to track. The values
|
||||
*Entered*, *Exited*, and *Crossed* can be selected to indicate which crossing conditions
|
||||
should trigger an alert. *Entered* alerts on entry into a boundary, *Exited* alerts on exit
|
||||
from a boundary, and *Crossed* alerts on all boundary crossings whether they be entrances
|
||||
or exits.
|
||||
Index (Boundary):: This clause requires an *index or index pattern*, a *`geo_shape` field*
|
||||
identifying boundaries, and an optional *Human-readable boundary name* for better alerting
|
||||
messages.
|
||||
|
||||
[float]
|
||||
[[alert-type-tracking-containment]]
|
||||
=== Tracking containment
|
||||
|
|
|
|||
Binary file not shown.
|
Before Width: | Height: | Size: 37 KiB After Width: | Height: | Size: 29 KiB |
Loading…
Add table
Add a link
Reference in a new issue