Creating a Kibana alert rule turns Elasticsearch data into automated detection for conditions like elevated error rates, missing heartbeats, or sudden traffic spikes, enabling faster response when signals change.
The Kibana alerting framework runs rule executors on a schedule in the Kibana server, evaluating a chosen rule type (rule_type_id) with the provided parameters and producing alert instances that can trigger configured actions.
API-based rule creation requires authenticated access, sufficient Kibana privileges for the selected rule type and consumer, and the necessary Elasticsearch index privileges to query the referenced data; requests should be sent over HTTPS and space-aware API paths must be used when working outside the default space.
Steps to create a Kibana alert rule:
- Set Kibana connection variables for API requests.
$ export KIBANA_URL="http://localhost:5601"
$ export KIBANA_API_BASE="$KIBANA_URL/api"
$ export KIBANA_AUTH="elastic:password"
For a non-default space, set KIBANA_API_BASE to $KIBANA_URL/s/<space_id>/api.
Use HTTPS for real credentials and avoid leaving passwords in shell history.
- List available rule types to confirm the desired rule_type_id is present.
$ curl --silent --show-error --fail \
    --user "$KIBANA_AUTH" \
    --header "kbn-xsrf: true" \
    "$KIBANA_API_BASE/alerting/rule_types"
[
  {
    "id": ".index-threshold",
    "name": "Index threshold",
    "action_groups": [
      { "id": "threshold met", "name": "Threshold met" },
      { "id": "recovered", "name": "Recovered" }
    ]
  }
  ##### snipped #####
]
- Create an index threshold rule that counts matching documents in logs-* over the last 5 minutes.
$ curl --silent --show-error --fail \
    --user "$KIBANA_AUTH" \
    --header "kbn-xsrf: true" \
    --header "Content-Type: application/json" \
    --request POST \
    "$KIBANA_API_BASE/alerting/rule" \
    --data @- <<'JSON'
{
  "name": "High error rate",
  "rule_type_id": ".index-threshold",
  "consumer": "alerts",
  "params": {
    "index": ["logs-*"],
    "timeField": "@timestamp",
    "aggType": "count",
    "termSize": 5,
    "thresholdComparator": ">",
    "threshold": [100],
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "groupBy": "all"
  },
  "schedule": { "interval": "1m" },
  "actions": [],
  "tags": ["draft"]
}
JSON
{
  "id": "2f1a6c20-7b50-11ee-9c5f-9b2a1d4d1c2a",
  "name": "High error rate",
  "enabled": true,
  "rule_type_id": ".index-threshold"
}
An empty actions array creates the rule without notifications.
The kbn-xsrf header is required for state-changing Kibana API calls.
- Save the returned rule id for subsequent API calls.
$ export RULE_ID="2f1a6c20-7b50-11ee-9c5f-9b2a1d4d1c2a"
- Fetch the rule details to confirm it is enabled with an ok execution status.
$ curl --silent --show-error --fail \
    --user "$KIBANA_AUTH" \
    --header "kbn-xsrf: true" \
    "$KIBANA_API_BASE/alerting/rule/$RULE_ID"
{
  "id": "2f1a6c20-7b50-11ee-9c5f-9b2a1d4d1c2a",
  "name": "High error rate",
  "enabled": true,
  "schedule": { "interval": "1m" },
  "execution_status": {
    "status": "ok",
    "last_execution_date": "2026-01-05T12:34:00.000Z"
  }
  ##### snipped #####
}
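The same four steps (list rule types, build the rule body, create it, read back its execution status) as one small standard-library Python client. This is an added example, not code from the article or from Kibana: it reuses the KIBANA_API_BASE and KIBANA_AUTH variables set above, and the helper names (build_index_threshold_rule, validate_rule, kibana_request, create_rule) are this example's own. It goes slightly beyond the article by checking the body locally before sending it; the "between"/"notBetween" comparators and the s/m/h/d time units in those checks are assumptions about the index-threshold rule type, since the article only shows ">" and "m".

```python
import base64
import json
import os
import urllib.request

# Comparators grouped by how many threshold values they take. The article shows
# only ">"; the other entries are this example's assumption about the rule type.
ONE_VALUE = {">", ">=", "<", "<="}
TWO_VALUES = {"between", "notBetween"}
# Units assumed valid for timeWindowUnit and schedule.interval (the page uses "m").
TIME_UNITS = {"s", "m", "h", "d"}


def build_index_threshold_rule(name, index_patterns, threshold, comparator=">",
                               window_size=5, window_unit="m", interval="1m",
                               consumer="alerts", tags=None, actions=None):
    """Build the POST /alerting/rule body with the same shape the article sends."""
    return {
        "name": name,
        "rule_type_id": ".index-threshold",
        "consumer": consumer,
        "params": {
            "index": list(index_patterns),
            "timeField": "@timestamp",
            "aggType": "count",
            "termSize": 5,
            "thresholdComparator": comparator,
            "threshold": list(threshold),
            "timeWindowSize": window_size,
            "timeWindowUnit": window_unit,
            "groupBy": "all",
        },
        "schedule": {"interval": interval},
        "actions": list(actions or []),
        "tags": list(tags or []),
    }


def validate_rule(rule):
    """Local pre-flight checks (this example's own, not Kibana's validation).
    Returns a list of problems; an empty list means the body is ready to send."""
    problems = []
    params = rule.get("params", {})
    if not rule.get("name"):
        problems.append("name is required")
    if not params.get("index"):
        problems.append("params.index must list at least one index pattern")
    comparator = params.get("thresholdComparator")
    values = params.get("threshold", [])
    if comparator in ONE_VALUE and len(values) != 1:
        problems.append(f"comparator {comparator!r} needs exactly one threshold value")
    elif comparator in TWO_VALUES and len(values) != 2:
        problems.append(f"comparator {comparator!r} needs exactly two threshold values")
    elif comparator not in ONE_VALUE | TWO_VALUES:
        problems.append(f"unknown thresholdComparator {comparator!r}")
    if params.get("timeWindowUnit") not in TIME_UNITS:
        problems.append("timeWindowUnit must be one of s, m, h, d")
    size = params.get("timeWindowSize")
    if not isinstance(size, int) or size <= 0:
        problems.append("timeWindowSize must be a positive integer")
    interval = rule.get("schedule", {}).get("interval", "")
    if not (interval[:-1].isdigit() and interval[-1:] in TIME_UNITS):
        problems.append("schedule.interval must look like 30s, 1m or 2h")
    return problems


def kibana_request(method, path, body=None, base_url=None, auth=None,
                   opener=urllib.request.urlopen):
    """One Kibana API call. kbn-xsrf is set on every request because Kibana
    rejects state-changing calls without it; credentials come from the
    environment so the password never lands in shell history."""
    base_url = base_url or os.environ["KIBANA_API_BASE"]
    auth = auth or os.environ["KIBANA_AUTH"]
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("kbn-xsrf", "true")
    req.add_header("Authorization", "Basic " + base64.b64encode(auth.encode()).decode())
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with opener(req) as resp:  # opener is injectable so the flow can be exercised offline
        return json.load(resp)


def create_rule(rule, **kw):
    """Validate locally, confirm the rule type is registered for this user and
    space, create the rule, then read back its status: (rule_id, execution_status)."""
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    available = {t["id"] for t in kibana_request("GET", "/alerting/rule_types", **kw)}
    if rule["rule_type_id"] not in available:
        raise RuntimeError(f"rule type {rule['rule_type_id']} is not available here")
    created = kibana_request("POST", "/alerting/rule", body=rule, **kw)
    details = kibana_request("GET", "/alerting/rule/" + created["id"], **kw)
    return created["id"], details.get("execution_status", {}).get("status")


if __name__ == "__main__":
    rule = build_index_threshold_rule("High error rate", ["logs-*"], [100], tags=["draft"])
    print(create_rule(rule))
```

Run it with the same environment variables as the curl steps; it refuses to send a body that fails the local checks, stops if the rule type is not listed for the current user and space, and returns the new rule id together with the execution status that the final GET reports.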
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
