elasticsearch/docs/reference/ml/anomaly-detection/ml-configuring-alerts.asciidoc

[role="xpack"]
[[ml-configuring-alerts]]
= Configuring {anomaly-detect} alerts

beta::[]

{anomaly-detect-cap} alerts run scheduled checks on an {anomaly-job} or a group 
of jobs to detect anomalies with certain conditions. If an anomaly meets the 
conditions, the alert triggers the defined action. For example, you can create 
an alert that checks an {anomaly-job} every fifteen minutes for critical 
anomalies and notifies you in an email. This page helps you to configure an 
{anomaly-detect} alert. To learn more about alerts in the {stack}, refer to 
{kibana-ref}/alerting-getting-started.html#alerting-getting-started[Alerting and Actions].


[[creating-anomaly-alerts]]
== Creating an alert

You can create {anomaly-detect} alerts in the {anomaly-job} wizard after you 
start the job, from the job list, or under **{stack-manage-app} > {alerts-ui}**. 
On the *Create alert* window, select *{anomaly-detect-cap} alert* under the 
{ml-cap} section, then give a name to the alert and optionally provide tags.

Specify the time interval for the alert to check detected anomalies. It is 
recommended to select an interval that is close to the bucket span of the 
associated job. You can also select a notification option by using the _Notify_ 
selector. An alert instance remains active as long as anomalies are found for a 
particular {anomaly-job} during the check interval. When there is no anomaly 
found in the next interval, the `Recovered` action group is invoked and the 
status of the alert instance changes to `OK`. For more details, refer to the 
documentation of 
{kibana-ref}/defining-alerts.html#defining-alerts-general-details[general alert details].
  
[role="screenshot"]
image::images/ml-anomaly-alert-type.jpg["Creating an anomaly detection alert"]
  
Select the {anomaly-job} or the group of {anomaly-jobs} that is checked by the 
alert. If you assign additional jobs to the group, the alert automatically 
checks the new jobs the next time when the alert runs.

You can select the result type of the {anomaly-job} that triggers the alert. 
In particular, you can create alerts based on bucket, record, or influencer 
results.

[role="screenshot"]
image::images/ml-anomaly-alert-severity.jpg["Selecting result type, severity, and test interval"]

For each alert, you can configure the `anomaly_score` that triggers it. The 
`anomaly_score` indicates the significance of a given anomaly compared to 
previous anomalies. The default severity threshold is 75 which means every 
anomaly with an `anomaly_score` of 75 or higher triggers the alert.

You can select whether you want the alert to include interim results. Interim 
results are created by the {anomaly-job} before a bucket is finalized. These 
results might disappear after the bucket is fully processed. Include 
interim results if you want to be notified earlier about a potential anomaly 
even if it might be a false positive. If you want to get notified 
only about anomalies of fully processed buckets, do not include interim results.

You can also test the configured conditions against your existing data and check 
the sample results by providing a valid interval for your data. The generated 
preview contains the number of potentially created alert instances during the 
relative time range you defined.


[[defining-actions]]
== Defining actions

As a next step, connect your alert to actions that use supported built-in 
integrations. Actions are {kib} services or third-party integrations that run 
when the alert conditions are met.

[role="screenshot"]
image::images/ml-anomaly-alert-actions.jpg["Selecting action type"]

For example, you can choose _Slack_ as an action type and configure it to send a 
message to a channel you selected. You can also create an index connector that 
writes the JSON object you configure to a specific index. It's also possible to 
customize the notification messages. A list of variables is available to include 
in the message, like job ID, anomaly score, time, or top influencers.

[role="screenshot"]
image::images/ml-anomaly-alert-messages.jpg["Customizing your message"]

After you save the configurations, the alert appears in the *{alerts-ui}* list 
where you can check its status and see the overview of its configuration 
information.

The name of an alert instance is always the same as the job ID of the associated 
{anomaly-job} that triggered the alert. You can mute the notifications for a 
particular {anomaly-job} on the page of the alert that lists the individual 
alert instances. You can open it via *{alerts-ui}* by selecting the alert name.