Easy & Flexible Alerting With Elasticsearch

Looking for Technical  support on Elastalert?

ElastAlert is a simple framework for alerting

Alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.

ElastAlert works with all versions of Elasticsearch.

Yelp, use Elasticsearch, Logstash and Kibana for managing ever increasing amounts of data and logs. Kibana is great for visualizing and querying data, but Yelp quickly realized that it needed a companion tool for alerting on inconsistencies in our data. Out of this need, ElastAlert was created.

If you have data being written into Elasticsearch in near real time and want to be alerted when that data matches certain patterns, ElastAlert is the tool for you. If you can see it in Kibana, ElastAlert can alert on it.


Yelp designed ElastAlert to be reliable, highly modular, and easy to set up and configure.

It works by combining Elasticsearch with two types of components, rule types and alerts. Elasticsearch is periodically queried and the data is passed to the rule type, which determines when a match is found. When a match occurs, it is given to one or more alerts, which take action based on the match.

This is configured by a set of rules, each of which defines a query, a rule type, and a set of alerts.

Several rule types included

Common monitoring paradigms are included with ElastAlert

  • “Match where there are X events in Y time” (frequency type)
  • “Match when the rate of events increases or decreases” (spike type)
  • “Match when there are less than X events in Y time” (flatline type)
  • “Match when a certain field matches a blacklist/whitelist” (blacklist and whitelist type)
  • “Match on any event matching a given filter” (any type)
  • “Match when a field has two different values within some time” (change type)
  • “Match when a never before seen term appears in a field” (new_term type)
  • “Match when the number of unique values for a field is above or below a threshold (cardinality type)

Yelp have support built in for

  • Email
  • JIRA
  • OpsGenie
  • Commands
  • HipChat
  • MS Teams
  • Slack
  • Telegram
  • VictorOps
  • PagerDuty
  • Exotel
  • Twilio
  • Gitter

Additional rule types and alerts can be easily imported or written

In addition to this basic usage, there are many other features that make alerts more useful:

  • Alerts link to Kibana dashboards
  • Aggregate counts for arbitrary fields
  • Combine alerts into periodic reports
  • Separate alerts by using a unique key field
  • Intercept and enhance match data

For more details visit https://github.com/Yelp/elastalert

If you’re interested in Elasticsearch Support or have additional questions, get in touch with us!

2 + 11 =


Corporate Head Quarters

2205 152nd Avenue NE
Redmond, WA 98052

+1 (425) 605 1289

Latin America

(Mexico, Colombia & Chile)

Mexico City

Córdoba 42 Int. 807, Roma Norte, Cuauhtémoc, 06700, Mexico City

+52 (55) 5255 1329

United Kingdom


85 Great Portland Street, First Floor, London, W1W 7LT

+44 2030 971584



The Landing Space, The Embankment, Rockwood Parade, Sligo.

+353 71 915 9710

Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries. Elasticsearch, Kibana, Logstash, and Beats are trademarks of Elasticsearch BV, registered in the U.S. and in other countries. Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries. OpenSearch is licensed under Apache 2.0. All other trademark holders rights are reserved.