Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update geo alerting docs to just cover geo containment #90480

Merged
merged 2 commits into from
Feb 8, 2021
Merged

Update geo alerting docs to just cover geo containment #90480

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0183d96
Remove geo threshold refs and sections. Revise wording
Feb 5, 2021
23e1c06
Update geo alert selection image
Feb 5, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 7 additions & 60 deletions docs/user/alerting/geo-alert-types.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,16 @@
[role="xpack"]
[[geo-alert-types]]
== Geo alert types
[[geo-alerting]]
== Geo alerting

Two additional stack alerts are available:
<<alert-type-tracking-threshold>> and <<alert-type-tracking-containment>>.
Alerting now includes one additional stack alert: <<alert-type-tracking-containment>>.

As with other stack alerts, you need `all` access to the *Stack Alerts* feature
to be able to create and edit either of the geo alerts.
to be able to create and edit a geo alert.
See <<kibana-feature-privileges, feature privileges>> for more information on configuring roles that provide access to this feature.

[float]
=== Geo alert requirements

To create either a *Tracking threshold* or a *Tracking containment* alert, the
following requirements must be present:
=== Geo alerting requirements
To create a *Tracking containment* alert, the following requirements must be present:

- *Tracks index or index pattern*: An index containing a `geo_point` field, `date` field,
and some form of entity identifier. An entity identifier is a `keyword` or `number`
Expand All @@ -33,62 +30,12 @@ than the current time minus the amount of the interval. If data older than

[float]
=== Creating a geo alert
Both *threshold* and *containment* alerts can be created by clicking the *Create*
button in the <<alert-management, alert management UI>>.
Click the *Create* button in the <<alert-management, alert management UI>>.
Complete the <<defining-alerts-general-details, general alert details>>.
Select <<alert-type-tracking-threshold>> to generate an alert when an entity crosses a boundary, and you desire the
ability to highlight lines of crossing on a custom map.
Select
<<alert-type-tracking-containment>> if an entity should send out constant alerts
while contained within a boundary (this feature is optional) or if the alert is generally
just more focused around activity when an entity exists within a shape.

[role="screenshot"]
image::images/alert-types-tracking-select.png[Choosing a tracking alert type]

[NOTE]
==================================================
With recent advances in the alerting framework, most of the features
available in Tracking threshold alerts can be replicated with just
a little more work in Tracking containment alerts. The capabilities of Tracking
threshold alerts may be deprecated or folded into Tracking containment alerts
in the future.
==================================================

[float]
[[alert-type-tracking-threshold]]
=== Tracking threshold
The Tracking threshold alert type runs an {es} query over indices, comparing the latest
entity locations with their previous locations. In the event that an entity has crossed a
boundary from the selected boundary index, an alert may be generated.

[float]
==== Defining the conditions
Tracking threshold has a *Delayed evaluation offset* and 4 clauses that define the
condition to detect, as well as 2 Kuery bars used to provide additional filtering
context for each of the indices.

[role="screenshot"]
image::images/alert-types-tracking-threshold-conditions.png[Five clauses define the condition to detect]


Delayed evaluation offset:: If a data source lags or is intermittent, you may supply
an optional value to evaluate alert conditions following a fixed delay. For instance, if data
is consistently indexed 5-10 minutes following its original timestamp, a *Delayed evaluation
offset* of `10 minutes` would ensure that alertable instances are still captured.
Index (entity):: This clause requires an *index or index pattern*, a *time field* that will be used for the *time window*, and a *`geo_point` field* for tracking.
By:: This clause specifies the field to use in the previously provided
*index or index pattern* for tracking Entities. An entity is a `keyword`
or `number` field that consistently identifies the entity to be tracked.
When entity:: This clause specifies which crossing option to track. The values
*Entered*, *Exited*, and *Crossed* can be selected to indicate which crossing conditions
should trigger an alert. *Entered* alerts on entry into a boundary, *Exited* alerts on exit
from a boundary, and *Crossed* alerts on all boundary crossings whether they be entrances
or exits.
Index (Boundary):: This clause requires an *index or index pattern*, a *`geo_shape` field*
identifying boundaries, and an optional *Human-readable boundary name* for better alerting
messages.

[float]
[[alert-type-tracking-containment]]
=== Tracking containment
Expand Down
Binary file modified docs/user/alerting/images/alert-types-tracking-select.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.