You are viewing docs on Elastic's new documentation system, currently in technical preview. For all other Elastic docs, visit

Generate anomaly detection alerts

Generate alerts when anomalies match specific conditions.

Required role

The Editor role or higher is required to create anomaly detection rules. To learn more, refer to Assign user roles and privileges.

Anomaly detection alerting is in beta

The Anomaly detection alerting functionality is in beta and is subject to change. The design and code is less mature than official generally available features and is being provided as-is with no warranties.

Use the alerting feature in Elastic Observability to set up rules that check for anomalies in one or more anomaly detection jobs. If the conditions of the rule are met, an alert is created, and any actions specified in the rule are triggered. For example, you can create a rule to check every fifteen minutes for critical anomalies and then alert you by email when they are detected.

The alerting feature supports a wide range of actions that enable you to send alerts to:

  • Email
  • Jira
  • Slack
  • ServiceNow
  • PagerDuty
  • Many other third-party tools and systems

Create an anomaly detection alert rule

  1. In your Observability project, go to AIOpsAnomaly detection.

  2. In the list of anomaly detection jobs, find the job you want to check for anomalies. Haven't created a job yet? Create one now.

  3. From the Actions menu next to the job, select Create alert rule.

  4. Specify a name and optional tags for the rule. You can use these tags later to filter alerts.

  5. Verify that the correct job is selected and configure the alert details:

  6. For the result type:

    Choose...To generate an alert based on...
    How unusual the anomaly was within the bucket of time
    What individual anomalies are present in a time range
    The most unusual entities in a time range
  7. Adjust the Severity to match the anomaly score that will trigger the action. The anomaly score indicates the significance of a given anomaly compared to previous anomalies. The default severity threshold is 75, which means every anomaly with an anomaly score of 75 or higher will trigger the associated action.

  8. (Optional) Turn on Include interim results to include results that are created by the anomaly detection job before a bucket is finalized. These results might disappear after the bucket is fully processed. Include interim results if you want to be notified earlier about a potential anomaly even if it might be a false positive.

  9. (Optional) Expand and change Advanced settings:

    Lookback interval
    The interval used to query previous anomalies during each condition check. Setting the lookback interval lower than the default value might result in missed anomalies.
    Number of latest buckets
    The number of buckets to check to obtain the highest anomaly from all the anomalies that are found during the Lookback interval. An alert is created based on the anomaly with the highest anomaly score from the most anomalous bucket.
  10. (Optional) Under Check the rule condition with an interval, specify an interval, then click Test to check the rule condition with the interval specified. The button is grayed out if the datafeed is not started. To test the rule, start the data feed.

  11. (Optional) If you want to change how often the condition is evaluated, adjust the Change every setting.

  12. (Optional) If you want the alert to trigger an action, define actions.

Define actions

Add one or more actions to your rule to generate notifications when the rule's conditions are met and when they are no longer met.

Each action uses a connector. The connector stores connection information for the service or supported third-party integration where you want to send the notifications. For example, you can use a Slack connector to send a message to a channel. Or you can use an index connector that writes an JSON object to a specific index.

You must set the action frequency, which involves choosing how often to run the action (for example, at each check interval, only when the alert status changes, or at a custom action interval). Each rule type also has a list of valid action groups and you must choose one of these groups (for example, the action runs when the issue is detected or when it is recovered).

  1. In the Actions section of the Create rule flyout, select a connector type.
  2. Select an existing connector, or click Create a connector to create a new one and configure the connector. Each connector has different settings. For details about configuring a specific type of connector, refer to the Connectors documentation. Note that the connectors documentation may contain details that are not valid when using a fully-managed Elastic project.
  3. In the Action frequency list, choose how often the action runs (on status changes, on check intervals, or on custom action intervals).
  4. In the Run when list, choose when you want the action to run (for example, when the anomaly score matched the condition or was recovered).
  5. (Optional) Customize the notification messages for each action by using action variables in the message. For a list of available action variables, refer to Action variables. Note that the actions documentation may contain details that are not valid when using a fully-managed Elastic project.
  6. Save the rule.


Anomaly detection alert rules are defined as part of a job. Alerts generated by these rules do not appear on the Alerts page.

Edit an anomaly detection alert rule

To edit an anomaly detection rule:

  1. In your Observability project, go to AIOpsAnomaly detection.
  2. Expand the job that uses the rule you want to edit.
  3. On the Job settings tab, under Alert rules, click the rule to edit it.

On this page