[explore analyze] Move images #866

Merged 2 commits on Mar 21, 2025

10 changes: 5 additions & 5 deletions explore-analyze/alerts-cases/alerts.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ For example, when monitoring a set of servers, a rule might:

Each project type supports a specific set of rule types. Each *rule type* provides its own way of defining the conditions to detect, but an expression formed by a series of clauses is a common pattern. For example, in an {{es}} query rule, you specify an index, a query, and a threshold, which uses a metric aggregation operation (`count`, `average`, `max`, `min`, or `sum`):

:::{image} ../../images/serverless-es-query-rule-conditions.png
:::{image} /explore-analyze/images/serverless-es-query-rule-conditions.png
:alt: UI for defining rule conditions in an {{es}} query rule
:screenshot:
:::
Expand Down Expand Up @@ -56,14 +56,14 @@ Each action uses a connector, which provides connection information for a {{kib}

After you select a connector, set the *action frequency*. If you want to reduce the number of notifications you receive without affecting their timeliness, some rule types support alert summaries. For example, if you create an {{es}} query rule, you can set the action frequency such that you receive summaries of the new, ongoing, and recovered alerts on a custom interval:

:::{image} ../../images/serverless-es-query-rule-action-summary.png
:::{image} /explore-analyze/images/serverless-es-query-rule-action-summary.png
:alt: UI for defining rule conditions in an {{es}} query rule
:screenshot:
:::

Alternatively, you can set the action frequency such that the action runs for each alert. If the rule type does not support alert summaries, this is your only available option. You must choose when the action runs (for example, at each check interval, only when the alert status changes, or at a custom action interval). You must also choose an action group, which affects whether the action runs. Each rule type has a specific set of valid action groups. For example, you can set *Run when* to `Query matched` or `Recovered` for the {{es}} query rule:

:::{image} ../../images/serverless-es-query-rule-recovery-action.png
:::{image} /explore-analyze/images/serverless-es-query-rule-recovery-action.png
:alt: UI for defining a recovery action
:screenshot:
:::
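Review bot: the `:alt:` under the moved `serverless-es-query-rule-action-summary.png` image still reads `UI for defining rule conditions in an {{es}} query rule`, which is the same text used for the rule-conditions image in the first hunk of this file, so screen-reader users get the wrong description for the action-summary screenshot. Since the block is being edited anyway, consider aligning it with the equivalent block in create-manage-rules.md: `:alt: UI for defining alert summary action in an {{es}} query rule`.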
Expand Down Expand Up @@ -93,7 +93,7 @@ To get notified only once when a server exceeds the threshold, you can set the a

You can pass rule values to an action at the time a condition is detected. To view the list of variables available for your rule, click the "add rule variable" button:

:::{image} ../../images/serverless-es-query-rule-action-variables.png
:::{image} /explore-analyze/images/serverless-es-query-rule-action-variables.png
:alt: Passing rule values to an action
:screenshot:
:::
Expand All @@ -110,7 +110,7 @@ Using the server monitoring example, each server with average CPU > 0.9 is track

A rule consists of conditions, actions, and a schedule. When conditions are met, alerts are created that render actions and invoke them. To make action setup and update easier, actions use connectors that centralize the information used to connect with {{kib}} services and third-party integrations. The following example ties these concepts together:

:::{image} ../../images/serverless-rule-concepts-summary.svg
:::{image} /explore-analyze/images/serverless-rule-concepts-summary.svg
:alt: Rules
:screenshot:
:::
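Review bot: `:screenshot:` is set on `serverless-rule-concepts-summary.svg`, which is a concept diagram rather than a UI capture, and the equivalent `kibana-rule-concepts-summary.svg` block elsewhere in this PR carries only `:alt: Rules`. Suggest dropping `:screenshot:` here so the two blocks match, and replacing the alt text `Rules` with a short description of what the diagram shows.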
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@ By default, rules have a `5m` timeout. Rules that run longer than this timeout a

and in the [details page](create-manage-rules.md#rule-details):

:::{image} ../../../images/kibana-rule-details-timeout-error.png
:::{image} /explore-analyze/images/kibana-rule-details-timeout-error.png
:alt: Rule details page with timeout error
:screenshot:
:::
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ navigation_title: Getting started with alerts

Alerting enables you to define *rules*, which detect complex conditions within different {{kib}} apps and trigger actions when those conditions are met. Alerting is integrated with [**{{observability}}**](../../../solutions/observability/incident-management/alerting.md), [**Security**](security-docs://reference/prebuilt-rules/index.md), [**Maps**](../../../explore-analyze/alerts-cases/alerts/geo-alerting.md) and [**{{ml-app}}**](../../../explore-analyze/machine-learning/anomaly-detection/ml-configuring-alerts.md). It can be centrally managed from **{{stack-manage-app}}** and provides a set of built-in [connectors](../../../deploy-manage/manage-connectors.md) and [rules](../../../explore-analyze/alerts-cases/alerts/rule-types.md#stack-rules) for you to use.

:::{image} ../../../images/kibana-alerting-overview.png
:::{image} /explore-analyze/images/kibana-alerting-overview.png
:alt: {{rules-ui}} UI
:::

Expand All @@ -36,7 +36,7 @@ For example, when monitoring a set of servers, a rule might:
* Check every minute (schedule).
* Send a warning email message via SMTP with subject `CPU on {{server}} is high` (action).

:::{image} ../../../images/kibana-what-is-a-rule.svg
:::{image} /explore-analyze/images/kibana-what-is-a-rule.svg
:alt: Three components of a rule
:::

Expand Down Expand Up @@ -89,15 +89,15 @@ When checking for a condition, a rule might identify multiple occurrences of the

Using the server monitoring example, each server with average CPU > 0.9 is tracked as an alert. This means a separate email is sent for each server that exceeds the threshold whenever the alert status changes.

:::{image} ../../../images/kibana-alerts.svg
:::{image} /explore-analyze/images/kibana-alerts.svg
:alt: {{kib}} tracks each detected condition as an alert and takes action on each alert
:::

## Putting it all together [_putting_it_all_together]

A rule consists of conditions, actions, and a schedule. When conditions are met, alerts are created that render actions and invoke them. To make action setup and update easier, actions use connectors that centralize the information used to connect with {{kib}} services and third-party integrations. The following example ties these concepts together:

:::{image} ../../../images/kibana-rule-concepts-summary.svg
:::{image} /explore-analyze/images/kibana-rule-concepts-summary.svg
:alt: Rules
:::

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ The following debugging tools are available:

**{{rules-ui}}** in **{{stack-manage-app}}** lists the rules available in the space you’re currently in. When you click a rule name, you are navigated to the [details page](create-manage-rules.md#rule-details) for the rule, where you can see currently active alerts. The start date on this page indicates when a rule is triggered, and for what alerts. In addition, the duration of the condition indicates how long the instance is active.

:::{image} ../../../images/kibana-rule-details-alerts-inactive.png
:::{image} /explore-analyze/images/kibana-rule-details-alerts-inactive.png
:alt: Alerting management details
:screenshot:
:::
Expand All @@ -40,7 +40,7 @@ The following debugging tools are available:

When creating or editing an index threshold rule, you see a graph of the data the rule will operate against, from some date in the past until now, updated every 5 seconds.

:::{image} ../../../images/kibana-index-threshold-chart.png
:::{image} /explore-analyze/images/kibana-index-threshold-chart.png
:alt: Index Threshold chart
:screenshot:
:::
Expand Down Expand Up @@ -77,7 +77,7 @@ The result of this HTTP request (and printed to stdout by [kbn-action](https://g

The **{{stack-manage-app}}** > **{{rules-ui}}** page contains an error banner that helps to identify the errors for the rules:

:::{image} ../../../images/kibana-rules-management-health.png
:::{image} /explore-analyze/images/kibana-rules-management-health.png
:alt: Rule management page with the errors banner
:screenshot:
:::
Expand Down
22 changes: 11 additions & 11 deletions explore-analyze/alerts-cases/alerts/create-manage-rules.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ The **{{stack-manage-app}}** > **{{rules-ui}}** UI provides a cross-app view of

You can find **Rules** in **Stack Management** > **Alerts and insights** > **Rules** in {{kib}} or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).

![Rules page navigation](../../../images/kibana-stack-management-rules.png "")
![Rules page navigation](/explore-analyze/images/kibana-stack-management-rules.png "")

**{{rules-ui}}** provides a central place to:

Expand Down Expand Up @@ -43,7 +43,7 @@ Depending on the {{kib}} app and context, you might be prompted to choose the ty

Each rule type provides its own way of defining the conditions to detect, but an expression formed by a series of clauses is a common pattern. For example, in an {{es}} query rule, you specify an index, a query, and a threshold, which uses a metric aggregation operation (`count`, `average`, `max`, `min`, or `sum`):

:::{image} ../../../images/kibana-rule-types-es-query-conditions.png
:::{image} /explore-analyze/images/kibana-rule-types-es-query-conditions.png
:alt: UI for defining rule conditions in an {{es}} query rule
:screenshot:
:::
Expand All @@ -68,14 +68,14 @@ If you choose a custom action interval, it cannot be shorter than the rule’s c

For example, if you create an {{es}} query rule, you can send notifications that summarize the new, ongoing, and recovered alerts on a custom interval:

:::{image} ../../../images/kibana-es-query-rule-action-summary.png
:::{image} /explore-analyze/images/kibana-es-query-rule-action-summary.png
:alt: UI for defining alert summary action in an {{es}} query rule
:screenshot:
:::

When you choose to run actions for each alert, you must specify an action group. Each rule type has a set of valid action groups, which affect when an action runs. For example, you can set **Run when** to `Query matched` or `Recovered` for the {{es}} query rule:

:::{image} ../../../images/kibana-es-query-rule-recovery-action.png
:::{image} /explore-analyze/images/kibana-es-query-rule-recovery-action.png
:alt: UI for defining a recovery action
:screenshot:
:::
Expand Down Expand Up @@ -105,7 +105,7 @@ To get notified only once when a server exceeds the threshold, you can set the a

You can pass rule values to an action at the time a condition is detected. To view the list of variables available for your rule, click the "add rule variable" button:

:::{image} ../../../images/kibana-es-query-rule-action-variables.png
:::{image} /explore-analyze/images/kibana-es-query-rule-action-variables.png
:alt: Passing rule values to an action
:screenshot:
:::
Expand All @@ -116,13 +116,13 @@ For more information about common action variables, refer to [*Rule action varia

The rule listing enables you to quickly snooze, disable, enable, or delete individual rules. For example, you can change the state of a rule:

![Use the rule status dropdown to enable or disable an individual rule](../../../images/kibana-individual-enable-disable.png "")
![Use the rule status dropdown to enable or disable an individual rule](/explore-analyze/images/kibana-individual-enable-disable.png "")

If there are rules that are not currently needed, disable them to stop running checks and reduce the load on your cluster.

When you snooze a rule, the rule checks continue to run on a schedule but alerts will not generate actions. You can snooze for a specified period of time, indefinitely, or schedule single or recurring downtimes:

![Snooze notifications for a rule](../../../images/kibana-snooze-panel.png "")
![Snooze notifications for a rule](/explore-analyze/images/kibana-snooze-panel.png "")

When a rule is in a snoozed state, you can cancel or change the duration of this state.

Expand All @@ -143,16 +143,16 @@ You can determine the health of a rule by looking at the **Last response** in **

Click the rule name to access a rule details page:

:::{image} ../../../images/kibana-rule-details-alerts-active.png
:::{image} /explore-analyze/images/kibana-rule-details-alerts-active.png
:alt: Rule details page with multiple alerts
:screenshot:
:::

In this example, the rule detects when a site serves more than a threshold number of bytes in a 24 hour period. Four sites are above the threshold. These are called alerts - occurrences of the condition being detected - and the alert name, status, time of detection, and duration of the condition are shown in this view. Alerts come and go from the list depending on whether the rule conditions are met. For more information about alerts, go to [*View alerts*](view-alerts.md).

If there are rule actions that failed to run successfully, you can see the details on the **History** tab. In the **Message** column, click the warning or expand icon ![double arrow icon to open a flyout with the document details](../../../images/kibana-expand-icon-2.png "") or click the number in the **Errored actions** column to open the **Errored Actions** panel. In this example, the action failed because the [`xpack.actions.email.domain_allowlist`](kibana://reference/configuration-reference/alerting-settings.md#action-config-email-domain-allowlist) setting was updated and the action’s email recipient is no longer included in the allowlist:
If there are rule actions that failed to run successfully, you can see the details on the **History** tab. In the **Message** column, click the warning or expand icon ![double arrow icon to open a flyout with the document details](/explore-analyze/images/kibana-expand-icon-2.png "") or click the number in the **Errored actions** column to open the **Errored Actions** panel. In this example, the action failed because the [`xpack.actions.email.domain_allowlist`](kibana://reference/configuration-reference/alerting-settings.md#action-config-email-domain-allowlist) setting was updated and the action’s email recipient is no longer included in the allowlist:

:::{image} ../../../images/kibana-rule-details-errored-actions.png
:::{image} /explore-analyze/images/kibana-rule-details-errored-actions.png
:alt: Rule histor page with alerts that have errored actions
:screenshot:
:::
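Review bot: typo in the context line `:alt: Rule histor page with alerts that have errored actions` under the `kibana-rule-details-errored-actions.png` image; it should read `Rule history page`. Worth fixing in this PR because the image block is already being touched.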
Expand All @@ -172,7 +172,7 @@ Some rule types cannot be exported through this interface:

Rules are disabled on export. You are prompted to re-enable the rule on successful import.

:::{image} ../../../images/kibana-rules-imported-banner.png
:::{image} /explore-analyze/images/kibana-rules-imported-banner.png
:alt: Rules import banner
:screenshot:
:::
6 changes: 3 additions & 3 deletions explore-analyze/alerts-cases/alerts/geo-alerting.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ In **{{stack-manage-app}}** > **{{rules-ui}}**, click **Create rule**. Select th

When you create a tracking containment rule, you must define the conditions that it detects. For example:

:::{image} ../../../images/kibana-alert-types-tracking-containment-conditions.png
:::{image} /explore-analyze/images/kibana-alert-types-tracking-containment-conditions.png
:alt: Creating a tracking containment rule in Kibana
:screenshot:
:::
Expand All @@ -41,7 +41,7 @@ For each action, you must choose a connector, which provides connection informat

After you select a connector, you must set the action frequency. You can choose to create a summary of alerts on each check interval or on a custom interval. Alternatively, you can set the action frequency such that actions run for each alert. Choose how often the action runs (at each check interval, only when the alert status changes, or at a custom action interval). You must also choose an action group, which indicates whether the action runs when the containment condition is met or when an entity is no longer contained. Each connector supports a specific set of actions for each action group. For example:

:::{image} ../../../images/kibana-alert-types-tracking-containment-action-options.png
:::{image} /explore-analyze/images/kibana-alert-types-tracking-containment-action-options.png
:alt: Action frequency options for an action
:screenshot:
:::
Expand All @@ -52,7 +52,7 @@ You can further refine the conditions under which actions run by specifying that

You can pass rule values to an action to provide contextual details. To view the list of variables available for each action, click the "add rule variable" button. For example:

:::{image} ../../../images/kibana-alert-types-tracking-containment-rule-action-variables.png
:::{image} /explore-analyze/images/kibana-alert-types-tracking-containment-rule-action-variables.png
:alt: Passing rule values to an action
:screenshot:
:::
Expand Down
6 changes: 3 additions & 3 deletions explore-analyze/alerts-cases/alerts/maintenance-windows.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ mapped_urls:

# Maintenance windows

This content applies to: [![Observability](../../../images/serverless-obs-badge.svg "")](../../../solutions/observability.md) [![Security](../../../images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md)
This content applies to: [![Observability](/explore-analyze/images/serverless-obs-badge.svg "")](../../../solutions/observability.md) [![Security](/explore-analyze/images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md)


::::{warning}
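Review bot: on the "This content applies to" line, the badge image sources are now root-relative (`/explore-analyze/images/serverless-obs-badge.svg`) while the link targets wrapping them stay relative (`../../../solutions/observability.md`), so a single line mixes both path styles. If the aim of the move is paths that survive relocating the file, consider converting the link targets as well, or state in the PR description that only image paths are in scope.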
Expand Down Expand Up @@ -40,7 +40,7 @@ In **Management > {{stack-manage-app}} > Maintenance Windows** or **{{project-se

When you create a maintenance window, you must provide a name and a schedule. You can optionally configure it to repeat daily, monthly, yearly, or on a custom interval.

:::{image} ../../../images/kibana-create-maintenance-window.png
:::{image} /explore-analyze/images/kibana-create-maintenance-window.png
:alt: The Create Maintenance Window user interface in {{kib}}
:screenshot:
:::
Expand All @@ -49,7 +49,7 @@ By default, maintenance windows affect all categories of rules. The category-spe

If you turn on **Filter alerts**, you can use KQL to filter the alerts affected by the maintenance window:

:::{image} ../../../images/kibana-create-maintenance-window-filter.png
:::{image} /explore-analyze/images/kibana-create-maintenance-window-filter.png
:alt: The Create Maintenance Window user interface in {{kib}} with alert filters turned on
:screenshot:
:::
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -435,4 +435,4 @@ You can create the following Mustache template in the email action for your rule

When rendered into Markdown and then HTML and viewed in an email client, it looks like this:

![Email template rendered in an email client](../../../images/kibana-email-mustache-template-rendered.png "")
![Email template rendered in an email client](/explore-analyze/images/kibana-email-mustache-template-rendered.png "")