Create alerts with OpenSearch® API

The OpenSearch® alerting feature sends notifications when data from one or more indices meets conditions that you define. Typical use cases include monitoring for HTTP status code 503, a CPU load average above a certain percentage, or the count of a specific keyword in logs over a given interval. Notifications can be delivered via email, Slack, custom webhooks and other destinations; in this example, Slack is the destination.

In the following example, we create an alert programmatically with the OpenSearch Alerting API. We use the sample-host-health index as the data source for a simple alert that checks CPU load; the action is triggered when the average of cpu_usage_percentage over the last 3 minutes is above 75%.

The OpenSearch Alerting API URL can be copied from the Aiven console:

Click the Overview tab, then under Connection Information > OpenSearch copy the Service URI, and append _plugins/_alerting/monitors to it.


Save the JSON below as cpu_alert.json. The `id` and `destination_id` values shown are example values; replace `destination_id` with the ID of the Slack destination configured in your own service.

{
  "name": "High CPU Monitor",
  "type": "monitor",
  "monitor_type": "query_level_monitor",
  "enabled": true,
  "schedule": {
    "period": {
      "unit": "MINUTES",
      "interval": 1
    }
  },
  "inputs": [
    {
      "search": {
        "indices": [
          "sample-host-health"
        ],
        "query": {
          "size": 0,
          "aggregations": {
            "metric": {
              "avg": {
                "field": "cpu_usage_percentage"
              }
            }
          },
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "timestamp": {
                      "gte": "{{period_end}}||-3m",
                      "lte": "{{period_end}}",
                      "format": "epoch_millis"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  ],
  "triggers": [
    {
      "query_level_trigger": {
        "id": "lNbSt30BZGFGbIUYx2bb",
        "name": "high_cpu",
        "severity": "1",
        "condition": {
          "script": {
            "source": "return ctx.results[0].aggregations.metric.value == null ? false : ctx.results[0].aggregations.metric.value > 75",
            "lang": "painless"
          }
        },
        "actions": [
          {
            "id": "ldbSt30BZGFGbIUYx2bb",
            "name": "slack",
            "destination_id": "gkQgp30BRvA_n4QUwZDL",
            "message_template": {
              "source": "Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.\n  - Trigger: {{ctx.trigger.name}}\n  - Severity: {{ctx.trigger.severity}}\n  - Period start: {{ctx.periodStart}}\n  - Period end: {{ctx.periodEnd}}",
              "lang": "mustache"
            },
            "throttle_enabled": false,
            "subject_template": {
              "source": "High CPU Test Alert",
              "lang": "mustache"
            }
          }
        ]
      }
    }
  ],
  "ui_metadata": {
    "schedule": {
      "timezone": null,
      "frequency": "interval",
      "period": {
        "unit": "MINUTES",
        "interval": 1
      },
      "daily": 0,
      "weekly": {
        "tue": false,
        "wed": false,
        "thur": false,
        "sat": false,
        "fri": false,
        "mon": false,
        "sun": false
      },
      "monthly": {
        "type": "day",
        "day": 1
      },
      "cronExpression": "0 */1 * * *"
    },
    "search": {
      "searchType": "graph",
      "timeField": "timestamp",
      "aggregations": [
        {
          "aggregationType": "avg",
          "fieldName": "cpu_usage_percentage"
        }
      ],
      "groupBy": [],
      "bucketValue": 3,
      "bucketUnitOfTime": "m",
      "where": {
        "fieldName": [],
        "fieldRangeEnd": 0,
        "fieldRangeStart": 0,
        "fieldValue": "",
        "operator": "is"
      }
    },
    "monitor_type": "query_level_monitor"
  }
}

Use curl to create the alert:

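# Create the monitor from cpu_alert.json.
# SERVICE_URI is the OpenSearch Service URI copied from the Aiven console
# (Overview > Connection Information); the Alerting endpoint is that URI with
# /_plugins/_alerting/monitors appended. NOTE(review): if the URI embeds
# credentials, export it from a file or secret store instead of typing it
# inline so it does not end up in shell history or process listings.
# -T sends the file as the request body; curl defaults to PUT for -T, so
# -XPOST is required for the monitors endpoint.
curl -XPOST "${SERVICE_URI}/_plugins/_alerting/monitors" \
  -H 'Content-Type: application/json' \
  -T cpu_alert.json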