Documentationbreadcrumb arrow Pluginsbreadcrumb arrow OpenSearchbreadcrumb arrow Alerting
Grafana Cloud Enterprise Open source
Last reviewed: March 26, 2026

OpenSearch alerting

The OpenSearch data source supports Grafana’s unified alerting system. You can create alert rules that query OpenSearch data and trigger notifications when specified conditions are met. Alert queries are executed on the Grafana server through the backend plugin, not in the browser.

For more information about Grafana alerting, refer to the Grafana alerting documentation.

Before you begin

Supported query types

Alerting works with queries that return numeric time-series data that can be evaluated against a threshold or condition. The following table describes alerting support for each query type:

Query typeAlerting supportNotes
Lucene - MetricYesUse metric aggregations with a Date Histogram bucket aggregation.
Lucene - LogsNoReturns log data, not numeric time series.
Lucene - Raw DataNoReturns raw documents, not numeric time series.
Lucene - Raw DocumentNoReturns raw document JSON, not numeric time series.
Lucene - TracesNoReturns trace data, not numeric time series.
PPL - Time seriesYesRequires exactly two columns: a time field and a numeric value field.
PPL - TableLimitedReturns table frames; may work for simple threshold conditions.
PPL - LogsNoReturns log data, not numeric time series.

Note

The default PPL format is Table. To use PPL queries with alerting, change the Format drop-down to Time series in the query editor.

Create an alert rule

To create an alert rule using OpenSearch data:

  1. Navigate to Alerting > Alert rules.
  2. Click New alert rule.
  3. Select the OpenSearch data source.
  4. Build a query that returns numeric time-series data (refer to the examples in the following section).
  5. Define the alert condition, for example, when the average value exceeds a threshold.
  6. Configure notification settings.
  7. Click Save rule and exit.

For detailed instructions, refer to Create alert rules.

Alert query examples

The following examples show queries that produce data compatible with alerting evaluation.

Lucene metric query

To alert on the average value of a numeric field, create a Lucene Metric query:

  1. Set Lucene Query Type to Metric.
  2. Enter a Lucene query to filter documents, for example status:[500 TO 599].
  3. Select Average as the metric aggregation and choose a numeric field.
  4. Set the bucket aggregation to Date Histogram with an appropriate interval.

This produces a time series of average values that can be evaluated against a threshold condition, for example “alert when average response time exceeds 2000ms.”

PPL time-series query

To alert using a PPL query, set the Format to Time series and write a query that returns exactly two columns – a timestamp and a numeric value:

source = my_index | eval dateValue = timestamp(timestamp) | stats count(response) by dateValue

This produces a time series of response counts that can be evaluated against a threshold condition, for example “alert when count exceeds 1000 per interval.”

Note

If the PPL query returns more or fewer than two columns, or if the value column isn’t numeric, the query fails with an error such as “response should have 2 fields” or “found non-numerical value in value field.”