• Persistence: all task state and scheduling is stored in Elasticsearch, so if Kibana is restarted, alerts and actions will pick up where they left off.
    • Scaling: multiple Kibana instances can read from and update the same task queue in Elasticsearch, allowing the alerting and action load to be distributed across instances. In cases where a Kibana instance no longer has capacity to run alert checks or actions, capacity can be increased by adding additional Kibana instances.
    • Tasks are then claimed by updating them in the Elasticsearch index, using optimistic concurrency control to prevent conflicts. Each Kibana instance can run a maximum of 10 concurrent tasks, so a maximum of 10 tasks are claimed each interval.
    • Tasks are run on the Kibana server.
    • In the case of alerts which are recurring background checks, upon completion the task is scheduled again according to the .
    • Alerts use a small check interval. The lowest interval possible is 3 seconds, though intervals of 30 seconds or higher are recommended.
    • Long running tasks occupy slots for an extended time, leaving fewer slots for other tasks.
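
The claim step described above, modelled as an added example (not Kibana's own code): an in-memory `Map` stands in for the Elasticsearch task index, and a per-document `version` field plays the role of the value checked by optimistic concurrency control. The names `makeIndex`, `poll`, `claim` and `simulate` are hypothetical.

```javascript
// In-memory stand-in for the task index (constructed sample data).
// Every write bumps `version`, so a writer holding an old version is rejected.
const MAX_CONCURRENT = 10; // per-instance limit stated on the page

function makeIndex(n) {
  const docs = new Map();
  for (let i = 0; i < n; i++) docs.set(`task-${i}`, { version: 1, owner: null });
  return docs;
}

// Read phase: snapshot up to `limit` unclaimed tasks and the version seen.
function poll(index, limit = MAX_CONCURRENT) {
  const seen = [];
  for (const [id, doc] of index) {
    if (doc.owner === null && seen.length < limit) seen.push({ id, version: doc.version });
  }
  return seen;
}

// Write phase: an update succeeds only if the version is unchanged since the read.
function claim(index, instance, seen) {
  const won = [];
  const conflicts = [];
  for (const { id, version } of seen) {
    const doc = index.get(id);
    if (doc.version !== version) { // stale read: another instance wrote first
      conflicts.push(id);
      continue;
    }
    index.set(id, { version: version + 1, owner: instance });
    won.push(id);
  }
  return { won, conflicts };
}

// Two instances poll in the same interval and see the same 10 tasks.
function simulate() {
  const index = makeIndex(25);
  const seenA = poll(index);
  const seenB = poll(index);
  const a = claim(index, 'kibana-a', seenA);         // wins all 10
  const b = claim(index, 'kibana-b', seenB);         // all 10 conflict
  const b2 = claim(index, 'kibana-b', poll(index));  // next interval: next 10
  const unclaimed = [...index.values()].filter((d) => d.owner === null).length;
  return { a, b, b2, unclaimed };
}
```

No task ends up with two owners, and the instance that loses every conflict does no work until its next poll, which is one reason tasks can start later than scheduled when several instances share a queue.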
