Kibana Connectors

Name: Kibana Connectors
Author: elastic

elastic/agent-skills

Wire Kibana alerting rules to Slack, email, webhooks, and other connectors with correct per-action frequency and Mustache variables.

Overview

Kibana Connectors is an agent skill for the Operate phase that documents how to structure Kibana alerting rule actions, connector params, and Mustache variables for production notifications.

Install

npx skills add https://github.com/elastic/agent-skills --skill kibana-connectors

What is this skill?

Per-action frequency objects with summary, notify_when, and throttle instead of deprecated rule-level fields
Mustache variable tables for common and rule-type-specific alert context in connector params
Action group semantics (query matched, threshold met, Recovered) discoverable via GET /api/alerting/rule_types
JSON action structure linking connector id, group, params, and frequency in one place
Design reference for Elastic Stack operators using Kibana Alerting and Actions

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 1.1k installs on skills.sh; 502 GitHub stars; 2/3 security scanners passed (skills.sh audits).

What problem does it solve?

You have Kibana rules firing but connector actions use wrong groups, deprecated throttle settings, or empty Mustache context in messages.

Who is it for?

Solo builders self-hosting Elastic Stack who configure alerting rules and need accurate action JSON and template variables.

Skip if: Teams with no Kibana deployment or who only need generic webhook tutorials unrelated to Elastic alerting APIs.

When should I use this skill?

When configuring Kibana rule actions, connector message templates, or migrating off deprecated rule-level notify_when and throttle.

What do I get? / Deliverables

You configure per-action frequency and templated params that match rule types and connector APIs so alerts notify correctly on match, throttle, and recovery.

Rule action JSON with per-action frequency
Mustache-param message bodies for connector channels

Recommended Skills

Azure Deploymicrosoft/azure-skills

Azure Deploy is a Microsoft agent skill that executes cloud releases for applications that are already planned and valid…374k installs·1.2k stars

Azure Preparemicrosoft/azure-skills

Azure Prepare is Microsoft's skill for getting applications ready to run on Azure—writing the deployment plan, generatin…374k installs·1.2k stars

Azure Storagemicrosoft/azure-skills

Azure Storage skill helps agents pick the right Azure storage service—Blob for objects, Files for SMB shares, Queues for…374k installs·1.2k stars

Azure Validatemicrosoft/azure-skills

Microsoft-guided preflight validation for Azure deployments including IaC, identity, and service-specific readiness.374k installs·1.2k stars

Appinsights Instrumentationmicrosoft/azure-skills

appinsights-instrumentation is a Microsoft Azure-skills package that walks solo builders through enabling Application In…374k installs·1.2k stars

Azure Resource Lookupmicrosoft/azure-skills

Azure Resource Lookup is a Microsoft agent skill that helps solo builders and small teams answer “what do I have in Azur…373k installs·1.2k stars

Journey fit

Primary fit

OperateMonitoring & observability

Alerting connectors are configured after the stack is running, when solo builders need reliable incident notification without editing rules blindly in the UI. Monitoring is the canonical shelf because the skill documents rule actions, throttling, and template variables for live alert delivery—not initial cluster install.

Also useful

ShipCI/CD & deploy

How it compares

Use as an Elastic-specific alerting reference instead of generic notification skill docs that omit action groups and Mustache context.

Common Questions / FAQ

Who is kibana-connectors for?

It is for indie operators and small teams running Kibana who wire detection and threshold rules to external connectors and want API-accurate action and template guidance.

When should I use kibana-connectors?

Use it in Operate when tuning incident routing, fixing deprecated rule-level notify_when, or authoring Mustache messages for query-matched and recovery action groups.

Is kibana-connectors safe to install?

Review the Security Audits panel on this Prism page and inspect the skill source in your agent before granting network or secrets access to live clusters.

SKILL.md

READMESKILL.md - Kibana Connectors

# Connectors and Actions in Rules: Design Reference

## Action Structure

Each action in a rule references a connector and has its own `frequency` configuration:

```json
{
  "id": "<connector-id>",
  "group": "query matched",
  "params": { "message": "{{rule.name}} fired: {{context.reason}}" },
  "frequency": {
    "summary": false,
    "notify_when": "onActionGroupChange",
    "throttle": null
  }
}
```

- `group`: The action group (e.g., `"query matched"`, `"threshold met"`, `"Recovered"`). Each rule type defines its
  valid groups. Discover them via `GET /api/alerting/rule_types`.
- `frequency.summary`: `true` for a summary of all alerts; `false` to run per-alert.
- `frequency.notify_when`: `onActionGroupChange` | `onActiveAlert` | `onThrottleInterval`.
- `frequency.throttle`: Minimum interval between repeated notifications (e.g., `"10m"`). Only applies when `notify_when`
  is `onThrottleInterval`.

> **Deprecated:** Do not set `notify_when` or `throttle` at the rule level. These are deprecated in favour of per-action
> `frequency` objects and will be auto-converted if the rule is edited in the Kibana UI.

## Action Variables (Mustache Templates)

Action `params` use [Mustache](https://mustache.github.io/mustache.5.html) syntax to inject rule and alert values at
runtime.

### Common variables (all rule types)

| Variable            | Description                                                   |
| ------------------- | ------------------------------------------------------------- |
| `{{rule.id}}`       | Rule identifier                                               |
| `{{rule.name}}`     | Rule name                                                     |
| `{{rule.tags}}`     | Rule tags                                                     |
| `{{rule.url}}`      | Deep link to rule in Kibana (requires `server.publicBaseUrl`) |
| `{{date}}`          | ISO timestamp when the action was scheduled                   |
| `{{kibanaBaseUrl}}` | Kibana base URL                                               |

### Per-alert variables (`summary: false`)

| Variable                       | Description                                                                  |
| ------------------------------ | ---------------------------------------------------------------------------- |
| `{{alert.id}}`                 | Alert instance ID (e.g., the grouped value like a host name)                 |
| `{{alert.uuid}}`               | Stable UUID for the alert lifecycle                                          |
| `{{alert.actionGroup}}`        | Action group that triggered the action                                       |
| `{{alert.flapping}}`           | Whether the alert is flapping                                                |
| `{{alert.consecutiveMatches}}` | Number of consecutive rule runs that matched                                 |
| `{{context.*}}`                | Rule-type-specific context (e.g., `{{context.reason}}`, `{{context.value}}`) |

### Summary variables (`summary: true`)

| Variable                     | Description                |
| ---------------------------- | -------------------------- |
| `{{alerts.new.count}}`       | Count of new alerts        |
| `{{alerts.ongoing.count}}`   | Count of ongoing alerts    |
| `{{alerts.recovered.count}}` | Count of recovered alerts  |
| `{{alerts.all.count}}`       | Total count                |
| `{{alerts.new.data}}`        | Array of new alert objects |

### Iterating over arrays

For rule types that return multiple hits (e.g., ES Query rules):

```mustache
{{#context.hits}} - {{_source.message}} ({{_source.@timestamp}})
{{/context.hits}}
```

### Debugging templates

Use `{{{.}}}` in any action body to dump the entire variable context as a JSON object. Remove before enabling the rule
in production.

## Mustache Lambdas

Kibana provides built-in lambdas for advanced template rendering:

```mustache
# Round a numeric value
{{#EvalMath}} round(context.value, 2) {{/EvalMath

What is this skill?

Per-action frequency objects with summary, notify_when, and throttle instead of deprecated rule-level fields

Mustache variable tables for common and rule-type-specific alert context in connector params

Action group semantics (query matched, threshold met, Recovered) discoverable via GET /api/alerting/rule_types

JSON action structure linking connector id, group, params, and frequency in one place

Design reference for Elastic Stack operators using Kibana Alerting and Actions

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 1.1k installs on skills.sh; 502 GitHub stars; 2/3 security scanners passed (skills.sh audits).

Journey fit

Primary fit

OperateMonitoring & observability

Also useful

ShipCI/CD & deploy

SKILL.md

READMESKILL.md - Kibana Connectors

# Connectors and Actions in Rules: Design Reference

## Action Structure

Each action in a rule references a connector and has its own `frequency` configuration:

```json
{
  "id": "<connector-id>",
  "group": "query matched",
  "params": { "message": "{{rule.name}} fired: {{context.reason}}" },
  "frequency": {
    "summary": false,
    "notify_when": "onActionGroupChange",
    "throttle": null
  }
}
```

- `group`: The action group (e.g., `"query matched"`, `"threshold met"`, `"Recovered"`). Each rule type defines its
  valid groups. Discover them via `GET /api/alerting/rule_types`.
- `frequency.summary`: `true` for a summary of all alerts; `false` to run per-alert.
- `frequency.notify_when`: `onActionGroupChange` | `onActiveAlert` | `onThrottleInterval`.
- `frequency.throttle`: Minimum interval between repeated notifications (e.g., `"10m"`). Only applies when `notify_when`
  is `onThrottleInterval`.

> **Deprecated:** Do not set `notify_when` or `throttle` at the rule level. These are deprecated in favour of per-action
> `frequency` objects and will be auto-converted if the rule is edited in the Kibana UI.

## Action Variables (Mustache Templates)

Action `params` use [Mustache](https://mustache.github.io/mustache.5.html) syntax to inject rule and alert values at
runtime.

### Common variables (all rule types)

| Variable            | Description                                                   |
| ------------------- | ------------------------------------------------------------- |
| `{{rule.id}}`       | Rule identifier                                               |
| `{{rule.name}}`     | Rule name                                                     |
| `{{rule.tags}}`     | Rule tags                                                     |
| `{{rule.url}}`      | Deep link to rule in Kibana (requires `server.publicBaseUrl`) |
| `{{date}}`          | ISO timestamp when the action was scheduled                   |
| `{{kibanaBaseUrl}}` | Kibana base URL                                               |

### Per-alert variables (`summary: false`)

| Variable                       | Description                                                                  |
| ------------------------------ | ---------------------------------------------------------------------------- |
| `{{alert.id}}`                 | Alert instance ID (e.g., the grouped value like a host name)                 |
| `{{alert.uuid}}`               | Stable UUID for the alert lifecycle                                          |
| `{{alert.actionGroup}}`        | Action group that triggered the action                                       |
| `{{alert.flapping}}`           | Whether the alert is flapping                                                |
| `{{alert.consecutiveMatches}}` | Number of consecutive rule runs that matched                                 |
| `{{context.*}}`                | Rule-type-specific context (e.g., `{{context.reason}}`, `{{context.value}}`) |

### Summary variables (`summary: true`)

| Variable                     | Description                |
| ---------------------------- | -------------------------- |
| `{{alerts.new.count}}`       | Count of new alerts        |
| `{{alerts.ongoing.count}}`   | Count of ongoing alerts    |
| `{{alerts.recovered.count}}` | Count of recovered alerts  |
| `{{alerts.all.count}}`       | Total count                |
| `{{alerts.new.data}}`        | Array of new alert objects |

### Iterating over arrays

For rule types that return multiple hits (e.g., ES Query rules):

```mustache
{{#context.hits}} - {{_source.message}} ({{_source.@timestamp}})
{{/context.hits}}
```

### Debugging templates

Use `{{{.}}}` in any action body to dump the entire variable context as a JSON object. Remove before enabling the rule
in production.

## Mustache Lambdas

Kibana provides built-in lambdas for advanced template rendering:

```mustache
# Round a numeric value
{{#EvalMath}} round(context.value, 2) {{/EvalMath

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Who is kibana-connectors for?

When should I use kibana-connectors?

Is kibana-connectors safe to install?

SKILL.md

This week for builders

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Who is kibana-connectors for?

When should I use kibana-connectors?

Is kibana-connectors safe to install?

SKILL.md