Elastic
Elastic is a data visualization, analysis, and observability platform that helps monitor your system data in real time. This workflow lets you send actionable alerts to on-call resources when xMatters gets a signal from Elastic through the xMatters connector in Elastic. Responders can initiate an incident with the press of a button, or you can build on the flow to perform automated resolution tasks.
How it works
When an alert is generated in Elastic, it sends a JSON-formatted webhook to xMatters based on user-defined alert rules. An Elastic Alerts trigger in xMatters parses the webhook and initiates a flow. The webhook includes essential alert data you can use to enrich notifications to users or when building automated tasks.
Install the workflow
The following instructions describe how to install the workflow through the xMatters one-click installation process.
- Go to the Workflow Templates page and click the Elastic tile.
- On the Set up the Workflow tab, give the workflow a name that identifies its purpose (this must be unique in your instance), add an optional description, and set the default incident type (if applicable). Any built-in Initiate Incident steps in the workflow will automatically be set to the selected incident type.
- You can edit these later, if needed.
- Click Next to set up the connection.
- Choose the authentication method. A trigger URL is generated based on the selected authentication method.
- Copy the trigger URL — you’ll use this to configure the webhook in Elastic.
- The trigger URL includes the recipients parameter, which specifies who should be notified. By default, this parameter is set to notify you (the logged in user), but you can set it to target any user or group you want.
- Send a test signal to the trigger URL to test the connection.
- Click Open Workflow to view and customize the workflow, or Close to return to the Workflows page.
Configure Elastic to send requests to the trigger URL
To have Elastic send alerts to the flow trigger, configure the xMatters connector with the trigger URL.
- In Elastic, select the project you want to connect to xMatters.
- Under Kibana, select Stack Management.
- Click Alerts and Actions, then select Connectors from the left-hand menu.
- Select xMatters from the list of available connectors.
- On the xMatters connector window, give the connector a unique name.
- Select whether to use Basic or URL Authentication.
- For Basic Authentication:
- Initiation URL: paste the trigger URL you copied from the Elastic Alerts (Connector) trigger in Flow Designer into the Initiation URL field.
- Add the target names of any recipients you want to notify when the alert fires. For example, if you want to notify Emma Pearson, Mary McBride, and the on-call members in the Monitor Team responsible for the service, you'd add ?recipients=epearson,mmcbride,monitor%20team to the URL. You must URL-encode any special characters or spaces in the target names.
- Enter the Username and Password for the authenticating user.
- For URL Authentication:
- Initiation URL: paste the xMatters trigger URL you copied from the Elastic Alerts (Connector) trigger in Flow Designer.
- Add the target names of any recipients you want to notify when the alert fires. For example, if you want to notify Barry Gull and the on-call members in the Antares Team, you'd add &recipients=bgull,Antares%20team to the URL. You must URL-encode any special characters or spaces in the target names.
- Click Save, or Save & test to test the connector.
If you click Save & test, the Edit connector window opens, and you can set parameters for your test.
- Expand the Severity drop-down menu to select a severity level.
- Add any optional tags.
- Click Run to run the test.
The connector sends the test request to xMatters and the results of the test are displayed in the Results section of the window.
- Click Save & close.
You're ready to use the connector to trigger automated flows, including steps such as sending alerts and initiating incidents, though we always recommend testing before putting things into use.
Set recipients in the trigger URL
The trigger expects the recipients in the trigger URL. When you copy the URL from xMatters, it includes the recipients parameter: recipients=<yourname>. Of course, you don’t want to receive all the alerts.
To change the recipients for alerts from this webhook, swap out your name for the people or groups you want to target.
- For URL authentication, use an ampersand to attach recipients. For example, if you want to notify Emma Pearson and the on-call members in the group responsible for the Antares service, you'd add &recipients=epearson,antares to the URL.
- For other authentication types, use a question mark to attach recipients. For example, if you want to notify Barry Gull and the on-call members in the group responsible for the Cassiopeia service, you'd add ?recipients=bgull,cassiopeia to the URL.
Remember to URL-encode any special characters, including spaces, in your group names.
We recommend using groups so you can take advantage of the xMatters group features — rotations, escalations, and absences — to reach the right on-call people to jump on an issue.
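The question-mark-versus-ampersand rule and the URL-encoding requirement above can be applied mechanically instead of by hand. The following is an added example, not code from xMatters or Elastic: it replaces the recipients=<yourname> value in a copied trigger URL with the targets you choose, percent-encodes each target name on its own so commas stay as separators, and picks ? or & by checking whether the URL already carries other query parameters (URL Authentication keeps its key there). The host, trigger id and apiKey value in the sample URLs are constructed placeholders, not real values.

```python
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def encode_recipients(targets):
    """Percent-encode each target name individually so spaces become %20 and
    other special characters are escaped, while the commas that separate
    targets are left intact (e.g. 'Monitor Team' -> 'Monitor%20Team')."""
    return ",".join(quote(t.strip(), safe="") for t in targets if t.strip())


def set_recipients(trigger_url, targets):
    """Return trigger_url with its recipients parameter replaced by `targets`.

    The URL copied from xMatters already carries recipients=<yourname>; that
    value is dropped. If any other parameter remains in the query string (URL
    Authentication places its key there) the new parameter is attached with
    '&'; otherwise it is attached with '?'. That is the same rule the
    instructions give, derived from the URL itself rather than remembered.
    """
    if not targets:
        raise ValueError("at least one recipient is required")
    parts = urlsplit(trigger_url)
    # keep every existing parameter except recipients, preserving order
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != "recipients"]
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in kept)
    recipients = "recipients=" + encode_recipients(targets)
    query = f"{query}&{recipients}" if query else recipients
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


# Constructed sample URLs in the shape of a copied trigger URL (placeholders only).
BASIC_AUTH_URL = ("https://company.xmatters.com/api/integration/1/functions/"
                  "TRIGGER-ID/triggers?recipients=jdoe")
URL_AUTH_URL = ("https://company.xmatters.com/api/integration/1/functions/"
                "TRIGGER-ID/triggers?apiKey=EXAMPLE-KEY&recipients=jdoe")

if __name__ == "__main__":
    print(set_recipients(BASIC_AUTH_URL, ["epearson", "mmcbride", "Monitor Team"]))
    print(set_recipients(URL_AUTH_URL, ["bgull", "Antares team"]))
```

Because the group name is encoded per target, a name such as "R&D team" becomes R%26D%20team and cannot be misread as a second query parameter, which is the failure the URL-encoding reminder above guards against.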
How to use the workflow
When a condition you've set fires, it sends a signal to xMatters, which creates an alert and notifies the individuals, or the on-call members of the groups, that you set as recipients in the webhook URL. When the trigger receives a signal saying the issue is resolved, it automatically terminates related alerts in xMatters.
The person responding to the notification has the following response options:
- Acknowledge: Acknowledges the notifications and stops escalations.
- Escalate: Immediately escalates the alert to the next on-call resolver in a targeted group.
- Close: Ends the xMatters alert and stops notifying all targeted recipients.
- Initiate Incident: Initiates an incident in xMatters.
Next Steps
Now that you've installed the workflow, you can use it as-is, or customize it to suit your needs better. Here are some examples of things you can add to the workflow to customize it:
- Use Slack, Zoom, and Microsoft Teams steps to add collaboration channels to the flow.
- Change the severity of incidents created when a recipient selects the Initiate Incident response.
- Update the message sent to resolvers to include the information most relevant to your team.
- Use the Elastic Alerts triggers to build your own custom flows.
Previous version
While the Elastic workflow that relies on a generic webhook is no longer available, the configuration instructions for generic webhooks are included below for anyone who has it installed in their system already.
- In Elastic, select the project you want to connect to xMatters.
- Under Kibana, select Stack Management.
- Click Alerts and Actions, then select Connectors from the left-hand menu.
- In the URL field paste the xMatters trigger URL you copied from the Elastic trigger in Flow Designer.
- Add the target names of any recipients you want to notify when the alert fires.
- For example, if you want to notify Emma Pearson, Mary McBride, and the on-call members in the Monitor Team responsible for the service, you'd add ?recipients=epearson,mmcbride,monitor%20team to the URL.
- You must URL-encode any special characters or spaces in the target names.
- If you use Basic Authentication, complete the Authentication information. If you're using URL Authentication, turn this toggle off.
- Click Save, or Save & test to test the webhook.
Now we need to create two alert actions: one that sends a signal to trigger xMatters when something has happened in Elastic, and another that tells xMatters the trigger is cleared in Elastic. First, let's create an Alert action.
- In the Alerts and Actions section, click Create alert and select Webhook from the list of options.
- On the Create alert page, fill in the following fields:
- Name: xMatters
- Alert type: Select an alert type from the list of available options.
- To create an alert signal, under Actions expand the webhook connector you just created.
- From the Run when drop-down menu, select the alert type you want to send. For example, Threshold met.
- In the Body field, paste the Configuration Payload you copied from the Elastic Alerts trigger on the Flow Designer canvas:
{
"alertActionGroup": "{{alertActionGroup}}",
"alertActionGroupName": "{{alertActionGroupName}}",
"alertId": "{{alertId}}",
"alertInstanceId": "{{alertInstanceId}}",
"alertName": "{{alertName}}",
"date": "{{date}}",
"spaceId": "{{spaceId}}",
"tags": "{{tags}}"
}
- Click Save.
You'll then need to create another action that becomes the Clear signal.
- In the Alerts and Actions section, click Create alert and select Webhook from the list of options.
- Under Actions, select the webhook connector you created.
- Click the Run when drop-down menu and select Recovered.
- In the Body field, paste the Configuration Payload you copied from the Elastic Alerts trigger on the Flow Designer canvas:
{
"alertActionGroup": "{{alertActionGroup}}",
"alertActionGroupName": "{{alertActionGroupName}}",
"alertId": "{{alertId}}",
"alertInstanceId": "{{alertInstanceId}}",
"alertName": "{{alertName}}",
"date": "{{date}}",
"spaceId": "{{spaceId}}",
"tags": "{{tags}}"
}
- Click Save.
The completed actions are listed in the Actions section.
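Both actions above send the same Configuration Payload; what distinguishes the Clear signal is the action group Kibana fills into alertActionGroup when the rule recovers. The following is an added example, not xMatters or Elastic code, showing how a receiver can validate a rendered payload and use it to match a Recovered signal to the alert it resolves. It assumes Kibana reports recovery with the action group id "recovered" (RECOVERED_GROUP; adjust if your version differs) and that alertId plus alertInstanceId together identify one firing alert; both are assumptions of this example. The sample bodies are constructed and their values are made up.

```python
import json

# Keys the Configuration Payload maps from Elastic's {{...}} variables.
REQUIRED_KEYS = ("alertActionGroup", "alertActionGroupName", "alertId",
                 "alertInstanceId", "alertName", "date", "spaceId", "tags")

# Assumption: Kibana uses the action group id "recovered" for a recovered rule.
RECOVERED_GROUP = "recovered"


def parse_signal(body):
    """Validate one webhook body and classify it as an alert or a clear signal.

    Returns a dict with kind ("alert" or "clear"), a correlation key built from
    alertId and alertInstanceId (assumption: that pair identifies one firing
    alert), and the original fields. Raises ValueError on malformed or
    incomplete input so the caller rejects the request instead of creating a
    half-populated alert.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        raise ValueError("payload missing keys: " + ", ".join(missing))
    # Mustache renders an undefined variable as an empty string; the two
    # identifiers used for correlation must not be empty.
    for key in ("alertId", "alertInstanceId"):
        if not str(data[key]).strip():
            raise ValueError(f"{key} is empty; cannot correlate this signal")
    kind = "clear" if data["alertActionGroup"] == RECOVERED_GROUP else "alert"
    return {"kind": kind, "key": f"{data['alertId']}:{data['alertInstanceId']}", **data}


def apply_signal(open_alerts, signal):
    """Update an in-memory table of open alerts keyed by correlation key.

    Returns "created" for a new alert, "terminated" when a clear signal matches
    an open alert, and "ignored" when a clear signal has nothing to resolve.
    """
    if signal["kind"] == "alert":
        open_alerts[signal["key"]] = signal
        return "created"
    return "terminated" if open_alerts.pop(signal["key"], None) else "ignored"


# Constructed sample bodies, shaped like the Configuration Payload after Kibana
# has rendered the {{...}} variables. All values are made up for this example.
SAMPLE_FIRING = json.dumps({
    "alertActionGroup": "threshold met",
    "alertActionGroupName": "Threshold met",
    "alertId": "example-rule-id-0001",
    "alertInstanceId": "web-01",
    "alertName": "CPU above 90%",
    "date": "2024-01-01T00:00:00.000Z",
    "spaceId": "default",
    "tags": "production,web",
})
SAMPLE_RECOVERED = json.dumps({**json.loads(SAMPLE_FIRING),
                               "alertActionGroup": RECOVERED_GROUP,
                               "alertActionGroupName": "Recovered"})

if __name__ == "__main__":
    table = {}
    for body in (SAMPLE_FIRING, SAMPLE_RECOVERED):
        signal = parse_signal(body)
        print(signal["kind"], signal["key"], apply_signal(table, signal))
```

The empty-identifier check matters because a Body field that references a variable Kibana does not define still produces valid JSON, just with blank values; rejecting it at the receiver surfaces the misconfiguration during the Save & test step rather than as alerts that can never be cleared.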
You're ready to use the webhook to trigger automated flows, including steps such as sending alerts and initiating incidents, though we always recommend testing before putting things into use.