Overview
Migrating alerts from the ELK Stack (Kibana Alerting, ElastAlert) to SigNoz involves translating your alert logic from Elasticsearch queries to SigNoz's OpenTelemetry-native alerting engine (powered by Prometheus Alertmanager).
This guide helps you map your existing alert rules and notification channels to SigNoz.
Prerequisites
- A SigNoz account (SigNoz Cloud or Self-Hosted).
- List of existing alert rules and notification channels from Kibana or ElastAlert.
Migration Steps
Step 1: Set Up Notification Channels
Before migrating rules, configure your notification channels in SigNoz.
Supported Notification Channels
| Channel | ELK Stack | SigNoz | Notes |
|---|---|---|---|
| Email | ✓ | ✓ | Standard integration |
| Slack | ✓ | ✓ | Standard integration |
| MS Teams | ✓ | ✓ | Standard integration |
| PagerDuty | ✓ | ✓ | Standard integration |
| OpsGenie | ✓ | ✓ | Standard integration |
| Webhook | ✓ | ✓ | Generic integration |
| Incident.io | Via Webhook | ✓ | Native or Webhook |
| Index | ✓ | - | Not supported |
See Alerts Notification Channel documentation for setup details.
Step 2: Translate Alert Logic
You need to map your ELK alert types to SigNoz alert types.
| ELK Rule Type | SigNoz Alert Type | Description |
|---|---|---|
| Metric Threshold | Metric Alert | Alert when a metric crosses a threshold (e.g., CPU > 90%) |
| Log Threshold | Log Alert | Alert on count of logs matching a query (e.g., > 10 errors/min) |
| APM Latency/Error | Trace Alert | Alert on span duration or error status |
| Spike/Anomaly | Anomaly Alert | Detect deviations from normal patterns |
| ElastAlert Frequency | Log Alert | Count events in a time window |
| ElastAlert Flatline | Log/Metric Alert | Alert when count drops below threshold |
Step 3: Convert Queries
Translate your KQL/Lucene queries to SigNoz queries.
| Query Logic | Kibana (KQL) | SigNoz (ClickHouse SQL) |
|---|---|---|
| Field Match | status:500 | attributes_string['status'] = '500' |
| Text Match | message:"failed" | body ILIKE '%failed%' |
| Boolean | env:prod AND level:error | attributes_string['env']='prod' AND attributes_string['level']='error' |
| Range | duration:>1000 | attributes_int['duration'] > 1000 |
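As an added example (not part of the SigNoz docs or code base), the following Python helper applies the mappings in the table above to flat KQL expressions so a batch of ElastAlert or Kibana filters can be converted consistently. It assumes AND/OR chains without parentheses, numeric-only range values, and that `message` is the only field that should become a full-text match on `body`; these are assumptions for the example, not SigNoz rules.

```python
import re

# Assumption for this example: KQL fields listed here are translated to a
# full-text match on the log body rather than an attribute equality check.
BODY_FIELDS = {"message"}

# field:value, field:"quoted value", or field:>123 (range operators).
_TERM = re.compile(r'^(\w+):(>=|<=|>|<)?(?:"([^"]*)"|(\S+))$')


def _escape(value: str) -> str:
    """Escape a value for a single-quoted ClickHouse string literal."""
    return value.replace("\\", "\\\\").replace("'", "''")


def translate_term(term: str) -> str:
    """Translate one KQL term into a SigNoz ClickHouse SQL predicate."""
    m = _TERM.match(term.strip())
    if not m:
        # Bare words, wildcards and nested expressions are not handled here;
        # fail loudly instead of producing a query that silently matches nothing.
        raise ValueError(f"unsupported KQL term: {term!r}")
    field, op, quoted, bare = m.groups()
    value = quoted if quoted is not None else bare
    if op:
        # Range comparisons only make sense on numeric attributes.
        if not re.fullmatch(r"-?\d+", value):
            raise ValueError(f"non-numeric range value in {term!r}")
        return f"attributes_int['{field}'] {op} {value}"
    if field in BODY_FIELDS:
        # '%' and '_' inside the value act as wildcards in ILIKE; they are left
        # as-is here so that deliberate wildcard searches still translate.
        return f"body ILIKE '%{_escape(value)}%'"
    return f"attributes_string['{field}'] = '{_escape(value)}'"


def translate_kql(query: str) -> str:
    """Translate a flat KQL expression (terms joined by AND/OR) into SQL."""
    # The capturing group keeps the AND/OR operators in the split result.
    tokens = re.split(r"\s+(AND|OR)\s+", query.strip())
    return " ".join(
        tok if tok in ("AND", "OR") else translate_term(tok) for tok in tokens
    )


if __name__ == "__main__":
    # Constructed sample filters mirroring the mapping table above.
    for q in ["status:500", 'message:"failed"', "env:prod AND level:error", "duration:>1000"]:
        print(f"{q!r:35} -> {translate_kql(q)}")
```

Review the generated SQL in the Query Builder before saving the rule, since the helper only covers the four patterns in the table.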
Step 4: Create Alert Rules
- Navigate to Alerts in SigNoz.
- Click + New Alert.
- Select the alert type (Metric, Log, Trace, etc.).
- Build your query using the Query Builder or enter the translated SQL/PromQL.
- Set the threshold and evaluation window.
- Select your notification channel.
Infrastructure as Code (Terraform)
If you managed ELK alerts with Terraform or ElastAlert YAML rule files, you can use the SigNoz Terraform Provider to manage SigNoz alerts as code.
Validate
To confirm that your alerts are migrated correctly:
- Test Trigger: Temporarily lower thresholds to trigger the alert.
- Verify Notification: Check if the notification is received on the configured channel.
- Check Alert Status: Verify the alert shows as "Firing" in the SigNoz UI.
Troubleshooting
Alerts not triggering
- Check Data: Ensure the underlying data (logs/metrics) is present.
- Verify Query: Run the query in Query Builder to ensure it returns results.
- Check Thresholds: Ensure the condition is actually met.
- Evaluation Window: Ensure the condition persists for the duration of the evaluation window.
Notifications not received
- Test Channel: Use the "Test" button in channel configuration.
- Check Spam: For email, check spam folders.
- Verify Webhook: Ensure webhook URLs are reachable from SigNoz.