Add query structure example

_observing-your-data/alerting/dashboards-alerting.md

@@ -9,84 +9,95 @@
 Introduced 2.9
 {: .label .label-purple }
 
-Create, manage, and take action on your alerts in a single, consolidated view and identify and resolve issues quickly. Use the **Dashboard** interface to:
+Create, manage, and take action on your alerts in a single, consolidated view and identify and resolve issues quickly through the **Dashboards** application in OpenSearch Dashboards. 
 
-- Set up, add, and adjust rules and conditions that trigger alerts and notifications.
-- Create graphs that show trends and patterns and build intuitive dashboards to stay informed of important metrics and data points in real time.
-- Monitor your alerts in one place with at-a-glance views.
-
-The following image gives you a snapshot of the Dashboard interface. 
-
-<img src="{{site.url}}{{site.baseurl}}/images/dashboards/alerting-dashboard.png" alt="Example alerting visualization" width="800" height="800">
+<img src="{{site.url}}{{site.baseurl}}//images/dashboards/dashboards-app.png" alt="Alerting interface in OpenSearch Dashboards" width="250"/>
 
 ## Getting started 
 
-Before getting started, you must have:
+Before getting started with Alerting in OpenSearch Dashboards, you must have:
 
 - Installed OpenSearch and OpenSearch Dashboards version 2.9 or later. See [Installing OpenSearch]({{site.url}}{{site.baseurl}}/install-and-configure/install-opensearch/index/).
-- Installed the Alerting and Notifications Dashboards plugins. See [Managing OpenSearch Dashboards plugins]({{site.url}}{{site.baseurl}}/install-and-configure/install-dashboards/plugins/) to get started.
+- Installed the Alerting, Anomaly Detection, and Notifications Dashboards plugins. See [Managing OpenSearch Dashboards plugins]({{site.url}}{{site.baseurl}}/install-and-configure/install-dashboards/plugins/).
+- Started your local environment. The [OpenSearch Playground](https://playground.opensearch.org/app/home) is read-only, so you should use your local environment to perform the steps in the following tutorials.
 
 ## Configuring admin settings
 
-Users can only access, create, or manage alerts for resources for which they have permissions. Access to alerting dashboards and visualizations is controlled by OpenSearch and OpenSearch Dashboards permissions. It is enabled by default and appears as a feature under **Dashboards Management** > **Advanced Settings** > **Visualization**. If the setting is disabled, it does not appear. You can disable the setting at the cluster level in the `opensearch-dashboards.yml` file.
+Users can only access, create, or manage alerts for resources for which they have permissions. Access to alerting dashboards and visualizations is controlled by OpenSearch and OpenSearch Dashboards permissions. 
 
-## General requirements for alerting visualizations
+The alerting dashboards and visualizations setting is enabled by default and is configurable from within **Dashboards Management** > **Advanced Settings** > **Visualization**. If the setting is disabled, the feature does not appear in the settings pane. 
 
-Alerting visualizations are displayed as time-series charts that give you a snapshot of the alert, alert status, last updated time, and reason for the alert. You can display up to 10 metrics on your chart, and each series can be shown as a line on the chart.
+To disable the setting at the cluster level, set `vis_augmenter.pluginAugmentationEnabled: false` in your `opensearch-dashboards.yml` file.
+
+## General requirements for alerting visualizations
 
-Keep in mind the following requirements when setting up or creating alerting visualizations. The visualization:
+Alerting visualizations are displayed as time-series charts that give you a view of the alert, alert status, last updated time, and reason for the alert. You can display up to 10 metrics on your chart, and each series can be shown as a line on the chart.
 
-- Must be a [Vizlib line chart](https://community.vizlib.com/support/solutions/articles/35000107262-vizlib-line-chart-introduction)
-- Must contain at least a Y-axis metric aggregation
-- Must not have non-Y-axis metric aggregation types
-- Must use the date histogram aggregation type for the X-axis bucket
-- Must have an X-axis on the bottom
-- Must define one X-axis aggregation bucket
-- Must have a valid time-based X-axis
+Consider the following requirements when setting up or creating alerting visualizations: 
 
-## Creating alerting monitors
+- The visualization must be a [Vizlib line chart](https://community.vizlib.com/support/solutions/articles/35000107262-vizlib-line-chart-introduction).
+- The visualization must contain at least a Y-axis metric aggregation.
+- The visualization must not have non-Y-axis metric aggregation types.
+- The visualization must use the date histogram aggregation type for the X-axis bucket.
+- The visualization must have an X-axis on the bottom.
+- The visualization must define one X-axis aggregation bucket.
+- The visualization must have a valid time-based X-axis.
 
-By default, when you begin to create the alert monitor workflow using the Dashboard interface, you are presented with a menu-driven interface. This interface provides a range of options that are displayed in full screen, in pop-ups, in pull-downs, or in dropdowns. They allow you to define the metrics that can be monitored, set thresholds, customize triggers that automate workflows, and generate actions when conditions are met. Currently, you can only create [per query monitors]({{site.url}}{{site.baseurl}}/observing-your-data/alerting/monitors/).
+## Creating alerting monitors from within visualizations
 
-To create an alerting monitor: 
+By default, when you begin to create an alert monitor workflow using OpenSearch Dashboards, you are presented with a menu-driven interface. This interface provides a range of options that are displayed in full screen, in pop-ups, in pull-downs, or in dropdowns. These options are used to define the metrics that can be monitored, set thresholds, customize triggers that automate workflows, and generate actions when conditions are met. 
 
-1. Choose **Dashboard** from the OpenSearch Dashboards main menu.
-2. From the **Dashboards** window, select **Create** and then choose **Dashboard**.
-3. Select **Add an existing**, then select the appropriate alerting visualization from the **Add panels** list. The visualization is added to the dashboard.
-4. From the visualization panel, choose the ellipsis icon ({::nomarkdown}<img src="{{site.url}}{{site.baseurl}}/images/ellipsis-icon.png" class="inline-icon" alt="ellipsis icon"/>{:/}). 
-5. From the **Options** menu, select **Add alerting monitor**.
-6. Input information for **Monitor details** and **Triggers**.
-7. Choose **Create monitor**. The monitor is added to the visualization.  
+You can only create [per query and per bucket monitors]({{site.url}}{{site.baseurl}}/observing-your-data/alerting/per-query-bucket-monitors/) from within OpenSearch Dashboards. All other monitor types require configuration at the cluster-level.
+{: .note}
 
-An example of these steps is shown in the following screenshot.
+To create a monitor, follow these steps:
 
-<img src="{{site.url}}{{site.baseurl}}/images/dashboards/create-monitor-menu.png" alt="Create monitor interface" width="400" height="400">
+1. In the **OpenSearch Plugins** main menu, choose **Alerting**.
+2. Choose **Create monitor**.
+3. Enter the **Monitor details**, including monitor type, method, and schedule.
+4. Select a data source from the dropdown list.	
+5. Define the metrics in the Query section.	
+6. Add a trigger.
+7. Add an action.
+8. Select **Create**.
 
-## Associating monitors
+## Associating monitors with visualizations
 
-You can associate certain monitor types with a visualization using the Dashboard interface instead of the plugin page, giving you a single interface through which to add, view, and edit monitor data.
+You can associate certain monitor types with a visualization using the Dashboard interface instead of the plugin page, giving you a single interface through which to add, view, and edit monitor data. Associating a monitor with an alerting visualization links that monitor to automatically display alerts on the visualization chart it relates to. 
 
 Continuing with the alerting visualization and dashboard created in the preceding section, associate an existing monitor with a visualization by following these steps: 
 
-1. From the visualization panel, choose the ellipsis icon ({::nomarkdown}<img src="{{site.url}}{{site.baseurl}}/images/ellipsis-icon.png" class="inline-icon" alt="ellipsis icon"/>{:/}).
+1. From the visualization panel, choose the {::nomarkdown}<img src="{{site.url}}{{site.baseurl}}/images/ellipsis-icon.png" class="inline-icon" alt="ellipsis icon"/>{:/} icon.
 2. Select **Associated monitors**.
 3. From the **Select monitor to associate** dropdown menu, select the monitor. Only eligible monitors are listed in the dropdown menu. 
 4. View the monitor's basic information. To view comprehensive details, select **View monitor page** to open the Alerting plugin page.
 5. Select **Associate monitor**. An existing monitor is associated with the visualization.
 
-## Exploring alerting monitor details
+##  Configuring alerts through OpenSearch Dashboards
 
-Once you've created or associated alerting monitors, verify that the monitor is generating alerts and explore alert details by following these steps:
+To configure alerts, follow these steps:
 
-1. Open the alerting dashboard. Alerts are indicated on the visualization with a triangle icon ({::nomarkdown}<img src="{{site.url}}{{site.baseurl}}/images/dashboards/triangle-icon.png" class="inline-icon" alt="triangle icon"/>{:/}). 
-2. Hover over the triangle icon ({::nomarkdown}<img src="{{site.url}}{{site.baseurl}}/images/dashboards/triangle-icon.png" class="inline-icon" alt="triangle icon"/>{:/}) to view high-level data, such as number of alerts. To investigate alert details, select the triangle icon ({::nomarkdown}<img src="{{site.url}}{{site.baseurl}}/images/dashboards/triangle-icon.png" class="inline-icon" alt="triangle icon"/>{:/}) to open a flyout with more detailed monitor information. Alternatively, select the ellipsis icon ({::nomarkdown}<img src="{{site.url}}{{site.baseurl}}/images/ellipsis-icon.png" class="inline-icon" alt="ellipsis icon"/>{:/}) in the visualization panel and choose **View events**.
-3. Select the ellipsis icon ({::nomarkdown}<img src="{{site.url}}{{site.baseurl}}/images/ellipsis-icon.png" class="inline-icon" alt="ellipsis icon"/>{:/}), then **Alerting** > **Associated monitors**.
+1. Open the alerting dashboard. Alerts are indicated on the visualization with a {::nomarkdown}<img src="{{site.url}}{{site.baseurl}}/images/dashboards/triangle-icon.png" class="inline-icon" alt="triangle icon"/>{:/} icon. 
+2. Hover over the {::nomarkdown}<img src="{{site.url}}{{site.baseurl}}/images/dashboards/triangle-icon.png" class="inline-icon" alt="triangle icon"/>{:/} icon to view high-level data, such as number of alerts. To investigate alert details, select the triangle icon {::nomarkdown}<img src="{{site.url}}{{site.baseurl}}/images/dashboards/triangle-icon.png" class="inline-icon" alt="triangle icon"/>{:/} to open a flyout with more detailed monitor information. Alternatively, select the {::nomarkdown}<img src="{{site.url}}{{site.baseurl}}/images/ellipsis-icon.png" class="inline-icon" alt="ellipsis icon"/>{:/} icon in the visualization panel and choose **View events**.
+3. Select the {::nomarkdown}<img src="{{site.url}}{{site.baseurl}}/images/ellipsis-icon.png" class="inline-icon" alt="ellipsis icon"/>{:/} icon, then **Alerting** > **Associated monitors**.
 4. Choose an alerting monitor from the list. Information such as history, alerts, and associated visualizations is shown within the visualization panel.
 5. Unlink or edit a monitor. 
-   1. Unlink a monitor from the visualization by selecting the link icon ({::nomarkdown}<img src="{{site.url}}{{site.baseurl}}/images/dashboards/link-icon.png" class="inline-icon" alt="link icon"/>{:/}) under **Actions**. This only unlinks the monitor from the visualization; it does not delete the monitor.
-   2. Edit the monitor's metrics by selecting the edit icon ({::nomarkdown}<img src="{{site.url}}{{site.baseurl}}/images/dashboards/edit-icon.png" class="inline-icon" alt="edit icon"/>{:/}).
+   1. Unlink a monitor from the visualization by selecting the {::nomarkdown}<img src="{{site.url}}{{site.baseurl}}/images/dashboards/link-icon.png" class="inline-icon" alt="link icon"/>{:/} icon under **Actions**. This only unlinks the monitor from the visualization; it does not delete the monitor.
+   2. Edit the monitor's metrics by selecting the {::nomarkdown}<img src="{{site.url}}{{site.baseurl}}/images/dashboards/edit-icon.png" class="inline-icon" alt="edit icon"/>{:/} icon.
+
+## Building alerting quieries
+
+<SME: Please provide an example query that can be input using OpenSearch Dashboards. What are the steps the user will follow?>
+
+## Viewing events
+
+
 
 ## Next steps
 
-- [Learn more about the Dashboard application](https://opensearch.org/docs/latest/dashboards/dashboard/index/).
-- [Learn more about alerting](https://opensearch.org/docs/latest/observing-your-data/alerting/index/).
+- Learn about monitor types in [Monitors]({{site.url}}{{site.baseurl}}/observing-your-data/alerting/monitors/).
+- Learn about the basics of alerting in OpenSearch Dashboards in [Alerting]({{site.url}}{{site.baseurl}}/observing-your-data/alerting/index/).
+- Learn about setting up and using [Triggers]({{site.url}}{{site.baseurl}}/observing-your-data/alerting/triggers/).
+- Learn about setting up and using [Actions]({{site.url}}{{site.baseurl}}/observing-your-data/alerting/actions/).
+- Learn about [Notifications]({{site.url}}{{site.baseurl}}/observing-your-data/notifications/index/).
+- See the blog about [Overlaying anomalies and alerts on OpenSearch Dashboards visualizations](https://opensearch.org/blog/alert-anomaly-visual/).

_observing-your-data/alerting/index.md

@@ -10,11 +10,9 @@
 
 # Alerting
 
-To create an alert, do the following: 
+Alerting in OpenSearch enables proactive monitoring and timely response to potential issues or anomalies within your data and applications. Whether you're building and maintaining applications or ensuring the smooth operation of systems, alerting has a crucial role in maintaining system health and minimizing downtime.
 
-- Configure a _monitor_, which is a job that runs on a defined schedule and queries OpenSearch indexes. Required.
-- Configure one or more _triggers_, which define the conditions that generate events. Optional.
-- Configure _actions_, which is what happens after an alert is triggered. Optional.
+In OpenSearch, you can configure alerts by creating monitors that run on a defined schedule and query indexes. You define triggers that specify conditions for generating alert events, such as thresholds on a specific field. You can also configure actions for the alerts, such as sending notifications through email, Slack, or custom webhooks. OpenSearch Dashboards brings alerting and monitoring directly into the dashboard experience, allowing you to overlay alerts and anomalies visually on time-series charts for enhanced insights.
 
 ## Key terms
 
@@ -23,34 +21,35 @@
 Term | Definition
 :--- | :---
 Monitor | Job that runs on a defined schedule and queries OpenSearch indexes. The results of these queries are then used as input for one or more triggers.
-Trigger | Conditions that, if met, generate alerts. See [Triggers]({{site.url}}{{site.baseurl}}/observing-your-data/alerting/triggers/).
+Trigger | Conditions that, if met, generate alerts.
 Alert | Event associated with a trigger. When an alert is created, the trigger performs actions, including sending notifications.
-Action | Specific task that is performed when an alert is triggered. See [Actions]({{site.url}}{{site.baseurl}}/observing-your-data/alerting/actions/).
-Notification | Message that is sent to users when an alert is triggered. See [Notifications]({{site.url}}{{site.baseurl}}/notifications-plugin/index/).
+Action | Specific task that is performed when an alert is triggered.
+Notification | Message that is sent to users when an alert is triggered.
 
-## Alert states
+## Alerting settings
+
+Some key alerting settings in OpenSearch include the ability to customize trigger conditions, severity levels, notification channels, and recurrence intervals for monitors. You can modify settings like notification message templates, throttling to avoid duplicate alerts, and status expiration periods. 
+
+<SME: Do we have specific settings to include in this section? If so, please provide the setting name, description, and default setting.>
+
+## Alerting states
 
 The following table lists the alert states. 
 
 State | Description
 :--- | :---
-Active | The alert is ongoing and unacknowledged. Alerts remain in this state until you acknowledge them, delete the trigger associated with the alert, or delete the monitor entirely. Alerts also can be moved out of the active state if the trigger condition is no longer met. For example, if an index has 4,000 documents and a trigger condition is `numOfDocs > 5000`, an active alert is generated when 3,000 documents are added to the index. If the added 3,000 documents are then deleted from the index, the alert changes to the completed state because the condition is no longer triggered.
-Acknowledged | The alert is acknowledged but the root cause is not fixed.
-Completed | The alert is no longer ongoing. Alerts enter this state after the corresponding trigger evaluates to `false`.
-Error | An error occurred while executing the trigger---usually the result of a bad trigger or destination.
+`active` | The alert is ongoing and unacknowledged. Alerts remain in this state until you acknowledge them, delete the trigger associated with the alert, or delete the monitor entirely. Alerts also can be moved out of the active state if the trigger condition is no longer met. For example, if an index has 4,000 documents and a trigger condition is `numOfDocs > 5000`, an active alert is generated when 3,000 documents are added to the index. If the added 3,000 documents are then deleted from the index, the alert changes to the completed state because the condition is no longer triggered.
+`acknowledged` | The alert is acknowledged but the root cause is not fixed.
+`completed` | The alert is no longer ongoing. Alerts enter this state after the corresponding trigger evaluates to `false`.
+`error` | An error occurred while executing the trigger---usually the result of a bad trigger or destination.
 Deleted | The monitor or trigger associated with this alert was deleted while the alert was ongoing.
 
-## Creating an alert monitor
-
-You can follow these basic steps to create an alert monitor:
+## Next steps
 
-1. In the **OpenSearch Plugins** main menu, choose **Alerting**.
-1. Choose **Create monitor**. See [Monitors]({{site.url}}{{site.baseurl}}/observing-your-data/notifications/index/) for more information about the monitor types.
-1. Enter the **Monitor details**, including monitor type, method, and schedule.  
-1. Select a data source from the dropdown list.
-1. Define the metrics in the Query section.
-1. Add a trigger. See [Triggers]({{site.url}}{{site.baseurl}}/observing-your-data/alerting/triggers/) for more information about triggers.
-1. Add an action. See [Actions]({{site.url}}{{site.baseurl}}/observing-your-data/alerting/actions/) for more information about actions. 
-1. Select **Create**.
+Learn more about the following features:
 
-Learn more about creating specific monitor types in their respective documentation.
+- [Monitors]({{site.url}}{{site.baseurl}}/observing-your-data/alerting/monitors/)
+- [Triggers]({{site.url}}{{site.baseurl}}/observing-your-data/alerting/triggers/)
+- [Actions]({{site.url}}{{site.baseurl}}/observing-your-data/alerting/actions/)
+- [Notifications]({{site.url}}{{site.baseurl}}/notifications-plugin/index/)
+- [Alerting dashboards and visualizations]({{site.url}}{{site.baseurl}}/observing-your-data/alerting/dashboards-alerting/)