push

Detects which alerts changed between your branch and main, then deploys only those to Elasticsearch.

Usage

orwell push [options]

Options

| Flag | Alias | Default | Description |
|---|---|---|---|
| --endpoint <url> | | $ELASTIC_ENDPOINT | Elasticsearch URL |
| --api-key <key> | | $ELASTIC_API_KEY | API key authentication |
| --username <user> | | $ELASTIC_USERNAME | Basic auth username |
| --password <pass> | | $ELASTIC_PASSWORD | Basic auth password |
| --target <server.env> | | | Filter: only deploy watchers matching this target |
| --project-id <id> | -p | | Prefix added to all alert IDs |
| --base-dir <dir> | | src | Root folder that contains alert groups |
| --main-branch <branch> | | main | Branch to diff against |
| --diff-branch <branch> | -b | current branch | Branch being compared |
| --dry-run | | | Print HTTP requests without deploying |

How it works

  1. Runs git diff <main-branch>...<diff-branch> to list changed files.
  2. Finds the alert folder for each changed file.
  3. Filters alerts by --target if provided (see File naming & targeting).
  4. Deploys each matching alert via the Elasticsearch Watcher API (PUT /_watcher/watch/{id}).
  5. If an alert has a Painless script, deploys it first via PUT /_scripts/{id}.
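
The steps above, modelled as an added example (not orwell's own code) that maps a list of changed paths to the ordered Watcher API requests, which is useful when reviewing which watcher IDs a branch would overwrite. Assumptions not taken from this page: watcher files are named watcher.<server>.<env>.json, Painless scripts end in .painless, the script ID equals the alert ID, the ID without --project-id is {group}-{name}, and one request pair is planned per alert folder.

```python
from pathlib import PurePosixPath

def file_target(path):
    # Assumed naming: watcher.<server>.<env>.json -> "<server>.<env>"
    return ".".join(path.name.split(".")[1:-1])

def plan_push(changed, tree, base_dir="src", target=None, project_id=None):
    """Map `git diff --name-only` output to the ordered API requests.

    changed: paths reported by the diff; tree: files present on the diff branch.
    """
    base = PurePosixPath(base_dir).parts
    folders = []
    for path in changed:  # step 2: alert folder is <base-dir>/<group>/<name>
        parts = PurePosixPath(path).parts
        if parts[:len(base)] == base and len(parts) >= len(base) + 3:
            folder = parts[len(base):len(base) + 2]
            if folder not in folders:
                folders.append(folder)
    requests = []
    for group, name in folders:
        prefix = base + (group, name)
        files = [PurePosixPath(p) for p in tree
                 if PurePosixPath(p).parts[:len(prefix)] == prefix]
        # Step 3: with a target, keep only alerts whose watcher file matches it.
        watchers = [f for f in files if f.suffix == ".json"
                    and (target is None or file_target(f) == target)]
        if not watchers:  # deleted or other-target alert: nothing is sent
            continue
        alert_id = "-".join(x for x in (project_id, group, name) if x)
        if any(f.suffix == ".painless" for f in files):
            requests.append(("PUT", f"/_scripts/{alert_id}"))    # step 5 goes first
        requests.append(("PUT", f"/_watcher/watch/{alert_id}"))  # step 4
    return requests

# Constructed sample repository and diff (not from the orwell docs).
TREE = ["src/auth/brute-force/watcher.server-a.non-prod.json",
        "src/auth/brute-force/script.painless",
        "src/auth/new-admin/watcher.server-a.prod.json",
        "README.md"]
CHANGED = ["src/auth/brute-force/script.painless",
           "src/auth/new-admin/watcher.server-a.prod.json",
           "src/auth/old-rule/watcher.server-a.prod.json",  # deleted on the branch
           "README.md"]

if __name__ == "__main__":
    for method, path in plan_push(CHANGED, TREE, target="server-a.non-prod",
                                  project_id="acme"):
        print(method, path)
```

The deleted old-rule alert produces no request in this model, matching the note that push never deletes watchers.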

Examples

Dry-run before deploying

orwell push \
  --endpoint https://elastic:9200 \
  --api-key "$ELASTIC_API_KEY" \
  --target server-a.non-prod \
  --dry-run

Deploy to production

orwell push \
  --endpoint https://elastic-prod:9200 \
  --api-key "$ELASTIC_API_KEY" \
  --target server-a.prod

With project ID prefix

orwell push \
  --endpoint https://elastic:9200 \
  --api-key "$ELASTIC_API_KEY" \
  --project-id acme \
  --target server-a.non-prod

Alert IDs become acme-{group}-{name}.

Compare a specific branch

orwell push \
  --endpoint https://elastic:9200 \
  --api-key "$ELASTIC_API_KEY" \
  --diff-branch feature/new-alerts \
  --main-branch develop

Using environment variables

export ELASTIC_ENDPOINT=https://elastic:9200
export ELASTIC_API_KEY=your-key-here
orwell push --target server-a.non-prod

Notes

  • push never deletes watchers. Use sync if you also want to remove deleted alerts.
  • If --target is omitted, all changed alerts are deployed regardless of their filename target.
  • --dry-run is safe to run in CI to validate that alert JSON compiles correctly before merging.