Filter based on fleet tag

I am looking to utilize tags from my fleet to create metric alarms. In fleet, I have applied tags. In Fleet management, I am able to use KQL such as tags:"AATEST" to filter the fleet agents. I want to use this same filter for alerting. I have tried applying this same KQL to the filter section of an alarm but the alarm never triggers. I attempted to identify if the scope of the fleet tags but was not successful. I also reviewed fleet.agents.* for tag type but couldn't identify any. The end goal is to create a metric alarm that trigger for only agents that have a specific tag. I curious if this functionality exists. Thanks

Version: 8.12.1

Hi @absbs Welcome to the community.

You are going to need to show us exactly what kind of rule you are trying to configure an exactly what you configured. For Example

Metric Threshold has a KQL Filter Bar(Note this is 8.14 but pretty sure that in in 6.12 as well)


Make sure you go to Discover and Try the KQL Filter First to see if it works...

The tags you add in the Fleet UI are only applied to the agents, allowing you to filter agentes in the fleet ui.

These tags will not be applied to the events collected by the agents.

To add tags to the events collected by the agents you would need to edit each integration in the policy and add them, but this will apply to all agents that are part of the same policy.

1 Like

Ahhh I did not read close enough.. @leandrojmp is exactly right... You need to add fields to each integration

One thing coming very soon is the ability to add fields at the policy level instead of each integration.

This is a highly requested feature.

Thank you @leandrojmp and @stephenb for your replies. I was hopeful I was missing something simple. The explanation provided makes sense. I was hoping to add tags at the fleet level and adjust alerting based on the tags. Example, high CPU utilization is not a critical issue in UAT but is critical production. Again, thank you for taking the time to explain and respond.

Are you using the same agent policy for UAT and Production environments?

I would recommend using different agent policies for each envinronment, then in the UAT integrations you could add a tag, like uat and use this tag in your filters.

1 Like