Filter based on fleet tag

I am looking to utilize tags from my fleet to create metric alarms. In fleet, I have applied tags. In Fleet management, I am able to use KQL such as `tags:"AATEST"` to filter the fleet agents. I want to use this same filter for alerting. I have tried applying this same KQL to the filter section of an alarm but the alarm never triggers. I attempted to identify the scope of the fleet tags but was not successful. I also reviewed fleet.agents.* for tag type but couldn't identify any. The end goal is to create a metric alarm that triggers for only agents that have a specific tag. I am curious if this functionality exists. Thanks

Version: 8.12.1

Hi @absbs Welcome to the community.

You are going to need to show us exactly what kind of rule you are trying to configure and exactly what you configured. For example:

Metric Threshold has a KQL Filter Bar (Note: this is 8.14 but pretty sure that is in 6.12 as well)

Pro Tip: Make sure you go to Discover and try the KQL filter first to see if it works...

The tags you add in the Fleet UI are only applied to the agents, allowing you to filter agents in the Fleet UI.

These tags will not be applied to the events collected by the agents.

To add tags to the events collected by the agents you would need to edit each integration in the policy and add them, but this will apply to all agents that are part of the same policy.


Ahhh I did not read close enough.. @leandrojmp is exactly right... You need to add fields to each integration

One thing coming very soon is the ability to add fields at the policy level instead of each integration.

This is a highly requested feature.

Thank you @leandrojmp and @stephenb for your replies. I was hopeful I was missing something simple. The explanation provided makes sense. I was hoping to add tags at the fleet level and adjust alerting based on the tags. Example, high CPU utilization is not a critical issue in UAT but is critical in production. Again, thank you for taking the time to explain and respond.

Are you using the same agent policy for UAT and Production environments?

I would recommend using different agent policies for each environment, then in the UAT integrations you could add a tag, like `uat`, and use this tag in your filters.
