Uptime Monitor Status Rule / Alert , Which field is considered to filter?

Hello Experts,

I have configured Heartbeat. To reduce the data , I have used "include fields" processor as below. So, now I get data for below fields and metadata fields (default).

image1812×375 15.2 KB

the issue is , in "Uptime Monitor Status" rule , I tried adding filter with Monitor name , it shows 0 monitors, But data is flowing.

I guess, this rule uses some other field ( other than fields mentioned in include_fields) to filter.

I tried default configuration i.e without "include_fields" processor. This time above filter worked

image783×141 8.91 KB

I want to know which field is used to filter monitors in Uptime Monitor Status rule

We don't recommend removing any fields sent by uptime, but rather using ILM to rotate data more efficiently. We can't guarantee that Uptime will work correctly if fields are dropped.

Hello Andrew,

Thank you for your reply.

After trial and error I found few important fields, those are enough to set an alert. I have tested this and found that Alerts are working as expected.

I will go with this setting for now. This is helping to avoid Shards error (by reducing data)

processors:

• include_fields:
  fields: ["monitor.status", "monitor.name", "monitor.id", "tags", "ip","hosts", "summary.down", "summary.up", "state.up", "state.down","state.status", "state.checks", "beat.hostname","beat.name","monitor.name.text","monitor.id.text","monitor.duration.us","monitor.scheme","monitor.check_group","monitor.timespan", "tls.rtt.handshake.us","tls.server.version_number", "monitor.type"]

I'm glad you found a solution, however I'll reiterate that we don't recommend dropping fields since that can easily break the Uptime app. If you have an excess of data, consider managing the retention of that data instead, by reading our docs on that topic.

This topic was automatically closed 24 days after the last reply. New replies are no longer allowed.