When adding tags to ICMP monitors they do not show up as drop down fields on the top right. This can be duplicated by uncommenting the tags in the ICMP example and change the IP. Changing the monitor to TCP with the same tags works perfect. This is not a very elegant solution. They are also not searchable.
For example we want a single ping to see if a switch is online nothing fancy. We have over 500 of them active at a single site. With each "Cisco switch" sending it's basics logs to same elastic cluster as the uptime is running in. Yes it should be separate no we wont split it. Cost and resources allocation along with management overhead isn't worth the time. No we can not and will not used a hosted version. Switching to TCP on each one now opens a connection which is then logged in the switch and sent to syslog. This has gone from a couple hundred events an hour to 170,000 hour making the syslog next to unusable when searching for a username on who logged in. You end up with " " for SSH.
I'm able to duplicate the missing tags in ICMP monitors in 4 different clusters. Something as simple as tags: [switch] fails. Setting under fields_under_root has no effect either but works for TCP/HTTP monitors.
Am I missing something specific to ICMP or has it not been implemented yet?
Uptime makes the boss man happy. Making him remember to type a search command when a drop down box is present makes him go why do we use this... Drop down boxes are your friend on a simple dashboard.
Curious where you are checking for the tags... In the uptime App? can you check in Discover and see if the tags are there or missing in the actual documents.
Checking the heartbeat index in discover the tags do not show up on any of the ICMP based monitors. Fields do not show up either.
I did have the default tags from the uptime host "Elastic, Server" being presented which were set in the heartbeat.yml config but not on the monitor. Server was added by me as a test when I was setting up the initial heartbeat a few months ago. I removed the tags and restarted heartbeat to see if maybe that was conflicting. No change to the index from the ICMP monitors.
Changing the same monitor to TCP updates the tags correctly. Set back to ICMP tags are removed.
Setup currently is 1 ingest node with Kibana running on it. 4 data nodes 2 hot and 2 warm nodes. We only need to keep 90 days of data anything extra is a bonus.
With how the setup has grown since the start the setup isn't ideal and I'll fix that shortly. I honestly did not expect to like Elastic as much as I do. Haven't been this excited to look at data in ages.
Only thing I could think of was maybe I had the output going to a different pipeline. Checked and it's going directly into Elastic no modifications before.
It's strange that if I copy the same monitor file to my dev cluster which is all in one I don't get the tags either and they were built on different versions at the start.
I'll load heartbeat on a fresh box and see what happens. Been needing to do that as it's expanding more and more every day... I'll update the post if I can finish up before this thread closes on me. It's on the list of many things followed by many more things to do.
In ICMP monitors if the tags start with upper case they were not being displayed. Changed existing ICMP monitors to lower case and the showed up. For TCP and HTTP the monitors are in Upper Case and show up as expected.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.