Hi @lee9 - Thanks for reporting this. We currently have some open issues with Infrastructure Host Not Reporting alert conditions. There has also been a change to how these conditions work. Previously, a host not reporting condition looked for the presence of an actual agent disconnect event. This is no longer the case. We now watch signals from a faceted NRQL query, and when those signals disappear, violations open as appropriate.
This means a significant change in behavior with regards to tags. A host and its tags now constitute a signal, and a change to the signal can result in an unexpected violation. An example would be, let’s say you have a condition set up to include hosts where the tag
xxx . If you change the condition so that it instead targets hosts where
name is equal to
yyy , the previous signals will disappear, and host not reporting violations will open for the hosts that were previously targeted. To work around this behavior, one could disable the alert condition before updating the tags, allowing it to start fresh without the baggage of prior signals.
There is also an open issue that we are working to address where a host may start up without having collected all of its metadata. If a host is missing a tag on startup, but eventually gains that tag after a period of time, an alert condition with an exclusionary filter on that tag will pick up the host as a signal and subsequently open a violation when the tag is added and the signal is lost.