A customer relies heavily on index prefixes for all integrations with Elasticsearch because their cluster is shared across multiple OpenNMS environments.
When this is the case, the template matching is incorrect, leading to something like this:
All the Elasticsearch features in OpenNMS were configured with this:
This confuses the system, and the actual indexes could end up with the wrong template.
The following is the only evidence found in the customer environment proving that the events forwarder is not working:
The karaf.log* files are full of messages like this, as the environment in question processes on average over 300 events per second.
From the initial list, only the alarms are properly defined. However, depending on race conditions, the alarms template could end up with the events template and vice versa, meaning all of them must be fixed.
Here is what I would expect to see on a healthy system using a prefix: