Apply Filter Query to Visualization

philipp_s · April 24, 2019, 9:38am

Hi,

I'm currently facing the problem that I cant filter my Disk used [Metricbeat System] ECS visualization for a specific system.filesystem.device_name. When I Group By Term I can see all devices ->

But now I want to use a filter to only display the /dev/sda1 device. However the filter I implemented is not working at all. I only receive The request for this panel failed even though it works when I run it in the Console.

This is my Filter Query:

{
  "query": {
    "bool": {
      "must": {
        "match": {
          "system.filesystem.device_name.keyword": {
            "query": "/dev/sda1"
          }
        }
      }
    }
  }
}

Regards,

Philipp

exekias · April 24, 2019, 1:19pm

Hi @philipp_s,

From they query you are showing it seems the Metricbeat index template wasn't correctly installed.

Did you get any error when running Metricbeat?
Did you change any default settings on index name, template or index pattern?

Best regards

philipp_s · April 25, 2019, 7:56am

Hi @exekias,

All the other metrics and visualizations actually work fine. This is the elasticsearch output I defined in the metricbeat.conf of the logstash pipeline:

output {
  elasticsearch {
    hosts => "elasticsearch:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

exekias · May 6, 2019, 9:29am

Hi @philipp_s,

It sounds like you didn't run metricbeat setup, that should configure the proper index template in Elasticsearch. If you use Logstash as an output, you may need to add the template manually.

philipp_s · May 6, 2019, 2:26pm

Hi @exekias,

I dont understand exactly what you mean. I can see the correct table in the discovery so the index must be correct right?

system · June 3, 2019, 2:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.