Beginner - metricbeat system dashboard with basic logstash output set

Elastic Stack Beats
,
1

Hi everyone,

I'm using ELK 7.5.2 with basic metricbeat modules (system, docker) I managed to load the Kibana dashboard to Kibana correctly. But now I'm making the logs pass through logstash (without any filter) and the dashboards are now empty (despite the fact that the log are visible in the discover tab under logstash-* pattern)

I foudn this in the documentation Set up dashboards for Logstash output and I tried to do it but the dashboard are still not filling with data.

What am I missing ?

Thanks

2

I think you need to share more details on the forum. Do you see any particular errors?

BTW You don't need to involve logstash in the middle while just playing with stuff around.

3

Thanks for the reply, I want to learn how to use logstash aswell that's why i'm trying to set it up.

There is no error on metricbeat log nor logstash log.

Here are complementary informations about my environment :

  • Everything run on a CentOS 7 machine on AWS.
  • Everything is inside Docker container (docker version is 19.03.12)
  • ELK and metricbeat are deployed in 7.5.2 version

Here is the beginning of the .yml file for metricbeat :

    setup.kibana.host: kibana:5601
     
    # setup.dashboards.enabled: true
  
    output.logstash.hosts: ["logstash:5044"]
    ... module declarations

And here is the logstash conf file used :

input {
    beats {
        port => "5044"
    }
}
# filter {
#
# }
output {
    elasticsearch {
        hosts => [ "elasticsearch:9200" ]
    }
}

The # setup.dashboards.enabled: true line is commented because I manuaylly loaded the dashboard from metricbeat container using the following command :

filebeat setup -e \
  -E output.logstash.enabled=false \
  -E output.elasticsearch.hosts=['elasticsearch:9200'] \
  -E setup.kibana.host=kibana:5601

as specified here

Logstash is ingesting the logs correctly but the dashboard stays empty

image
image3603×1262 224 KB

While those very same dashboard where correctly display data when logstach wasn't involved.

Maybe be reformulating the question would help :

Is there a specific manipulation to perform to make the metricbeat dashboard work when its logstash that send logs to elasticsearch ?

4

If you consider that logstash consumes data correctly and doesn't pass them to the Elasticsearch, it might be a logstash issue. Did you try to set up the flow without logstash in the middle? Did it work for you? You might need to validate creation of index templates.

5

Logstash does send the data to Elasticsearch correctly

I let it run over night and data keep flowing correctly, the same way it was without logstash :

image
image1193×67 5.44 KB

Here is the last piece of data I've got from logstash :
image
image1508×138 37.2 KB

And I just changed the output of metricbeat to elastic search and restarted it :

# output.logstash.hosts: ["logstash:5044"]
output.elasticsearch.hosts: ["elasticsearch:9200"]

And the dashboard is working instantly :

image
image1857×592 90.6 KB

6

Ok I found the reason, it's because the dashboard is set to 'listen' on the metricbeat-* index pattern, but that's not obvious and I can't find a way to make every dashboard object to change which index pattern there 'listening' to.

I guess there is a way to setup the dashboards directly with the index pattern set to logstash-*. I need to find how.

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.