Hey there, I'm new to the Elastic stack and trying to build a POC in my lab. I've got the foundation created: 3 Elastic nodes (1 master and 2 ingest) and a Kibana node. I've installed filebeat, metricbeat, and packetbeat on a test webserver VM. I've set the beat yml files to send all logs to the elastic ingest nodes.
When I try to generate the dashboards in Kibana, they are created successfully, but when I look at them in Kibana I get a lot of blank data when I know the logs have data in them.
Hmm - I suspect the underlying IDs are wrong. Which version of Beats and Kibana are you running? It's possible the generated dashboards are a little out of date. Can we verify _cat/indices to make sure the data is there?
Hi @jbudz, thanks for your reply. I'm using the current version, 7.3, everywhere and as a fresh install. Everything was pulled via apt on Ubuntu 18.04 VMs.
Here's the info you've requested:
green open packetbeat-7.3.0-2019.08.05-000001 fOH9MVRtQ6SC_p0nkgQDHg 1 1 172075 0 130.7mb 65.2mb
green open .kibana_task_manager aReU1ej3QviCZwOFxMajjQ 1 1 2 0 27.4kb 13.7kb
green open .monitoring-kibana-7-2019.08.05 bmTo4q73R-6s77a9BtVrvQ 1 1 1777 0 3.3mb 1.6mb
green open filebeat-7.3.0 Nju0IT4PSPCkrdFINf6Lwg 1 1 10992 0 30.1mb 14.9mb
green open .monitoring-kibana-7-2019.08.04 2BD-2ckTS1Gw9kSI3ieVVQ 1 1 1666 0 1.2mb 675.6kb
green open .monitoring-es-7-2019.08.05 WPcmhje_Sea3O4dtYP-1DQ 1 1 37951 7444 155.1mb 87.3mb
green open .monitoring-es-7-2019.08.04 g4N2jH_SRAe7mIrD7pnb4g 1 1 27181 32528 36mb 21mb
green open winlogbeat-7.3.0-2019.08.05-000001 UeYiemoIR3WyCjWzx70F1Q 1 1 18174 0 39.4mb 19.6mb
green open metricbeat-7.3.0 b8TrWAT6Sme1vxzQn8WQhg 1 1 17008 0 247.1mb 124.7mb
green open .kibana_1 7T1BR9uqRlWYNg2V0rJCew 1 1 1826 3 2mb 1mb
I generated the dashboards from the host that filebeat, metricbeat, and packetbeat were installed on with their respective commands like "sudo metricbeat setup --dashboards". When I then go into Kibana and look at various new dashboards that are created, almost all of them have no data or show errors, like this:
There is more to set up than just the dashboards, like index templates, index patterns, etc. Without a flag, all the setup configurations will be loaded.
When you run
sudo metricbeat setup --dashboards
I believe it just sets up the dashboard and not the other configuration.
Edit: Ohh and now that you probably loaded data without the proper templates I would clean up any existing indexes because the mappings may be wrong and clean up any index patterns you may have created.
Thanks @stephenb for this suggestion. Would it be best for me to do this in a specific order?
1. Shut down the various beats services
2. delete indexes in kibana
3. delete index patterns
4. run "sudo metricbeat setup"
5. run "sudo metricbeat setup --dashboards"
6. start beat services
7. create new indexes
8. profit?
This being a lab environment, I don't care about data retention on the Elastic cluster and those logs are still on the few VMs that are sending beats logs anyway.
Is there a different way to go about cleaning up the indexes?
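An added example, not written by any poster in this thread: in the `_cat/indices` listing above, `filebeat-7.3.0` and `metricbeat-7.3.0` lack the date-and-counter suffix that the packetbeat and winlogbeat indices carry. Assuming the Beats 7.x default ILM naming (`<beat>-<version>-<date>-000001` behind a write alias), the Python below parses such a listing and returns the Beats indices without that suffix as candidates for the cleanup discussed above; the function names are hypothetical and the sample lines are copied from the listing in the thread.

```python
import re

# Default column order of GET _cat/indices.
COLUMNS = ("health", "status", "index", "uuid", "pri", "rep",
           "docs_count", "docs_deleted", "store_size", "pri_store_size")

# Assumption: Beats 7.x default ILM naming, <beat>-<version>-<yyyy.MM.dd>-<counter>.
BEAT_INDEX = re.compile(
    r"^(?P<beat>[a-z]+beat)-(?P<version>\d+\.\d+\.\d+)"
    r"(?:-(?P<date>\d{4}\.\d{2}\.\d{2})-(?P<seq>\d{6}))?$")

# Sample input: lines copied from the _cat/indices output posted in the thread.
CAT_INDICES = """\
green open packetbeat-7.3.0-2019.08.05-000001 fOH9MVRtQ6SC_p0nkgQDHg 1 1 172075 0 130.7mb 65.2mb
green open .kibana_task_manager aReU1ej3QviCZwOFxMajjQ 1 1 2 0 27.4kb 13.7kb
green open filebeat-7.3.0 Nju0IT4PSPCkrdFINf6Lwg 1 1 10992 0 30.1mb 14.9mb
green open winlogbeat-7.3.0-2019.08.05-000001 UeYiemoIR3WyCjWzx70F1Q 1 1 18174 0 39.4mb 19.6mb
green open metricbeat-7.3.0 b8TrWAT6Sme1vxzQn8WQhg 1 1 17008 0 247.1mb 124.7mb
green open .kibana_1 7T1BR9uqRlWYNg2V0rJCew 1 1 1826 3 2mb 1mb
"""

def parse_cat_indices(text):
    """Turn _cat/indices text into dicts; lines with another column count are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == len(COLUMNS):
            rows.append(dict(zip(COLUMNS, fields)))
    return rows

def classify_beat_indices(rows):
    """Map each Beats index name to (beat, has_rollover_suffix, doc_count)."""
    report = {}
    for row in rows:
        m = BEAT_INDEX.match(row["index"])
        if m is None:
            continue  # .kibana*, .monitoring-* and other non-Beats indices
        report[row["index"]] = (m["beat"], m["seq"] is not None, int(row["docs_count"]))
    return report

def cleanup_candidates(text):
    """Beats indices whose name has no rollover suffix, sorted by name."""
    report = classify_beat_indices(parse_cat_indices(text))
    return sorted(name for name, (_, rolled, _) in report.items() if not rolled)

if __name__ == "__main__":
    for name in cleanup_candidates(CAT_INDICES):
        print("no rollover suffix:", name)
```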