I'm using Filebeat CEF module to ingest firewall logs. I'm playing around with visualizations, and none of the built-in visualizations seem to show any data. For instance, the "Top 10 Devices by Bandwidth [Filebeat CEF]" doesn't show anything. I made sure my data had the 5 or so fields used by this visualization. One thing I noticed is that in the built-in visualizations, I can't select the data view like I can when building my own visualization. Perhaps that has something to do with it?
Since you are using a module, did you run filebeat setup -e before you started Filebeat? Otherwise the data will not be parsed correctly.
Also, what version are you on?
Also, what steps did you follow to install Filebeat, and how are you running it?
The information you provided is not enough to help.
I apologize - I missed some key information. I can see my data in the Discover pane, and I can even make my own visualization and see my data there. It's just the visualizations in the Visualize Library that I'm having trouble with.
Understood...
The module OOTB visualizations require the proper setup, otherwise they will not work.
The data may be there, but it may not be in the proper schema / parsing, etc.
10-4, thanks for confirming. I tried recreating a visualization from scratch to mirror a built-in one, and it worked fine.
Glad you got it working....
Question: are you seeing fields named like thefield.keyword? If so, that means that setup was not run and the schema being used is not the correct schema, which will work but is not optimal.
Hmm... I see cef fields like cef.extensions.ad.policyid. Is that what you mean?
Do you see cef.extensions.ad.policyid.keyword? If not, then you are probably fine.
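As an added example (not code from the thread or from Filebeat itself), here is a way to run the check above against a saved index mapping instead of eyeballing Discover: the index names and mapping contents are constructed, and the check assumes Elasticsearch's default dynamic mapping of strings as text with a .keyword subfield.

```python
# Added example (not from the thread): inspect an Elasticsearch index mapping for
# the symptom described above. Without `filebeat setup`, string fields get
# dynamically mapped as text with a ".keyword" multi-field; with the Filebeat
# template loaded they are mapped as keyword (or ip, long, ...) directly.
# The two mappings below are constructed to resemble GET <index>/_mapping output.

def walk_properties(props, prefix=""):
    """Yield (dotted_field_name, definition) for every leaf field in a mapping."""
    for name, definition in props.items():
        path = prefix + name
        if "properties" in definition:
            yield from walk_properties(definition["properties"], path + ".")
        else:
            yield path, definition

def find_dynamic_keyword_fields(mapping, index):
    """Names of fields that look dynamically mapped: type text with a .keyword subfield."""
    props = mapping[index]["mappings"].get("properties", {})
    return sorted(
        path + ".keyword"
        for path, definition in walk_properties(props)
        if definition.get("type") == "text" and "keyword" in definition.get("fields", {})
    )

def template_applied(mapping, index, prefix="cef."):
    """True when no field under `prefix` shows the dynamic text + .keyword pattern."""
    return not any(f.startswith(prefix) for f in find_dynamic_keyword_fields(mapping, index))

# Constructed: index written before running `filebeat setup` (dynamic mapping).
NO_SETUP_MAPPING = {"filebeat-no-setup": {"mappings": {"properties": {
    "cef": {"properties": {"extensions": {"properties": {
        "ad": {"properties": {"policyid": {
            "type": "text",
            "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
        }}},
        "deviceDirection": {"type": "long"},
    }}}},
}}}}

# Constructed: same fields after the Filebeat index template was loaded.
SETUP_MAPPING = {"filebeat-setup": {"mappings": {"properties": {
    "cef": {"properties": {"extensions": {"properties": {
        "ad": {"properties": {"policyid": {"type": "keyword"}}},
        "deviceDirection": {"type": "long"},
    }}}},
}}}}

if __name__ == "__main__":
    for index, mapping in (("filebeat-no-setup", NO_SETUP_MAPPING), ("filebeat-setup", SETUP_MAPPING)):
        print(index, "->", find_dynamic_keyword_fields(mapping, index) or "template applied")
```

Feed it the JSON from GET &lt;your-index&gt;/_mapping and any cef.*.keyword names it reports mean the module's template was not in place when those documents were indexed.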
Nope! Thank you for the prompt.