Cannot see data on Kiabana

Elastic Stack Beats
1

Hello there
Server info:
CentOS Linux release 7.7.1908 (Core)
packetbeat-6.8.3-1.x86_64
kibana-6.8.3-1.x86_64
elasticsearch-6.8.3-1.noarch

I cannot see the data on kibana when performing searches like this: beat.hostname: zebra.zebra.local, I can with another client with same beats version kernel and OS.

What I see on the logs:

|2019-09-26T11:04:01.012-0500|WARN|elasticsearch/client.go:539|Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbf5b563c0004125b, ext:69740609722629, loc:(*time.Location)(0x23223e0)}, Meta:common.MapStr(nil), Fields:common.MapStr{"meta":common.MapStr{"cloud":common.MapStr{"region":"us-east-1", "availability_zone":"us-east-1a", "provider":"ec2", "instance_id":"i-036cb01bad4965d63", "machine_type":"m5.xlarge"}}, "transport":"tcp", "dest":common.MapStr{"ip":"10.87.23.212", "port":0x1627, "stats":common.MapStr{"net_packets_total":0x367d, "net_bytes_total":0xf2126}}, "start_time":common.Time{wall:0x1d683b95, ext:63705040902, loc:(*time.Location)(nil)}, "last_time":common.Time{wall:0x2c7cec67, ext:63705110637, loc:(*time.Location)(nil)}, "type":"flow", "host":common.MapStr{"name":"kibana.zebra.lan", "os":common.MapStr{"platform":"centos", "version":"7 (Core)", "family":"redhat", "name":"CentOS Linux", "codename":"Core"}, "id":"f073c429a7456b53ec3e2c53460c5c8f", "containerized":false, "architecture":"x86_64"}, "source":common.MapStr{"ip":"10.87.22.110", "port":0xece8, "stats":common.MapStr{"net_packets_total":0x367d, "net_bytes_total":0x720cdc}}, "flow_id":"EAT/////AP//////CP8AAAEKVxZuClcX1OjsJxY", "final":false, "beat":common.MapStr{"hostname":"kibana.zebra.lan", "version":"6.8.3", "name":"kibana.zebra.lan"}}, Private:interface {}(nil)}, Flags:0x0} (status=400): {"type":"mapper_parsing_exception","reason":"Failed to parse mapping [doc]: Mapping definition for [body] has unsupported parameters:  [ignore_above : 1024]","caused_by":{"type":"mapper_parsing_exception","reason":"Mapping definition for [body] has unsupported parameters:  [ignore_above : 1024]"}}|
|---|---|---|---|
|2019-09-26T11:04:01.012-0500|WARN|elasticsearch/client.go:539|Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbf5b563c0004125b, ext:69740609722629, loc:(*time.Location)(0x23223e0)}, Meta:common.MapStr(nil), Fields:common.MapStr{"dest":common.MapStr{"ip":"10.87.22.110", "port":0x23f0, "stats":common.MapStr{"net_packets_total":0x2ea4, "net_bytes_total":0x4fa7ba}}, "start_time":common.Time{wall:0x1d6b5cc1, ext:63705040902, loc:(*time.Location)(nil)}, "flow_id":"EAT/////AP//////CP8AAAEKVwuPClcWbhSG8CM", "host":common.MapStr{"name":"kibana.zebra.lan", "architecture":"x86_64", "os":common.MapStr{"family":"redhat", "name":"CentOS Linux", "codename":"Core", "platform":"centos", "version":"7 (Core)"}, "id":"f073c429a7456b53ec3e2c53460c5c8f", "containerized":false}, "meta":common.MapStr{"cloud":common.MapStr{"instance_id":"i-036cb01bad4965d63", "machine_type":"m5.xlarge", "region":"us-east-1", "availability_zone":"us-east-1a", "provider":"ec2"}}, "transport":"tcp", "source":common.MapStr{"ip":"10.87.11.143", "port":0x8614, "stats":common.MapStr{"net_packets_total":0x5afd, "net_bytes_total":0xbe17a8}}, "last_time":common.Time{wall:0xed78d29, ext:63705110638, loc:(*time.Location)(nil)}, "type":"flow", "final":false, "beat":common.MapStr{"name":"kibana.zebra.lan", "hostname":"kibana.zebra.lan", "version":"6.8.3"}}, Private:interface {}(nil)}, Flags:0x0} (status=400): {"type":"mapper_parsing_exception","reason":"Failed to parse mapping [doc]: Mapping definition for [body] has unsupported parameters:  [ignore_above : 1024]","caused_by":{"type":"mapper_parsing_exception","reason":"Mapping definition for [body] has unsupported parameters:  [ignore_above : 1024]"}}|
|2019-09-26T11:04:01.012-0500|WARN|elasticsearch/client.go:539|Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbf5b563c0004125b, ext:69740609722629, loc:(*time.Location)(0x23223e0)}, Meta:common.MapStr(nil), Fields:common.MapStr{"source":common.MapStr{"ip":"10.87.29.209", "port":0x87ae, "stats":common.MapStr{"net_packets_total":0x4f2d, "net_bytes_total":0x1e51a54}}, "last_time":common.Time{wall:0xecb8cfe, ext:63705110625, loc:(*time.Location)(nil)}, "type":"flow", "flow_id":"EAT/////AP//////CP8AAAEKVxZuClcd0fAjroc", "meta":common.MapStr{"cloud":common.MapStr{"instance_id":"i-036cb01bad4965d63", "machine_type":"m5.xlarge", "region":"us-east-1", "availability_zone":"us-east-1a", "provider":"ec2"}}, "final":false, "transport":"tcp", "dest":common.MapStr{"ip":"10.87.22.110", "port":0x23f0, "stats":common.MapStr{"net_packets_total":0x29c3, "net_bytes_total":0x3be192}}, "start_time":common.Time{wall:0x1d6d4dcf, ext:63705040902, loc:(*time.Location)(nil)}, "beat":common.MapStr{"version":"6.8.3", "name":"kibana.zebra.lan", "hostname":"kibana.zebra.lan"}, "host":common.MapStr{"name":"kibana.zebra.lan", "architecture":"x86_64", "os":common.MapStr{"version":"7 (Core)", "fmily":"redhat", "name":"CentOS Linux", "codename":"Core", "platform":"centos"}, "id":"f073c429a7456b53ec3e2c53460c5c8f", "containerized":false}}, Private:interface {}(nil)}, Flags:0x0} (status=400): {"type":"mapper_parsing_exception","reason":"Failed to parse mapping [doc]: Mapping definition for [body] has unsupported parameters:  [ignore_above : 1024]","caused_by":{"type":"mapper_parsing_exception","reason":"Mapping definition for [body] has unsupported parameters:  [ignore_above : 1024]"}}|
|2019-09-26T11:04:01.012-0500|WARN|elasticsearch/client.go:539|Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbf5b563c0004125b, ext:69740609722629, loc:(*time.Location)(0x23223e0)}, Meta:common.MapStr(nil), Fields:common.MapStr{"source":common.MapStr{"ip":"10.87.45.19", "port":0x9238, "stats":common.MapStr{"net_bytes_total":0x7f5684, "net_packets_total":0x3b40}}, "start_time":common.Time{wall:0x3b4406e0, ext:63705040902, loc:(*time.Location)(nil)}, "type":"flow", "flow_id":"EAT/////AP//////CP8AAAEKVxZuClctE/AjOJI", "final":false, "beat":common.MapStr{"name":"kibana.zebra.lan", "hostname":"kibana.zebra.lan",

Compared to:
2019-09-26T16:33:26Z INFO Non-zero metrics in the last 30s: libbeat.es.call_count.PublishEvents=6 libbeat.es.publish.read_bytes=2203 libbeat.es.publish.write_bytes=21869 libbeat.es.published_and_acked_events=39

Im using default packebeat.yml , no special configuration just ES server IP.

Any hint appreciated
Thanks
Regars

2

hi @Kernel_Panic,

from the error "Mapping definition for [body] has unsupported parameters: [ignore_above : 1024]"}}|" it looks like the packebeat applied templates are pointing to mappings that do not match your index.
You could try overwriting the index templates (https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-template.html) or reloading them.

3

Will try that, thanks..

4

@MarianaD Hi
I added the following to packetbeat.yml and restarted and am seeing the same error, what else can I do? should I restart elasticsearch or kibana service too? this is the server itself, the one hosting ES, Kibana.

setup.template.name: "packetbeat-%{[beat.version]}"
setup.template.enabled: true
setup.template.overwrite: true

The only host that is reporting well has this beat version
packetbeat-5.6.16-1.x86_64

So it seems there is a version conflicts? server has 6.8 and the working client has 5.6, but the server with the same version level is not working? how can I address this?

Thanks for your time and support.

5

@MarianaD hello
Any idea on this? maybe is this a bug?
I installed heartbeat-elastic-6.8.3-1.x86_64 and I cannot see any Uptime information on kibana and am still seeing the same warning on the logs, and on discovery I see no information about the host either but what caught my attention is that with version 5.6 I can see the data, I mean , is being ingested.

heartbeat-elastic-6.8.3-1.x86_64

2019-10-05T12:37:15.978-0500 WARN elasticsearch/client.go:539 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbf5e5312ba26f489, ext:31555497918, loc:(*time.Location)(0x200e180)}, Meta:common.MapStr(nil), Fields:common.MapStr{"meta":common.MapStr{"cloud":common.MapStr{"region":"us-east-1", "availability_zone":"us-east-1a", "instance_id":"i-036cb01bad4965d63", "machine_type":"m5.xlarge", "provider":"ec2"}}, "tcp":common.MapStr{"port":0x23f0, "rtt":common.MapStr{"connect":common.MapStr{"us":93}}}, "resolve":common.MapStr{"rtt":common.MapStr{"us":179}, "host":"kibana.zebra.lan", "ip":"10.87.22.110"}, "monitor":common.MapStr{"name":"tcp", "type":"tcp", "host":"kibana.zebra.lan", "ip":"10.87.22.110", "duration":common.MapStr{"us":318}, "status":"up", "scheme":"tcp", "id":"tcp-tcp@kibana.zebra.lan:9200"}, "event":common.MapStr{"dataset":"uptime"}, "beat":common.MapStr{"name":"kibana.zebra.lan", "hostname":"kibana.zebra.lan", "version":"6.8.3"}, "host":common.MapStr{"name":"kibana.zebra.lan", "architecture":"x86_64", "os":common.MapStr{"platform":"centos", "version":"7 (Core)", "family":"redhat", "name":"CentOS Linux", "codename":"Core"}, "id":"f073c429a7456b53ec3e2c53460c5c8f", "containerized":false}}, Private:interface {}(nil)}, Flags:0x0} (status=400): {"type":"mapper_parsing_exception","reason":"Failed to parse mapping [doc]: Mapping definition for [monitor] has unsupported parameters: [properties : {duration={properties={us={type=long}}}, scheme={ignore_above=1024, type=keyword}, ip={type=ip}, name={ignore_above=1024, type=keyword}, host={ignore_above=1024, type=keyword}, id={ignore_above=1024, type=keyword}, type={ignore_above=1024, type=keyword}, status={ignore_above=1024, type=keyword}}]","caused_by":{"type":"mapper_parsing_exception","reason":"Mapping definition for [monitor] has unsupported parameters: [properties : {duration={properties={us={type=long}}}, scheme={ignore_above=1024, type=keyword}, ip={type=ip}, name={ignore_above=1024, type=keyword}, host={ignore_above=1024, type=keyword}, id={ignore_above=1024, type=keyword}, type={ignore_above=1024, type=keyword}, status={ignore_above=1024, type=keyword}}]"}

Thanks
Regards

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.