Combining metricbeat and winlogbeat

(Varun) #1

Is it possible to save winlogbeat output and metricbeat output to the same index in Elasticsearch?

If yes, what do I need to do for that?

(ruflin) #2

Yes, you can do that by defining the same index in the Elasticsearch output for both Beats. But I would strongly recommend against it as the two could have conflicting data fields.

Can you share a bit more about what you are trying to do? If it's just querying the data together, you can do that without having them in the same index.

(Varun) #3

I want to monitor Beat output using Elasticsearch and the Java API. For that I want to simplify the querying, so I am thinking of combining them into a single index. Then there is no need to create multiple queries, one for each index.

(ruflin) #4

You can run a single query against multiple indices. So there should be no need to combine both.

(Varun) #5

I didn't know that. How can I do that?

How do I get all data from 2 indices together?

For 1 query it's like below. I know that.
GET metricbeat/_search
{
  "query": {
    "match_all": {}
  }
}

(ruflin) #6


GET *beat/_search
{
  "query": {
    "match_all": {}
  }
}

(Varun) #7

I tried
POST *beat/_search
{ "size": 9999, "query":
{ "bool": { "must": [ { "range": { "@timestamp": { "gte": "05-11-2018 08-09", "lte": "05-11-2018 08-09", "format": "MM-dd-yyyy HH-mm" } } } ] } } }

But I get only metricbeat index data. I didn't get winlogbeat data.

(ruflin) #8

Can you paste the list of indices here running cat: ?

Can you try to run the above query without the range part but just match all and see if you get results?

(Varun) #9

yellow open winlogbeat sYKj8XUfTCSbOy1auHcojQ 5 1 33788 0 32.5mb 32.5mb
green open .kibana bs2HrAO8Q3WBSI3KtoE4sw 1 0 3 0 38.5kb 38.5kb
yellow open metricbeat 2E9LxwXvSmixetmtb3tbOA 5 1 1395669 0 620.2mb 620.2mb

It's my cat indices result.

I checked without range, by calling get all records. Still I didn't get data from winlogbeat.

(ruflin) #10

This is strange. Can you share a result output? Did you check all results or only the first top x?
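One way to answer the question in #10 (all results, or only the first top x?), as an added example that is not part of the thread: the request below asks for a per-index match count through a terms aggregation on the built-in `_index` field, and the summary compares those counts with the indices that actually appear in the returned page of hits. The function names `build_multi_index_search` and `summarize` are hypothetical, and the sample response is constructed, reusing the document counts from the cat indices output in #9.

```python
import json

def build_multi_index_search(indices, size=0):
    """Return (path, body) for one search across several indices.

    The terms aggregation on the built-in _index field counts matches per
    index, independent of how many hits the page itself returns.
    """
    path = "/" + ",".join(indices) + "/_search"
    body = {
        "size": size,
        "query": {"match_all": {}},
        "aggs": {"per_index": {"terms": {"field": "_index"}}},
    }
    return path, body

def summarize(response):
    """Compare indices seen in the returned page with indices that matched."""
    in_page = {}
    for hit in response["hits"]["hits"]:
        in_page[hit["_index"]] = in_page.get(hit["_index"], 0) + 1
    matched = {b["key"]: b["doc_count"]
               for b in response["aggregations"]["per_index"]["buckets"]}
    # Indices that matched the query but contributed no hit to this page.
    missing_from_page = sorted(i for i in matched if i not in in_page)
    return {"in_page": in_page, "matched": matched,
            "missing_from_page": missing_from_page}

# Constructed sample response (trimmed to the fields used above); the
# doc counts reuse the cat indices figures posted in the thread.
SAMPLE_RESPONSE = {
    "hits": {"hits": [
        {"_index": "metricbeat", "_id": "a1"},
        {"_index": "metricbeat", "_id": "a2"},
        {"_index": "metricbeat", "_id": "a3"},
    ]},
    "aggregations": {"per_index": {"buckets": [
        {"key": "metricbeat", "doc_count": 1395669},
        {"key": "winlogbeat", "doc_count": 33788},
    ]}},
}

if __name__ == "__main__":
    path, body = build_multi_index_search(["metricbeat", "winlogbeat"], size=3)
    print("GET", path)
    print(json.dumps(body, indent=2))
    print(summarize(SAMPLE_RESPONSE))
```
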
