I executed the following command to create FB dashboards:
filebeat setup --dashboards
And as expected, an index pattern called customname-* as well as a bunch of visualizations, dashboards and searches were created. At this point there was no index called customname-* yet.
I have put 1 test document that complies with the ECS schema into the index "customname-2020.10.28" and I can see the document correctly indexed in the Discover timeline.
Now, I'd like to see the document also in the dashboard. I'm particularly interested in the PANW module dashboards, but just any dashboard gives me this error: No matching indices found: No indices match pattern "apm-*"
These new dashboards should look for customname-* and not apm-*. What's wrong?
Pre-built dashboards are coupled with the default index patterns. If you want to make them work with your custom one you can modify them beforehand, editing kibana/.../mydash.json so as to replace the references to the custom patterns with the one that you are defining.
setup.dashboards.index
The Elasticsearch index name. This setting overwrites the index name defined in the dashboards and index pattern. Example: "testbeat-*"
You are correct, I missed this option and my answer was wrong, sorry for this!
I tried the option and loaded some dashboards, and then I exported the loaded dashboard from the Stack Management/Saved objects page to check the content. I see that the index_pattern is replaced with the custom one. Could you check your uploaded dashboards like this please? Also, what version of filebeat are you using?
That's strange. My export of a dashboard does not contain any changed pattern - still filebeat-*. I don't understand why the dashboard seeks apm-* though. I guess more than one index is involved in some dashboards like PANW?
I made a pastebin of the export of the dashboard "Filebeat [PANW] Network Flows ECS". You can see that it keeps referring to filebeat-*.
I use v7.8.0 in all modules, including Filebeat. I saw the same result in another environment where FB is v7.9.0.
Could you please share how you created your dashboards? Do they work?
My command was simply filebeat setup --dashboards.
I just tried to load the pre-built dashboards and they seem to work.
Not sure what exactly causes the issue with this specific dashboard, but it could be that the specific dashboard is a corner case that cannot be handled by the replacement script properly.
I would suggest opening a GitHub issue to report this since apparently the replacement option does not work for your case.
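The manual edit suggested earlier in the thread (rewriting the index pattern references in the dashboard JSON) and the check of the exported saved objects, as an added Python example that is not part of this thread and not Filebeat's own replacement code: it lists every index pattern a saved-objects export depends on and rewrites one pattern to another, so a stray reference such as apm-* shows up instead of being discovered through the dashboard error. The export layout here (ids, titles, `references` entries and the stringified `searchSourceJSON`) is a simplified stand-in for the Kibana 7.x format, and the sample objects are constructed to mirror the thread.

```python
import json
from typing import Any, List, Set, Tuple
# Constructed sample standing in for a Kibana 7.x saved-objects export (really
# one JSON object per line): two objects point at filebeat-*, one at apm-*.
SAMPLE_EXPORT: List[dict] = [
    {"id": "filebeat-*", "type": "index-pattern", "attributes": {"title": "filebeat-*"}},
    {"id": "vis-flows", "type": "visualization",
     "attributes": {"title": "Network Flows", "kibanaSavedObjectMeta": {
         "searchSourceJSON": json.dumps({"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index"})}},
     "references": [{"type": "index-pattern", "id": "filebeat-*"}]},
    {"id": "vis-legacy", "type": "visualization", "references": [],  # older inline style
     "attributes": {"kibanaSavedObjectMeta": {"searchSourceJSON": json.dumps({"index": "apm-*"})}}},
]
def _walk(node: Any, visit, key: Any = None) -> Any:
    """Depth-first walk that also parses JSON stored as a string and re-encodes it."""
    if isinstance(node, dict):
        return {k: _walk(v, visit, k) for k, v in node.items()}
    if isinstance(node, list):
        return [_walk(v, visit, key) for v in node]
    if isinstance(node, str) and node[:1] in ("{", "["):
        try:
            return json.dumps(_walk(json.loads(node), visit, key))
        except ValueError:
            pass  # an ordinary string that merely starts with a bracket
    return visit(key, node)

def find_index_patterns(objects: List[dict]) -> Set[str]:
    """Index patterns the export depends on (pattern objects, references, inline index)."""
    found: Set[str] = set()
    def visit(key: Any, value: Any) -> Any:
        if key == "index" and isinstance(value, str):
            found.add(value)  # legacy searchSourceJSON.index, hidden inside a string
        return value
    for obj in objects:
        if obj.get("type") == "index-pattern":
            found.add(obj["attributes"]["title"])
        found.update(r["id"] for r in obj.get("references", []) if r.get("type") == "index-pattern")
        _walk(obj.get("attributes", {}), visit)
    return found

def replace_index_pattern(objects: List[dict], old: str, new: str) -> Tuple[List[dict], int]:
    """Copy with every id/title/index reference to `old` rewritten to `new`, plus the hit count."""
    hits = [0]
    def visit(key: Any, value: Any) -> Any:
        if key in ("index", "id", "title") and value == old:
            hits[0] += 1
            return new
        return value
    return _walk(objects, visit), hits[0]
```

Running find_index_patterns on the sample after replacing filebeat-* with customname-* still reports apm-*, which is exactly the kind of leftover reference that produces the "No indices match pattern" error in Kibana.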