Creating dashboards for custom pattern from filebeat not working?

Karel_Cech · October 28, 2020, 8:33pm

Hi,

I am unable to use a not-default index naming for filebeat. According to the documentation, I have these settings in my filebeat.yml:

setup.template.name: "customname"
setup.template.pattern: "customname-*"
setup.dashboards.index: "customname-*"

I executed following command to create FB dashboards:

filebeat setup --dashboards

And as expected, an index pattern called customname-* as well as bunch of visualizations, dashboards and searches were created. At this point there was no index called customname-* yet.

I have put 1 test document that complies the ECS schema to the index "customname-2020.10.28" and I can see the document correctly indexed in the Discover timeline.

Now, I'd like to see the document also in the dashboard. I'm particulary interested in the PANW module dashboards, but just any dashboard gives me this error: No matching indices found: No indices match pattern "apm-*"

These new dashbords should look for customname-* and not apm-*. What's wrong?

Thanks

ChrsMark · October 29, 2020, 11:31am

Hi!

Pre built dashboards are coupled with the defaults index patterns. If you want to make them work with you custom one you can modify them beforehand, editing kibana/.../mydash.json so as to replace the references to the custom patterns with the one that you are defining.

C.

Karel_Cech · October 29, 2020, 2:39pm

Hi Chris, thanks.

Then, as far as I understand this part of the documentation, it's incorrect?

setup.dashboards.index
The Elasticsearch index name. This setting overwrites the index name defined in the dashboards and index pattern. Example: "testbeat-*"

BR

ChrsMark · October 30, 2020, 9:11am

Hmm,

you are correct, I missed this option and my answer was wrong sorry for this!
I tried the option and loaded some dashboards and then I go and export the loaded dashboard from Stack Management/Saved objects page to check the content. I see that the index_patternis replaced with the custom one. Could you check your uploaded dashboards like this please? Also what version of filebeat are you using?

Karel_Cech · November 2, 2020, 2:31pm

Hi Chris,

That's strange. My export of a dashboard does not contain any changed pattern - still filebeat-*. I dont understand why the dashboard seeks apm-* though. I guess more than one indices are involved in some dashboards like PANW?

I made a pastebin of the export of the dashboard "Filebeat [PANW] Network Flows ECS". You can see that it keeps referring to filebeat-*.

I use v7.8.0 in all modules, including Filebeat. I saw same result in other environment where FB is v7.9.0

Could you please share how did you create your dashboards? Do they work?
My command was simply filebeat setup --dashboards.

Thanks

ChrsMark · November 3, 2020, 10:07am

Hi!

I just tried to load the pre built dashboards and seem to work, .

Not sure what exactly causes the issue with this spesific dashboard but t could be that the specific dashboard is a corner case that cannot be handled by the replacement script properly.

I would suggest opening a Github issue to report this since apparently the replacement option does not work for your case.

system · December 1, 2020, 12:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.