Custom index name for auditbeat

Hi everyone,

I'm setting up a custom index name for auditbeat.
This part has worked so far, but if I want to load the default Kibana dashboards from auditbeat, I keep getting the error: "Could not locate that index-pattern".
I configured it like this:
setup.ilm.enabled: false

output.elasticsearch.index: "auditbeat-customname-%{[agent.version]}-%{+yyyy.MM.dd}"
setup.template.name: "auditbeat-customname"
setup.template.pattern: "auditbeat-customname-"
setup.dashboards.index: "auditbeat-customname-"

How do I need to configure Kibana to load data from the dashboards?
I think I've searched about everywhere and still can't seem to find a solution...

Try using a wildcard in the pattern:

setup.template.pattern: "auditbeat-customname-*"

Looking more closely, I think maybe your asterisk got swallowed in your post because you didn't format the code example as code.

I've run into your situation a few times (where the index pattern does not get created). It's hard to reproduce. I was able to create the index pattern manually in Kibana, and that seemed to work. See the Kibana docs: https://www.elastic.co/guide/en/kibana/current/index-patterns.html

Update: I was able to reproduce your problem, and the fix I suggested here didn't work. I think this might be a bug. Let me follow up with the development team to verify.

OK, here's the skinny:

There was a bug in this feature, but it should be fixed in the next release (7.7): https://github.com/elastic/beats/pull/17749

I confirmed that you can work around the problem by creating the index pattern (auditbeat-customname-*) manually in Kibana. Just make sure you also set the custom index pattern id under advanced:

Thanks! Creating the index manually fixed it for me. Worth updating to 7.7 when this releases?

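A cross-check of the settings discussed in this thread, as an added example that is not part of the original posts or of the Beats project: it confirms that the template pattern and the dashboards index pattern both match the names the custom index setting produces, and that ILM is disabled so the custom name takes effect. The function names, the flat-line parser and the sample text are constructed for illustration, and the check covers configuration consistency only, not the bug linked above.

```python
import fnmatch
import re

# Constructed sample: the settings from the question, with the trailing
# wildcards written out as the first reply suggests.
SAMPLE = '''
setup.ilm.enabled: false
output.elasticsearch.index: "auditbeat-customname-%{[agent.version]}-%{+yyyy.MM.dd}"
setup.template.name: "auditbeat-customname"
setup.template.pattern: "auditbeat-customname-*"
setup.dashboards.index: "auditbeat-customname-*"
'''

def parse_flat(text):
    """Parse flat 'dotted.key: value' lines (not a general YAML parser)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip().strip('"\'')
    return settings

def check(settings):
    """Return a list of problems that would leave the dashboards without data."""
    problems = []
    index = settings.get("output.elasticsearch.index")
    if not index:
        return problems  # default index naming, nothing to cross-check
    # The index setting is ignored while ILM is enabled (the default is "auto").
    if settings.get("setup.ilm.enabled", "auto") != "false":
        problems.append("ILM is not disabled, so the custom index name is ignored")
    # A custom index name needs a matching template name and pattern.
    for key in ("setup.template.name", "setup.template.pattern"):
        if not settings.get(key):
            problems.append(f"{key} is not set")
    # Replace each %{...} format field with a stand-in to get a concrete name.
    concrete = re.sub(r"%\{[^}]*\}", "x", index)
    for key in ("setup.template.pattern", "setup.dashboards.index"):
        pattern = settings.get(key)
        if pattern and not fnmatch.fnmatchcase(concrete, pattern):
            problems.append(f"{key} {pattern!r} does not match {concrete!r}")
    return problems

if __name__ == "__main__":
    for problem in check(parse_flat(SAMPLE)) or ["no problems found"]:
        print(problem)
```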