Custom index name for auditbeat

Elastic Stack Beats
1

Hi everyone,

I'm setting up a custom index name for auditbeat.
This part has worked so far, but if I want to load the default kibana dashboards from auditbeat, I keep getting the error: "Could not locate that index-pattern"
I configured like this:
setup.ilm.enabled: false

output.elasticsearch.index: "auditbeat-customname-%{[agent.version]}-%{+yyyy.MM.dd}"
setup.template.name: "auditbeat-customname"
setup.template.pattern: "auditbeat-customname-"
setup.dashboards.index: "auditbeat-customname-"

How do I need to configure kibana to load data from the dashboards?
I think I've searched about everywhere and still can't seem to find a solution...

2

Try using a wildcard in the pattern:

setup.template.pattern: "auditbeat-customname-*"
3

Looking more closely, I think maybe your asterisk got swallowed in your post because you didn't format the code example as code.

I've run into your situation a few times (where the index pattern does not get created). It's hard to reproduce. I was able to create the index pattern manually in Kibana, and that seemed to work. See the Kibana docs: https://www.elastic.co/guide/en/kibana/current/index-patterns.html

4

Update: I was able to reproduce your problem, and the fix I suggested here didn't work. I think this might be a bug. Let me follow up with the development team to verify.

5

OK, here's the skinny:

There was a bug in this feature, but it should be fixed in the next release (7.7): https://github.com/elastic/beats/pull/17749

I confirmed that you can work around the problem by creating the index pattern (auditbeat-customname-*) manually in Kibana. Just make sure you also set the custom index pattern id under advanced:

image
image1167×559 50.7 KB

6

Thanks! Creating the index manually fixed it for me. Worth updating to 7.7 when this releases?