Recently we had an issue with an app. This app is deployed on a server with filebeat and packetbeat configured. This means that the error log of this app is shipped to an index and packetbeat to another.
I wanted to create a dashboard that would let me see the errors and traffic generated by this problematic app. The problem that I see with a dashboard with visualization from different indices is that I cant apply filters without breaking half of my data.
Say that I want to filter only HTTP packetbeat data; I would click the field showing packetbeat data and that would work, but! would show no docs from the filebeat index (since no protocol or port field would exist)
I don't think that the filebeat should contain traffic related fields, and.. viceversa.
Any idea of which could be the right approach for this issue...?