These are both targeted by a Data View : filebeat-*
Using this data view in Discover, I can see all the events from both indices, however when using the Filebeat System dashboards, I can only see events from the filebeat-8.4.0 index.
I was under the impression that the dashboard would use the data view.
How can I check what the dashboard/visualisation is targetting?
How can I can add another index to the dashboard? (Is that even possible?)
If I change a data view to include more indices, do I need to do anything else to get the dashboard to refresh?
You can explore dependencies between Kibana saved objects in the dedicated page in the management application. Given a dashboard it can point directly to data views or to visualizations. Filbeats dashboards pint to visualizations, so you can check for those relationships. I've just tested in 8.4.3 and they point to the only created data view filebeat-* as you mentioned.
The data view should pick up all the indices given the name pattern. If it's not picking the data from your additional index I'd suggest you start checking the visualizations and the query they perform from the Inspect tool on the top right of Kibana to see why they are not getting the results you expect. Is the schema in your new index conforming to ECS as the default filebeat indices?
I did follow your advice, which proved to very useful. It didn't solve the issue, but it allowed me to see what the dashboards where actually looking for.
FYI, the custom index was ingesting Panorama (PANW) events, but the ingest pipeline was failing some of the required fields.
It's been a useful exercise, so thanks for your help.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
