Well OK, I just looked into it and it looks like the ML jobs are actually there ... you just need to create them with the correct data view... took me 5 mins. There is one hitch: there is a slight but important misconfiguration that will need to be corrected, i.e. the correct event.dataset
... I will show you how.
I understand there is already a PR to fix this, I don't have it handy
EDIT: 8.8.0 should already be fixed,
8.7.1 still has this error
1st, I am doing this with Elastic Agent Network Capture -> Elasticsearch
(No Logstash in the middle, although that should work according to the documentation)
Assumes agent is sending data
Go to ML - Jobs - Create Job
Select the correct data view logs-network_traffic
When you do that it will recognize it, and then select the correct job group. It is a little confusing because it says packetbeat (that should get cleaned up)
Select it
And you will get this screen and select Create Jobs
You need to go in and make one edit...
Edit the Data Feed (the event.dataset is wrong)
{
  "bool": {
    "filter": [
      {
        "term": {
          "event.dataset": "network_traffic.dns" <!---- THIS
        }
      },
Save and then Test the Data Feed ...
Should look something like this..
And voilà, you have the correct jobs pulling from the correct data view. You can just start it.
You can start it when you are ready.... You probably need to do the same with the others; the event.dataset
will be incorrect
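
Added example, not part of the original post or Elastic's own code: a small offline checker that walks a datafeed's query JSON, finds every `event.dataset` term filter, and rewrites values that lack the `network_traffic.` prefix shown in the corrected filter above. The post does not show the incorrect value, so the bare `dns` in the sample, the datafeed id, the index pattern and the "add the prefix" rule are all assumptions.

```python
import copy

PREFIX = "network_traffic."  # dataset prefix shown in the post's corrected filter


def _term_clauses(node):
    """Yield every term body that filters on event.dataset, at any depth."""
    if isinstance(node, dict):
        term = node.get("term")
        if isinstance(term, dict) and "event.dataset" in term:
            yield term
        for value in node.values():
            yield from _term_clauses(value)
    elif isinstance(node, list):
        for item in node:
            yield from _term_clauses(item)


def fix_datafeed(datafeed):
    """Return (patched_copy, changes); changes lists (old, new) dataset values."""
    patched = copy.deepcopy(datafeed)  # never mutate the caller's config
    changes = []
    for term in _term_clauses(patched.get("query", {})):
        old = term["event.dataset"]
        # A term may be written as a plain string or as {"value": "..."}.
        value = old["value"] if isinstance(old, dict) else old
        if value.startswith(PREFIX):
            continue  # already correct, leave untouched
        new = PREFIX + value  # assumption: the fix is only the missing prefix
        if isinstance(old, dict):
            old["value"] = new
        else:
            term["event.dataset"] = new
        changes.append((value, new))
    return patched, changes


# Constructed sample: a datafeed whose filter carries a bare dataset name.
SAMPLE = {
    "datafeed_id": "datafeed-example-dns-job",  # hypothetical id
    "indices": ["logs-network_traffic*"],       # hypothetical index pattern
    "query": {"bool": {"filter": [
        {"term": {"event.dataset": "dns"}},
        {"exists": {"field": "dns.question.name"}},
    ]}},
}

if __name__ == "__main__":
    fixed, changed = fix_datafeed(SAMPLE)
    print(changed)
    print(fixed["query"])
```

Review the reported changes for each job's datafeed before saving the edited query, then test the datafeed as described in the post.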