As Fleet became generally available earlier in the year, the Fleet development team and I wanted to share a few tips and tricks for getting the most out of using the Fleet app in Kibana.
If you aren't familiar with Fleet and the Elastic Agent, I recommend checking out the documentation here. Fleet is a Kibana app that lets you centrally manage an entire fleet of Elastic Agents at scale: it gives you a real-time view of agent status and lets you remotely upgrade agents, execute queries on each host, and contain security threats.
Quick note: All of these tips were gathered on Kibana version 7.16.
1. Easily keep your agent policies up to date
Firstly, I want to draw attention to a really useful feature introduced in Kibana 7.16. As new versions of integrations are released, it is now really simple to keep the integrations in your agent policies up to date.
Checking the "Upgrade agent policies" checkbox when upgrading an integration will upgrade the package in all of your agent policies, rolling the change out to your agents.
If you uncheck this box then you can still roll out the upgraded integration to your agent policies manually as before.
2. Use the assets tab to quickly access integration assets
When an integration is installed, it often comes bundled with useful Kibana assets, such as dashboards, for getting the most out of the data the integration produces. After installing an integration, head to the assets tab to see the assets that have been installed with it.
The assets tab is broken down by asset type, and you can follow links for each asset to view it.
3. Use the data streams view to see integration data
Integrations use data streams to store their data. To get to know the data streams that are available for a given integration you can use the data streams view in Fleet.
The data streams view allows you to filter streams by namespace (more on these in the next tip), integration, type, or dataset. You can also see the last time each stream received data and the size of the data stream.
4. Use namespaces to group integration data
A namespace is a user-configured, arbitrary grouping of data. Namespaces can be used to split your integration data any way you want; a popular use case we see is having separate namespaces for different environments (e.g. dev, staging and prod), but you can have any namespaces you like.
Namespace forms the final part of the data stream naming scheme (check out Nicolas's blog post here for a great intro). This means that you can easily search over a single namespace, e.g. GET /metrics-system.cpu-production/_search, or over all namespaces, e.g. GET /metrics-system.cpu-*/_search.
You can specify a namespace when adding an integration to an agent policy:
Bonus tip: Specify a default namespace for an agent policy.
To save you from specifying the namespace each time you add an integration, you can set a default namespace for the agent policy on creation (or in the policy settings menu):
5. Use @custom component templates to specify index settings
This slightly more advanced tip is really useful. The index templates created by Fleet are composed of component templates. One of these is the @custom component template, which is provided to allow users to specify custom index settings. Here I can see that the metrics-system.cpu index template has a metrics-system.cpu@custom component template:
The @custom component template is guaranteed to preserve your changes on integration (or Kibana) upgrade. You could use this component template to add a runtime field, or to specify an index setting such as an ILM policy, and the settings you specify will be applied across all namespaces.