Deleted Winlogbeat, Index patterns not showing in dashboard

(Ralph Lawrence) #1

I deleted Winlogbeat index and re added a new one. When i went to the Dashboard, the dedicated dash board that i had was unable to update to the new winlogbeat. Now I have to delete and start over because i get this notice that>> Could not locate index-pattern #manamement/kibana/index. How would i fix this problem in the feature in the event I updated winlogbeat?

(Andrew Kroh) #2

Are you talking about the indices stored in Elasticsearch or the Kibana index pattern? It should be fine to delete the indices from ES and load more Winlobeat data. The dashboards won't work if there are no winlogbeat-* indices during the interim period where there is no data. Do note that deleting the indices in ES will not cause Winlogbeat to reload all data when restarted; for that you must delete the file created by Winlogbeat that stores the last event sent (C:/ProgramData/winlogbeat/.winlogbeat.yml).

If you delete the winlogbeat-* index pattern from Kibana this could cause problems with any visualizations that are tied to that index-pattern. If you recreate the index pattern later using Kibana this could cause problems if fields that previously existed no longer exist. You can address this by ingesting winlogbeat data with those missing fields so that they are present in the Elasticsearch mapping. Then updating the winlogbeat-* index pattern.

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.