First, I am brand new to Elasticsearch, Kibana, and Logstash. I have been working with it for a few days now and now I have the following problem.
Please feel free to point out my mistakes and guide me in the right direction to accomplish my goals.
I added multiple data sources (database tables) with different data formats from my two SQL servers into one index pattern.
One is a production-style table, where user behavior is stored.
The second one is an error table where error messages and events are stored.
Finally, there is a table where additional log data is stored.
All three tables have a different table structure.
Now, I imported all the data (6.5 million docs) with Logstash into Elasticsearch. If I run /cat/indices I can see it.
I indexed them mfa_XXX, mfa_YYY and mfa_ZZZ.
The index pattern I used in Kibana was "mfa*". I created it after the first import, to check if everything was OK, and I saw my data. Then after the last (ZZZ) import I updated the index to see all the fields. All the fields in the index pattern list are there.
Now my problem:
I imported mfa_xxx first, then YYY and this afternoon ZZZ.
Now I can't access the data from XXX and YYY any longer; Discover only shows the ZZZ data. If I try to visualize all the other data, it just says "not available". If I search for it, it isn't there anymore.
The pattern fields are still there, but grayed out.
What happened? What did I do wrong?
How can I fix this, to be able to analyze all the data together, which is my job?
I am using:
all on Windows 7