Hello,
We're running an elastic stack consisting of Winlogbeat (7.16.1), Logstash (7.17.2), Elastic (7.17.2) and Kibana (7.17.2) nodes.
We tried using the Timeline feature and analyzing events, but it prompts an error ("Error loading data") and the process tree shows "unknown" on all 3 fields.
We aren't using the default winlogbeat-* index, but our custom index does have the process.entity.id and process.parent.entity.id fields containing the relevant data. We also have the agent.type field containing "winlogbeat" and the event.module field containing "sysmon".
We also tried to change the data source in the Timeline to our own index.
Is there a way to fix this?
We appreciate any help we'd get.