Export dashboard to Kibana fail

mcoa · October 5, 2018, 3:04am

Hello,
I'm try export dashboard to Kibana from filebeat but some dashboard give error (field not found). my client i've:

filebeat.yml

filebeat.inputs:
- type: log
  enabled: true
  paths:
    -/var/log/secure
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
setup.dashboards.enabled: true
setup.dashboards.directory: ${path.home}/kibana
setup.dashboards.index: filebeat-*
setup.kibana:
  host: "192.168.0.xxx:5601"
output.logstash:
  hosts: ["192.168.0.xxx:5044"]

And system module:

[root@web01 modules.d]# cat system.yml |grep -v "#"
- module: system
  syslog:
    enabled: true
    var.paths: ["/var/log/messages"]
  auth:
    enabled: true
    var.paths: ["/var/log/secure"]

In the "visualize" the field is empty (the same with other dashboard and visualize from filebeat)

Thanks.

kvch · October 5, 2018, 6:24am

How have you exported the dashboards?

mcoa · October 5, 2018, 12:48pm

Hi,
I'm exported dashboard with command

filebeat setup --dashboards

And the filebeat.yml i've setting the value:

setup.dashboards.enabled: true

Thanks.

kvch · October 5, 2018, 1:34pm

Dashboards need index templates also which are also imported by filebeat setup. You need to run filebeat setup without the flag.

mcoa · October 5, 2018, 1:56pm

I execute the command and change te output to elastic but not found..

[root@web01 filebeat]# filebeat setup
Loaded index template
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards
Loaded machine learning job configurations

output.elasticsearch:
  hosts: ["192.168.0.xxx:9200"]

Output log

|2018-10-05T10:41:09.296-0300|INFO|elasticsearch/client.go:712|Connected to Elasticsearch version 6.4.1|
|---|---|---|---|
|2018-10-05T10:41:09.297-0300|INFO|kibana/client.go:113|Kibana url: http://192.168.0.xxx:5601|
|2018-10-05T10:41:37.452-0300|INFO|instance/beat.go:659|Kibana dashboards successfully loaded.|
|2018-10-05T10:41:37.452-0300|INFO|elasticsearch/client.go:163|Elasticsearch url: http://192.168.0.xxx:9200|
|2018-10-05T10:41:37.455-0300|INFO|elasticsearch/client.go:712|Connected to Elasticsearch version 6.4.1|
|2018-10-05T10:41:37.455-0300|INFO|kibana/client.go:113|Kibana url: http://192.168.0.xxx:5601|

For example,from Kibana -> visualize -> select "SSH login attempts [Filebeat System]" , and the field is empty but search option and only list with ...keyboard system.auth.ssh.event.keyword when the doc says system.auth.ssh.event .

mcoa · October 8, 2018, 9:33pm

Hello,
The solution was delete an rebuild the filebeat and .kibana index. No idea what was wrong before.

Thanks.

system · November 5, 2018, 9:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.