Filebeat dashboards broken for 6.0


(Djtecha) #1

Looks like there are several visualizations that need to have the .keyword value appended to them. Is this a known issue? Doesn't look like there's a 6.0 folder yet so that's my guess.


(ruflin) #2

Which filebeat version are you using? 6.0 dashboards are only in FB 5.6.


(Djtecha) #3

This is the default dir. I'll just wait for the 6.0 ones and modify the default ones to work for now. Not sure if it's a high priority.


(ruflin) #4

Which filebeat version do you have?


(Djtecha) #5

6.1 as I just upgraded. Just curious if there was a timetable for this or I should create my own method for installing custom dashboards.


(ruflin) #6

So if you go with 6.1 and load the dashboards, the filebeat dashboards are still broken? If they are broken, feel free to open a GitHub issue or directly a PR to fix it in the beats repo.


(Djtecha) #7

I can do that, but should I create a 6.0 folder or modify the default? Because I'm sure the change I'll make won't be backwards compatible.


(Djtecha) #8

Actually, it kind of feels like these are generated on your end as they tend to use a specific ID hash. Not sure you want me to be making the pull requests in the .json files themselves.


(ruflin) #9

Can you be more specific which one of the dashboards is broken so I can try it out?

Just to be sure: You removed all dashboards you loaded with a beat < 5.6 and loaded the dashboards with 6.1. Then you see some errors in some / all of the filebeat dashboards?

For the directory, default is the one loaded with 6.x.


(Djtecha) #10

Both the dashboard/visualization/saved searches use the wrong fields on multiple occasions under the filebeat/modules/_meta/kibana directories. They will use a field that isn't the .keyword field, so matches never occur in 6.x.

Take for example:
beats/filebeat/module/system/_meta/kibana/5.x/visualization/f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json

One of the fields it uses is:
system.auth.useradd.name
but it should be:
system.auth.useradd.name.keyword

Basically a 6.x version should be cut, since filebeat does a version check to load in the dashboards, and we probably don't want to break the default ones as they are pre 5.x.


(ruflin) #11

Filebeat is shipped with 2 versions of the dashboards. One is in the 5.x directory and the other one in default. If you run filebeat against Kibana 6 and it loads the one from the 5.x directory this is a bug, it should load the ones from the default directory.


(Djtecha) #12

Right, no, it's using the default one. I'm just trying to get across the point that the default one also doesn't work quite right for 6.X for the same reasons, and maybe we should cut a 6.x folder vs. fixing the default json files.


(ruflin) #13

@djtecha Thanks for your patience on this one. Some renaming of the directories to allow more flexibility is planned here: https://github.com/elastic/beats/pull/5328

For the issue with the keyword, perhaps @monica knows more? Could you also open a GitHub issue with it?

