Filebeat OSQuery cannot locate index pattern

rcoundon · January 30, 2019, 7:52am

Using ElasticCloud 6.6.0 I'm trying to ship OSQuery data via Filebeat to Elasticstash.

On the machine with Filebeat I've set it up to connect to the Elastic Cloud Elasticsearch cluster and run "filebeat setup" where it tells me the dashboards are loaded correctly.

I can see in /var/log/filebeat/filebeat that data is being sent.

However, when I try to view the data in the Kibana OSQuery Compliance dashboard (note there's a small typo in the link on that page, it says Compilance instead of Compliance)
I see the message:

Could not locate that index-pattern-field (id: osquery.result.columns.platform_like) in each of the 1st three panes and then No Results Found in the rest.

What could be going on?

kvch · January 30, 2019, 8:53am

What index pattern have you set?

rcoundon · January 30, 2019, 8:55am

I haven't specifically set any index patterns for this as I thought that those were provided by the Filebeat setup and I don't know what the Dashboard is expecting. I couldn't see anything in the docs for that.

rcoundon · January 30, 2019, 9:26pm

Can you advise, what index patterns should I set?

system · February 27, 2019, 9:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.