I have recently installed Packetbeat 6.6.2 on 2 of our internal servers.
They do not have access to Elasticsearch and go through Logstash.
Packetbeat was unzipped locally on the Elasticsearch machine (1 Node) and run with the setup flags to allow for the setup of the index, dashboards, etc.
The Logstash config simply passes all Packetbeat data through with an index "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY-MM}".
I see HTTP and flow data arriving into Elasticsearch via Kibana, but when loading the Packetbeat flows dashboard the Top Hosts creating traffic and Top hosts receiving traffic visualisations are unexpectedly high and keep climbing.
It seems like the visualisations are adding together stats.net_bytes_total for all time instead of that time period.
I had Packetbeat running overnight and came in this morning to the 2 dashboard visualisations showing 7 billion and growing.
These were reset this morning and the process repeated, but I was unable to figure out why the visualisations are doing this.
Is this behaviour expected? And is there anything I can do to remedy this, as the dashboard feels like it is pretty useless with this behaviour?