Anyone an idea why the ml job does not seem to start processing records? There is definitely signin data in our filebeat index.
Any suggestion is welcome to make this work. I'm trying to replicate some Azure Sentinel functionalities and find out when a user is signing in from an anomalous location.
(first time I'm using the lat_long detector so it's probably a rookie mistake)
The field_name that you supply must be a single string that contains two comma-separated numbers of the form latitude,longitude, a geo_point field, a geo_shape field that contains point values, or a geo_centroid aggregation. The latitude and longitude must be in the range -180 to 180 and represent a point on the surface of the Earth.
Can you verify the type of field your geo.location field is mapped as?
If you're seeing nothing in the datafeed preview you should probably test to see if your query of the raw data is working as expected. Take what you have as the datafeed query and try it as a standard _search (I'm guessing below that your index pattern is indeed filebeat-*, but modify if necessary):
Hmm...well there is nothing obvious that is wrong. I attempted a similar configuration using the kibana_sample_data_ecommerce data that ships with Kibana.
Perhaps try it on the sample data and then compare with your "real" setup and see what is different? If you cannot figure it out after that, It will be hard to debug further in this setting. A proper Support Case would likely be necessary.
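As an added example, not part of any reply in this thread, the script below does offline what the replies above suggest checking by hand: it reports the mapped type of geo.location per index from a GET filebeat-*/_mapping reply, and it audits a batch of _search hits to count how many documents carry a value the lat_long detector can actually use (a "lat,lon" string, a geo_point object or a [lon, lat] array) versus missing or malformed values. The sample hits and mapping reply are constructed for illustration; the field name geo.location and the -180..180 range come from the thread.

```python
import json

# Range the quoted ML documentation states for both latitude and longitude.
LAT_LONG_RANGE = (-180.0, 180.0)
FIELD = "geo.location"  # the field the job in this thread uses


def get_path(doc, dotted):
    """Walk a dotted path through nested dicts; fall back to a flattened key."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return doc.get(dotted) if isinstance(doc, dict) else None
        cur = cur[part]
    return cur


def parse_lat_long(value):
    """Return (lat, lon) when value is in a shape lat_long accepts, else None.

    Accepted shapes: "lat,lon" string, geo_point object {"lat": .., "lon": ..},
    or a two-element [lon, lat] array (GeoJSON order).
    """
    try:
        if isinstance(value, str):
            parts = value.split(",")
            if len(parts) != 2:
                return None
            lat, lon = float(parts[0]), float(parts[1])
        elif isinstance(value, dict):
            lat, lon = float(value["lat"]), float(value["lon"])
        elif isinstance(value, (list, tuple)) and len(value) == 2:
            lon, lat = float(value[0]), float(value[1])
        else:
            return None
    except (KeyError, TypeError, ValueError):
        return None
    lo, hi = LAT_LONG_RANGE
    if not (lo <= lat <= hi and lo <= lon <= hi):
        return None
    return (lat, lon)


def audit_hits(hits, field=FIELD):
    """Count usable, missing and malformed values of `field` across _search hits."""
    summary = {"usable": 0, "missing": 0, "malformed": 0, "examples": []}
    for hit in hits:
        src = hit.get("_source", hit)
        value = get_path(src, field)
        if value is None:
            summary["missing"] += 1
        elif parse_lat_long(value) is None:
            summary["malformed"] += 1
            if len(summary["examples"]) < 3:
                summary["examples"].append(value)
        else:
            summary["usable"] += 1
    return summary


def mapped_types(mapping_response, field=FIELD):
    """Collect the mapped type of `field` in every index of a GET <index>/_mapping reply."""
    types = set()
    for index_body in mapping_response.values():
        props = index_body.get("mappings", {}).get("properties", {})
        node = None
        for part in field.split("."):
            node = props.get(part)
            if node is None:
                break
            props = node.get("properties", {})
        if node is not None:
            types.add(node.get("type", "object"))
    return types


# Constructed sample data (not taken from the thread): five hits and a mapping reply
# for two daily indices, one of which maps geo.location differently.
SAMPLE_HITS = [
    {"_source": {"geo": {"location": "52.37,4.89"}}},
    {"_source": {"geo": {"location": {"lat": 51.5, "lon": -0.12}}}},
    {"_source": {"geo": {"location": [4.89, 52.37]}}},
    {"_source": {"geo": {"location": "Amsterdam"}}},
    {"_source": {"geo": {"country_iso_code": "NL"}}},
]
SAMPLE_MAPPING = {
    "filebeat-sample-2021.01.01": {"mappings": {"properties": {
        "geo": {"properties": {"location": {"type": "geo_point"}}}}}},
    "filebeat-sample-2021.01.02": {"mappings": {"properties": {
        "geo": {"properties": {"location": {"type": "keyword"}}}}}},
}

if __name__ == "__main__":
    print(json.dumps(audit_hits(SAMPLE_HITS), indent=2))
    print("mapped types of", FIELD, "->", sorted(mapped_types(SAMPLE_MAPPING)))
```

To run it against real data, replace SAMPLE_HITS with the "hits" array of the same _search you use as the datafeed query and SAMPLE_MAPPING with the body of GET filebeat-*/_mapping; a high "missing" or "malformed" count, or more than one mapped type across indices, points at the data rather than the job configuration.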
Not sure what I'm doing wrong on my Azure signin logs.. Tried recreating the lat_long("geo.location") by "azure.signinlogs.identity" but again no records processed.
Well I created the job 2 days or so after we started using the signin logs dataset. And configured it to start from the beginning of the data and continue. I attached a video to the case. Grtz