It seems that the default behavior of `filebeat setup --dashboards` is to load all dashboards rather than just dashboards for the modules enabled via config or `--modules`.

Is there a way to only have `filebeat setup --dashboards` load Kibana dashboards for one specific module? Otherwise, it takes a significant amount of time for `filebeat setup` to run and load about 80 dashboards that we don't use.

Reproducible example from `docker.elastic.co/beats/filebeat:8.5.3`:
```sh
cat << EOF > /tmp/filebeat.yml
filebeat.config:
  modules:
    path: \${path.config}/modules.d/*.yml
    reload.enabled: false
filebeat.overwrite_pipelines: true
filebeat.modules:
  - module: suricata
    eve:
      enabled: true
      var.paths: ["/var/log/suricata/eve.json"]
setup.kibana:
  host: kibana-8-kb-http:5601
  protocol: http
  username: REDACTED
  password: REDACTED
output.elasticsearch:
  hosts: ["elastic8-es-http:9200"]
  protocol: https
  ssl:
    verification_mode: none
  username: REDACTED
  password: REDACTED
  index: "suricata-eve-%{[agent.version]}"
setup.dashboards:
  enabled: true
  index: "suricata-eve-*"
setup.template:
  enabled: true
  name: "suricata-eve-%{[agent.version]}"
  pattern: "suricata-eve-%{[agent.version]}"
  overwrite: true
  settings:
    index.number_of_shards: 5
    index.number_of_replicas: 1
setup.ilm:
  enabled: true
  policy_name: 90-days-default
EOF

filebeat setup \
  -e \
  --path.config /tmp \
  --pipelines \
  --dashboards \
  --index-management \
  --modules suricata
```

Note: the setup above is for a Filebeat->Kafka->Logstash->Elasticsearch pipeline.