I used ./metricbeat setup to import the template of metricbeat. However the screen of the settings is blank so I cant select the event.dataset.keyword field over event.dataset field to remove this message.
What would you guys recommend? Is there an easy way to edit the field where to get the data from?
@Peter_Steenbergen I think what's happened here is that there is an index matching the metricbeat-* pattern that doesn't have the mappings applied properly. It's almost like an event was indexed before the mapping template (from metricbeat setup) was in place. When that happens Elasticsearch defaults to the default mappings which gives you two fields event.dataset which is a "text" field and event.dataset.keyword which is a "keyword" field. The proper Metricbeat template defines event.dataset as a "keyword" field.
The quick fix would be to run DELETE metricbeat-* in the console. Then when the next event shows up it will re-create the index with the proper mappings.
Hmm weird, deleting the index did not get it processed. I gave a server to little rights. so the ILM etc kicked in but not trigger the template. I pushed it manually now.
You're the second case I've seen this week with almost the same issue. It sounds like you're using ILM, is there more details you can provide around how your metricbeat-* indices are being managed? I wonder if there is a bug somewhere that's not setting up the indices right?
I will check this out later today or tomorrow. I will stop the monitors connected to it, and connect 1 after one by resetting everything. Best way to find a bug still in beta for the cluster anyways so no big deal (yet) ;).
It was a bit weird while debugging. How I fixed it was. Stopping all the connected metricbeats as a service (systemctl stop metricbeat). Removed all the indexes, and patterns and index template of metricbeat.
I downloaded the latest update of metricbeat to my osx machine locally and connected to the live location. I ran this afterwards:
./metricbeat setup -e
After that I got 2 index patterns of metricbeat-* and one of which had event.dataset as a text field and subfield of keyword. The second one was the correct one of the needed keyword. Why did there were 2 index patterns after setting it up, I have no clue but after removal of the wrong one, everything works again with no changes on the workers whatsoever.
Can't seem to reproduce it on a new stack, but will try later with a 7.4.2 version and then reupgrade again to see if I can reproduce it.
@Peter_Steenbergen First off... Thanks for the update! This will help us come up with a work around for other users who might experience this class of issues. I'm going to send this thread to our Beats team and see if they have any insights.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.