Kibana 7.3 - Default Dashboard for IIS - 3 of 5 Elements Have Visualization Errors

antonio84 · September 18, 2019, 7:14pm

Fresh install ELK Stack v7.3, with Filebeat agent on a Win 2012 Server.

I'm using the [Filebeat IIS] Access and Error Logs ECS dashboard, and each time it loads, I get three errors about visualization.
Two of the Elements work just fine, the "Response Code over time" and "Error logs over time".

But, the Browsers Breakdown, OS Breakdown, and Top URLs do not show anything. When I click on Inspect, they show no data.

I am using Filebeat to send logs directly to Elasticsearch, I'm not using logstash.

When I try to load the dashboards from my Windows server running Filebeat, I get the below. It might be due to having them loaded already?

Exiting: Failed to import dashboard: Failed to load directory C:\Program Files\Filebeat\kibana/7/dashboard:
  error loading C:\Program Files\Filebeat\kibana\7\dashboard\Filebeat-iis.json: index [.kibana_1] blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];. Response: {"objects":[{"id":"eb2db5b0-fe11-11e7-a3b0-d13028918f9f-ecs","type":"visualization","error":{"message":"index [.kibana_1] blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];"}},{"id":"f31414b0-fe14-11e7-a3b0-d13028918f9f-ecs","type":"vis... (truncated)

Here is the error regarding the Visualizations when I load the page:

{
  "message": "[esaggs] > Request to Elasticsearch failed: {\"error\":{\"root_cause\":[{\"type\":\"illegal_argument_exception\",\"reason\":\"Fielddata is disabled on text fields by default. Set fielddata=true on [url.path] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.\"}],\"type\":\"search_phase_execution_exception\",\"reason\":\"all shards failed\",\"phase\":\"query\",\"grouped\":true,\"failed_shards\":[{\"shard\":0,\"index\":\"filebeat-7.3.0\",\"node\":\"skjSGSf6SZSkjhOsrh0Ubw\",\"reason\":{\"type\":\"illegal_argument_exception\",\"reason\":\"Fielddata is disabled on text fields by default. Set fielddata=true on [url.path] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.\"}}],\"caused_by\":{\"type\":\"illegal_argument_exception\",\"reason\":\"Fielddata is disabled on text fields by default. Set fielddata=true on [url.path] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.\",\"caused_by\":{\"type\":\"illegal_argument_exception\",\"reason\":\"Fielddata is disabled on text fields by default. Set fielddata=true on [url.path] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.\"}}},\"status\":400}",
  "origError": false,
  "resp": {
    "error": {
      "root_cause": [
        {
          "type": "illegal_argument_exception",
          "reason": "Fielddata is disabled on text fields by default. Set fielddata=true on [url.path] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."
        }
      ],
      "type": "search_phase_execution_exception",
      "reason": "all shards failed",
      "phase": "query",
      "grouped": true,
      "failed_shards": [
        {
          "shard": 0,
          "index": "filebeat-7.3.0",
          "node": "skjSGSf6SZSkjhOsrh0Ubw",
          "reason": {
            "type": "illegal_argument_exception",
            "reason": "Fielddata is disabled on text fields by default. Set fielddata=true on [url.path] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."
          }
        }
      ],
      "caused_by": {
        "type": "illegal_argument_exception",
        "reason": "Fielddata is disabled on text fields by default. Set fielddata=true on [url.path] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.",
        "caused_by": {
          "type": "illegal_argument_exception",
          "reason": "Fielddata is disabled on text fields by default. Set fielddata=true on [url.path] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."
        }
      }
    },
    "status": 400
  }
}

pmercado · September 19, 2019, 7:23am

Hi @antonio84,

I think that error is a well known one.
Can you make sure that your index template is up to date, and that that field url.path is typed keyword

antonio84 · September 19, 2019, 2:26pm

Sorry for the newbie question, but what does “index template up to date” mean? I’ve been trying to troubleshoot the index template, unsuccessfully.

Also, where is url.path located? I found one in the log4j2.properties:

            %varsNotEmpty{, "url.path":"%enc{%map{url.path}}{JSON}"}\
         
        "url.path" the URI component between the port and the query string; it is percent (URL) encoded

system · October 17, 2019, 2:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.