Kibana Dashbaird shows "No results found"

I installed Suricata 6.0.0 and using filebeat to ship events >logstash>elasticseacrh
I can see Suricata events when checking Discovery in Kibana. However , when trying to run Suricata Events dashboards ,I get "No sutures found"

The following error is :
Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [host.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.

When I try to to set "host.name" fileddata=true , the error is not shown up . Hoever, still the dashboard return no results . I am new to ELK . Can anyone help out please?

it seems like host.name should be a keyword field but is indexed as "text". Try changing your mapping and re-ingesting your data and see whether it helps.

Hi flash1293,
The issue fixed . I commented the input section in filebeat.yml and depends only on suricata module under /etc/filebeat/module.d/suricata.yml. When I did that , kibana confirmed data is received from"suricata module". Then Suricata dashboards in Kibana started showing data .

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.