Kibana error fetching fields for index pattern

Hi,

Have seen this question pass by several times, however yet I have found no solution.
I have this ELK 7.7 stack. I try to index a log file and view the reults in Kibana.

I have quite a default kibana installation and have not enabled security .

However when I try to fetch data, I get the error: fetching fields for index pattern xxxx forbidden.

What is forbidden, why is it forbidden (since not enabled security) en how die I fix that?

Regards

edit:
The full error as copied from the error popup:

Wrapper@https://kibana.srv/bundles/commons.bundle.js:3:4001561
HttpFetchError@https://kibana.srv/bundles/commons.bundle.js:3:4003311
_callee3$@https://kibana.srv/bundles/commons.bundle.js:3:3997981
l@https://kibana.srv/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:970404
s/o._invoke</<@https://kibana.srv/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:970159
_/</e[t]@https://kibana.srv/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:970758
asyncGeneratorStep@https://kibana.srv/bundles/commons.bundle.js:3:3991496
_next@https://kibana.srv/bundles/commons.bundle.js:3:3991815
Q/<@https://kibana.srv/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:938246
r@https://kibana.srv/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:283:27572

Proper filtering in logstash was not in place, so kibana made it's own choices appaerantly. It helped to place the correct conf in /etc/logstash/conf.d

Wel, I removed my own solutionmark, since I still get the error.

The latest one:

Error fetching fields for index pattern index1-* (ID: d99abc40-cdb6-11ea-b35e-cdfa03767e2c)

    Forbidden

A click on "see the full error" gives:

_construct@https://kibana.srv/bundles/commons.bundle.js:3:4002451
Wrapper@https://kibana.srv/bundles/commons.bundle.js:3:4001561
HttpFetchError@https://kibana.srv/bundles/commons.bundle.js:3:4003311
_callee3$@https://kibana.srv/bundles/commons.bundle.js:3:3997981
l@https://kibana.srv/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:970404
s/o._invoke</<@https://kibana.srv/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:970159
_/</e[t]@https://kibana.srv/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:970758
asyncGeneratorStep@https://kibana.srv/bundles/commons.bundle.js:3:3991496
_next@https://kibana.srv/bundles/commons.bundle.js:3:3991815
Q/<@https://kibana.srv/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:938246
r@https://kibana.srv/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:283:27572

What might cause this? Never saw this on 6.x?

Have you looked at your elasticsearch config? I suspect there's a permissions issue.

EHmm... But what should I look at? I did not set any security at all,other d=than an nginx in front to go through ldap.

Perhaps it would be helpful to look at kibana and elasticsearch logs for errors.

If you go to Management -> Index Patterns and open index1-* do you get an error or can see the index pattern?

I see the index pattern

i get same issue. when i want to update, create, delete the index pattern i get error like bellow. its error in .kibana index? but when i save a visualization or dashboard its run normal without any error. i had see log in kibana.log and elastic, but i didnt find the error .

image1892×759 91 KB

Perhaps it would be helpful to look at kibana and elasticsearch logs for errors.

Checked kibana.log and the elasticsearch.log and server.json of the node kibana connects to. Both show no errors in the logs.

It must be something in my setup since I have 2 clusters which are setup the same way and both show this error.

@Tuckson could you post a har file with the error? I'm still not certain where the specific error is occuring.

@umay_fb I think you have a different problem from Tuckson. Could you post a har file with the error? I see a number of errors in your screenshot - the unexpected token, a failure to load js, and a 501 error. Any or all of these may be related or unrelated.

"response": {
                    "status": 501,
                    "statusText": "",
                    "httpVersion": "http/2.0",
                    "headers": [
                        {
                            "name": "status",
                            "value": "501"
                        },
                        {
                            "name": "server",
                            "value": "AkamaiGHost"
                        },
                        {
                            "name": "mime-version",
                            "value": "1.0"
                        },
                        {
                            "name": "content-type",
                            "value": "text/html"
                        },
                        {
                            "name": "content-length",
                            "value": "366"
                        },
                        {
                            "name": "expires",
                            "value": "Fri, 07 Aug 2020 02:06:30 GMT"
                        },
                        {
                            "name": "date",
                            "value": "Fri, 07 Aug 2020 02:06:30 GMT"
                        }
                    ],
                    "cookies": [],
                    "content": {
                        "size": 366,
                        "mimeType": "text/html"
                    },
                    "redirectURL": "",
                    "headersSize": -1,
                    "bodySize": -1,
                    "_transferSize": 488,
                    "_error": null
                },
                "serverIPAddress": "119.110.115.144",
                "startedDateTime": "2020-08-07T02:06:31.238Z",
                "time": 40.0919999810867,
                "timings": {
                    "blocked": 5.254999973088503,
                    "dns": -1,
                    "ssl": -1,
                    "connect": -1,
                    "send": 0.7010000000000001,
                    "wait": 31.378000020191074,
                    "receive": 2.757999987807125,
                    "_blocked_queueing": 2.778999973088503,
                    "_blocked_proxy": 0.5209999999999999
                }
            }
        ]
    }
}

here my har, sorry cause for lmit post only 13000 char i just post the response. its 501 error, is it error in server? but if in server why this error only appear when i create, delete and update index pattern?

Umay,

It is not very nice to jihack someones topic for your own questions when the original question has not been solved yet. It's also against the forumrules (See FAQ). Please be so kind as to open a seperate topic for your question.

Well, need to figure out how to post an attachment here...

In the mean time: currently running on ES & kibana 7.8.1, CentOS Linux release 7.8.2003 (Core)

Edit: Please find the har file (for a limited time under this link, since I seem not to be able to post files here.

Edit2:Since I wondered it might be something with filepermissions I checked those on my db's and kibana server. I did not find anything that made me wonder that cloud be the cause.

I can tell you're attempting to connect to your sever through Akamai. It would be good to try hitting it directly. Also, I can't see the request being made. You can use https://gist.github.com/ for sharing data.

Are you using a proxy of any sort? I see a couple of 401 errors that contain correct responses. I'm not sure why that would happen. I see an nginx error when attempting to update the index pattern field list.

Agreed, generally I don't mind but its probably playing havoc with notifications.

OK.

Issue solved.
Elastic has renamed a lot of fields when going from 6 to 7. Among these fields in 6 was also the 'beats' object which is partly replaced by the 'agent' object in 7.

However in the logstash filter the beats.name, beats.hostname en beats.version were specifically mapped to have them visible in our listings.

I changed this to proper names, pushed the configs en reindexed the bunch.

And now the error is gone.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.