Kibana Not seeing Indexes

Elastic Stack Kibana
1

Hi,

Seem to have an issue with Kibana seeing indexes properly. I have a index pattern called winlogbeat-6.2.4-*

In elastic-hq i can see the indexes winlogbeat-6.2.4-2018.04.20 for each day but when i go to discover i get:

There is a problem with this saved object
The index pattern associated with this object no longer exists.
If you know what this error means, go ahead and fix it — otherwise click the delete button above.

If i change to either winlogbeat-6.2.4-* or winlogbeat-6.2.4 i still get the error:

kibanaSavedObjectMeta.searchSourceJSON
{
"index": "winlogbeat-6.2.4-*",
"highlightAll": true,
"version": true,
"query": {
"language": "lucene",
"query": "computer_name: Veeam1 AND message: Warning"
},
"filter": []
}

Any help would be great, i can`t seem to get my head round having the indexes working in Kibana.

Cheers,

2

It seems like your index pattern definition inside Kibana is vanished (for whatever reason).

Please use the button provided in the UI or head to the index pattern page in management to recreate the index pattern. For other saved objects (dashboard, visualizations, etc.) to continue working, you will need to reuse the same ID, that the old index pattern had (which should work automatically if you use the link provided in the UI).

Cheers,
Tim

3

Hi,

Thanks for the super quick reply. Which button (sorry i`m starting out still). When re-creating the index pattern do i use winlogbeat-* as i seem to have indexes with winlogbeat- and winlogbeat-6.2.4:

winlogbeat-2018.04.24 248.1k 5 1 240.3 MB 4.6 MB
winlogbeat-2018.04.25 1.6m 5 1 1.3 GB 25.5 MB
winlogbeat-2018.04.26 53.3k 5 1 50.3 MB 991.4 KB
winlogbeat-6.2.4-2018.04.20 4.1k 5 1 5.5 MB 76.6 KB
winlogbeat-6.2.4-2018.04.21 143 5 1 229.7 KB 6.3 KB

Also how do i find the original ID, or the link?

regards,

4

Oh sorry I thought you were getting a different error message. Yeah in that case I think you just need to recreate the index pattern and there is no "original ID", which most likely also means that you cannot reuse existing dashboards etc. Maybe if you are using beats, you could try recreating all those dashboard using the appropriate beats command.

Otherwise I think you want to add winlogbeat-* as index pattern, if you want to have access to all the data, with winlogbeat-6.2.4-* you would only get access to the indexes from 2018-04-20 and 2018-04-21 and not the newer ones.

Cheers,
Tim

5

Hi,

Ok i have performed the following:

Deleted all indexes in elastic, i`m going to start a fresh with new data.
Deleted all existing index patterns in kibana
Created new index pattern called winlogbeat-*
Removed all data from my second node, restarted elastic service, i can see that is replicating
Deleted all dashboards
Deleted all visualisations
Deleted all searches i had

So next do i just need to ensure all my beats agents are restarted and then run the setup kibana to re-create the dashboards and visualisations?

regards,

6

I think you should still delete that index pattern in Kibana, but besides that everything should be fine. The beats setup should setup everything correctly for you if you are using a fresh installation (no dashboards, indexex, etc.)

Cheers,
Tim

7

Sure :slight_smile: I have a working dashboard so i can see event types coming in which is good to see!

I have updated the winlogbeat.yml on each host to talk directly to elastic instead of logstash, is their any benefit to using logstash instead?

regards,

8

I think you should ask this questions rather in the Beats subforum, for proper answers. I could move the topic there, but I think you would get more attention if you just open a new question there (since it doesn't already show that it has several answers). Would that be okay for you?

Cheers,
Tim

9

I will open a new one :slight_smile:

Class this as resolved and i appreciate your time on this :slight_smile:

Regards,

10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.