MongoDB logs no more displayed in Kibana Filebeat MongoDB dashboard after 7.10 migration

ORich · January 27, 2021, 9:53am

Dear experts,
after migration from 6.5.4 to 7.10.2, I cannot display anymore my logs collected by the default Filebeat MongoDB module in Kibana Dashboard Overview [Filebeat MongoDB].
I notice some updates in the provided pipeline filebeat-x.x.x-mongodb-log-pipeline between 6.5 and 7.10.
For instance, the field mongodb.log.severity in 6.5 is replaced by log.level in 7.10 but according to 7.10 documentation mongodb.log.severity is defined as an alias to log.level. However mongodb.log.sevirity is not displayed anymore in Kibana Discover view left pannel i.e. only mongodb.log.component and mongodb.log.context are still available.

When inspecting the request invoked from Kibana dasboard, I always get 0 hints albeit I have many log entries in my index filebeat-7.10.2-mongodb-2021.01.27-000001managed by ilm.

Please help since I do not see anymore direction to investigate further more.
Thanks & Best Regards

      "query": {
        "bool": {
          "must": [
            {
              "query_string": {
                "query": "mongodb.log.severity: *",
                "analyze_wildcard": true,
                "time_zone": "Europe/Paris"
              }
            },
            {
              "query_string": {
                "query": "*",
                "analyze_wildcard": true,
                "time_zone": "Europe/Paris"
              }
            }
          ],

ORich · January 27, 2021, 1:10pm

Hi @Marius_Dragomir, I noticed your gave some help on a similar case last Sept 2020 ... I just would like to add that I do face the same issue whith nginx dashboard : no data displayed ... Please note that I have a specific index per application I am collecting the logs from : mongodb, nginx, ... :

ORich · January 28, 2021, 10:29am

I noticed that Kibana is offering 2 dashboards relative to MongoDB:

Overview [Filebeat MongoDB]
[Filebeat MongoDB] Overview ECS

The second one is displaying all MongoDB log information as expected because he does filter the field log.level.

I have no idea why we have 2 distinctive dashboards for MongoDB in Elastic 7.10.2 with such opposite behaviors ?

Thanks

  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "exists": {
                  "field": "log.level"
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "match_all": {}
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2021-01-28T09:24:04.075Z",
              "lte": "2021-01-28T10:24:04.075Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }

ORich · January 28, 2021, 10:38am

Same remark for Nginx dashboard ... ECS does the job as expected

wylie · January 28, 2021, 5:20pm

You may want to ask your beats and ECS questions in the separate Beats forum that we have, monitored by the teams that work on those products.

I can help you with your Discover question, which has a simple answer: alias type fields, and multi-mapped fields in general, are not shown in Discover. We have recently merged changes to this which will get rolled out in future versions of the stack, but for now this is expected behavior.

I can't help you understand why there are 2 similar dashboards, but it seems like one of these 2 things is true:

a. Maybe one of the dashboards was carried over from previous versions of filebeat
b. Maybe this is intentional and filebeat expects you to analyze the data in 2 different ways

ORich · January 29, 2021, 7:37am

Thanks for your supprot @wylie . I guess option a. Maybe one of the dashboards was carried over from previous versions of filebeat is the good one. I gonna try to retag my case as Beat to get Beats experts feedbacks.

Have a good day.