Elastic Stack 5.4, running a lab, forwarding 400, 500, and 501 events -- but I can't see event_data.param3.keyword as a dashboard option --
On Discovery I can see event_data.param3 but not event_data.param3 keyword...
and then under Management param3.keyword says it isn't searchable or aggregatable...
It looks as if you do not have the provided index template installed for the Winlogbeat. See https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-template.html.
Yep, that was it... thanks Andrew I'm sure we'll have another question here soon.
This is awesome!
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
