Precreated dashboards - no results found - different columns

Elastic Stack Kibana
1

Hello, I'm using Kibana 5.4.0 and I've imported dashboards with (filebeat util) /usr/share/filebeat/scripts/import_dashboards (it downloaded beats-dashboards-5.4.0.zip).

Problem is that fields in Elasticsearch (added with Logstash) are different than those in dashboards.
I'm sending logs from clients with Filebeat, processing them with Logstash and saving into Elasticsearch.
In Kibana I'm using filebeat-* mapping.

For example field system.syslog.hostname:

but in index there is syslog_hostname:

Dashboard are empty then (yes, I have 90 days ago selected so range is not problem):

image.png820×340 17.3 KB

What should I do to have dashboards working? Thanks.

2

Hi,
Can't you simply rename the fields in the logstash filter so that they match those from the dashboard?
For example :

filter {
  mutate {
    rename => { "syslog_hostname" => "[system][syslog][hostname]" }
  }
}

I'm not entirely sure on the nested syntax but I tihnk it would be something like this

3

I can rename them, yes, thank you for suggestion. But is it neccessary? Why are columns different? system.syslog.hostname is from filebeat documentation; why is it changed in logstash?

4

I have similar issues, even with the correct hostnames.

I see all the available fields, I can see file beats actually pushing the syslog, but the dashboard shows nothing?

June 13th 2017, 09:35:44.714 { "@timestamp": "2017-06-13T08:35:44.714Z", "offset": 5970, "@version": "1", "input_type": "log", "beat": { "hostname": "ip-172-31-33-241", "name": "ip-172-31-33-241", "version": "5.4.0" }, "host": "ip-172-31-33-241", "source": "/var/log/syslog", "message": "Jun 13 08:35:44 ip-172-31-33-241 systemd[1]: Stopping filebeat...", "type": "log", "tags": [

Then I load the dashboard, I get "No results found"

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.