Saved "field" parameter is now invalid. Please select a new field

Hello everybody,

I am setting up ILM and I am getting an error in Kibana dashboards: Saved "field" parameter is now invalid. Please select a new field.

Here are the steps that I followed:

Create ILM policy:

PUT _ilm/policy/hot-warm-cold-delete-60days-policy
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": {
            "max_size":"20gb",
            "max_age":"30d"
          },
          "set_priority": {
            "priority": 50
          }
        }
      },
      "warm": {
        "actions": {
          "forcemerge": {
            "max_num_segments": 1
          },
          "shrink": {
            "number_of_shards": 1
          },
          "allocate": {
            "require": {
              "data": "warm"
            }
          },
          "set_priority": {
            "priority": 25
          }
        }
      },
      "cold": {
        "min_age": "30d",
        "actions": {
          "set_priority": {
            "priority": 0
          },
          "freeze": {},
          "allocate": {
            "require": {
              "data": "cold"
            }
          }
        }
      },
      "delete": {
        "min_age": "60d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}

Create a template:


PUT _template/winlogbeat
{
  "index_patterns": ["winlogbeat-*"], 
  "settings": {
    "number_of_shards": 40,
    "number_of_replicas": 1,
    "index.lifecycle.name": "hot-warm-cold-delete-60days-policy",  
    "index.lifecycle.rollover_alias": "winlogbeat"
  }
}

Bootstrap the first index:

PUT winlogbeat-000001
{
  "aliases": {
    "winlogbeat": {
      "is_write_index": true
    }
  }
}

Winlogbeat.yml configuration:

setup.ilm.enabled: auto
setup.ilm.rollover_alias: "winlogbeat"
setup.ilm.pattern: "000001"
setup.ilm.policy_name: "hot-warm-cold-delete-60days-policy"
setup.template.name: "winlogbeat"
setup.template.pattern: "winlogbeat-*"
setup.template.overwrite: true
setup.template.settings:
  index.number_of_shards: 40
  index.number_of_replicas: 1

Run Winlogbeat:

.\winlogbeat.exe setup -e
Start-Service winlogbeat

Could someone tell me where the mistake is here, please?
Thanks!

What does the following Elasticsearch API call return?

GET _cat/templates/win*

Shaunak

Thanks for your answer, @shaunak.
When I run:

GET _cat/templates/win*

I get this output:

winlogbeat [winlogbeat-*] 1  

Great. Next, let's look at the contents of that index template:

GET _template/winlogbeat

Also, I forgot to ask before: what versions of Winlogbeat and Elasticsearch are you running?

Thanks,

Shaunak

Hello,
I am using Elasticsearch from source code, so it's 8.0, with Winlogbeat 7.8.0.

When I run:

GET _template/winlogbeat

I get this output (I am sorry to use an image, because the number of characters is limited):

I tried these steps:

1- Re-index the data:

POST _reindex
{
  "source": {
    "index": "winlogbeat-000001"
  },
  "dest": {
    "index": "winlogbeat-000002"
  }
}

2- Point the new index to the alias:

POST _aliases
{
  "actions": [
    { "add": {
          "alias": "winlogbeat",
          "index": "winlogbeat-000002"
        }}
      ]
}

3- Stop Winlogbeat: Stop-Service winlogbeat
4- Set up the dashboards again: .\winlogbeat.exe setup --dashboards
5- Start Winlogbeat: Start-Service winlogbeat
6- Refresh the Winlogbeat index from Kibana

Now the dashboards are working; I still just have one error in one dashboard:

Could not locate that index-pattern-field (id: winlog.event_data.OldTargetUserName)

I tried to use Winlogbeat 7.8.1 from source code, and I had the same issue, and when I try the same method that I used with Winlogbeat 7.8.0, some dashboards don't work.
I have 2 errors:

Could not locate that index-pattern-field (id: winlog.logon.id)

and

Could not locate that index-pattern-field (id: winlog.event_data.OldTargetUserName)

Could someone help me with these errors, please?

Thanks
