Search for IP address does not return results

I'm trying to search for an IP (example query on search page: 127.0.0.1) in the filebeat-* index, and the results indicate 0. If I put *.ip:127.0.0.1 it works fine (I get results with destination and source IPs). Appears to be the same with KQL or Lucene.

My concern and question is, shouldn't Kibana be searching all fields if I don't specify one? I'm running Kibana 7.6.1.

Hello

Thanks for your question. By default, if you do not have any search criteria in the search bar, it shows the data polled for the last hour. I just installed sample data and saw this.

Is that what you see?

Thanks
Rashmi

It's not an issue with the time range.

I believe the issue is that the various source.ip/destination.ip fields are not listed in the filebeat template query default_field list. I'm not sure why though.

Relevant issues -


Thanks for posting those links, really helpful. Also copying our infra docker expert @jarpy for more insights into this. He will get back to you when he has some time.

Thanks
Rashmi

It's a little bit out of my domain, but I think that @opoplawski is on the right track with those issues. We should see if we can get the Beats team to address them.
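An added example, not part of the thread and not Beats or Kibana code: a check for the cause suggested above, that ip-typed fields are missing from the index's `index.query.default_field` list, so a search with no field name never looks at them. The settings and mapping below are constructed samples shaped like the output of `GET <index>/_settings` and `GET <index>/_mapping`; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample data (assumption): a trimmed settings body and mapping.
SETTINGS = {"index": {"query": {"default_field": ["message", "host.name", "source.address"]}}}
MAPPING = {"properties": {
    "message": {"type": "text"},
    "host": {"properties": {"name": {"type": "keyword"}, "ip": {"type": "ip"}}},
    "source": {"properties": {"address": {"type": "keyword"}, "ip": {"type": "ip"}}},
    "destination": {"properties": {"ip": {"type": "ip"}}},
}}

def flatten(properties, prefix=""):
    """Yield (dotted_field_name, type) for every leaf field of a mapping."""
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:
            yield from flatten(spec["properties"], path + ".")
        else:
            yield path, spec.get("type", "object")

def default_fields(settings):
    """Return default_field as a list; Elasticsearch falls back to '*' when unset."""
    value = settings.get("index", {}).get("query", {}).get("default_field", "*")
    return [value] if isinstance(value, str) else list(value)

def covered(field, patterns):
    """True if the field matches a default_field entry ('*' is the only wildcard)."""
    return any(re.fullmatch(".*".join(map(re.escape, p.split("*"))), field)
               for p in patterns)

def uncovered(settings, mapping, field_type="ip"):
    """Fields of the given type that a search without a field name will skip."""
    patterns = default_fields(settings)
    return sorted(f for f, t in flatten(mapping["properties"])
                  if t == field_type and not covered(f, patterns))

def explicit_query(ip, fields):
    """query_string body that names its fields instead of using default_field."""
    ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP
    return {"query": {"query_string": {"query": f'"{ip}"', "fields": list(fields)}}}

if __name__ == "__main__":
    missing = uncovered(SETTINGS, MAPPING)
    print("ip fields skipped by a bare search:", missing)
    print(explicit_query("127.0.0.1", missing))
```
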
