Searching Does not Return Results - Challenge

Not really as I can't reproduce anything with that.

What is the source of the data? How did you inject it?

We're using Filebeat and the o365.yml file.
I can successfully search using o365.audit.ExtendedProperties.RequestType:"OAuth2:Token" and get results. I can search using persons_name@somecompanyemail.com and that works fine. I don't understand why "OAuth2:Token" would not work.

I don't know exactly how this module works.

If you can reproduce that behavior with a reproduction script like the one I shared, that would help us help you.

Otherwise, you can ask in #elastic-stack:beats using the #filebeat tag and someone might be able to help or say if it's a bug.

I will have to work on using a script.

I haven't had a chance to look at the scripting.

I haven't had a chance to learn to use the script as requested.

I posted in the suggested forum: Searching Does not Return Results - Challenge. I don't think I will get to the scripting anytime soon.

I have not received a reply in the alternative forum.

You asked the exact same question.

And as @warkolm and I asked, you need to provide enough information so we understand what you are doing and how exactly.

Again, my recommendation would be to provide a full recreation script as described in About the Elasticsearch category. It will help to better understand what you are doing. Please try to keep the example as simple as possible.

A full reproduction script is something anyone can copy and paste into the Kibana dev console and run by clicking the run button to reproduce your use case. It will help readers to understand, reproduce and, if needed, fix your problem. It will also most likely help to get a faster answer.

Does anyone use Kibana for searching data in Elastic? I'm putting a search term in the Kibana search box, sort of like what one would do if he or she were searching using Google. Is it possible to put data in Elastic in a way where it can't be found?
