Security Onion - Kibana - Unable to load tooltip content in Maps

Hi,

New here and new to Kibana. Any help greatly appreciated. So I have set up Security Onion 2.3, and I am using NetFlow to send logs from Meraki to Security Onion. I can see the logs, I can see the dots on the maps etc. When I come to do a document add-in, and all the tooltip options so I can view what clients are accessing certain areas (I assume that's how it works), I get a box up that says "unable to load tooltip content"; it states "Unable to find document_id".

I have no idea where to look or what to change without breaking something. Can anyone help?

Thanks

What version of Kibana are you running? Can you show how your map layer is configured?

Hi,

Not sure how to get that info, so I have uploaded a screenshot.

The Kibana version is v8.3.2 if I'm reading that correctly from within Elastic? How else can I tell the version of Kibana?

Thanks for your help so far!

Can you provide more details about data view ':so-*'? Is it an elasticsearch index? Is it rolled up index? Or data stream? Are you using cross cluster search?

Tooltip properties are fetched with a request that looks like the below. Can you try running the command below in Console. Swapping kibana_sample_data_logs for your elasticsearch index name, PoR9NoIBxuPCX5j4sJD_ with your document id, and clientip with your field name. What is the response?

POST kibana_sample_data_logs/_search
{
 "track_total_hits": false,
 "size": 1,
 "_source": false,
 "fields": [
  "clientip"
 ],
 "query": {
  "bool": {
   "must": [],
   "filter": [
    {
     "bool": {
      "filter": [
       {
        "bool": {
         "should": [
          {
           "match_phrase": {
            "_id": "PoR9NoIBxuPCX5j4sJD_"
           }
          }
         ],
         "minimum_should_match": 1
        }
       },
       {
        "bool": {
         "should": [
          {
           "match_phrase": {
            "_index": "kibana_sample_data_logs"
           }
          }
         ],
         "minimum_should_match": 1
        }
       }
      ]
     }
    }
   ],
   "should": [],
   "must_not": []
  }
 }
}
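As an added example (not code from the thread or from Kibana itself), the following Python script builds the same tooltip lookup body described above, so it can be sent from a script against a chosen index, document id and field, and then classifies the `_search` response the way the tooltip code does (empty `hits.hits` is what surfaces as "Unable to find document_id"). The host URL, the absence of authentication and the constructed sample response are assumptions for illustration.

```python
"""Reproduce the Kibana Maps tooltip lookup outside the UI (added example)."""
import json
import urllib.request


def tooltip_request(index: str, doc_id: str, fields: list[str]) -> dict:
    """Build the body Kibana POSTs to <index>/_search for a tooltip:
    one hit, no _source, only the requested fields, filtered by _id and _index."""
    def one_of(field: str, value: str) -> dict:
        return {"bool": {"should": [{"match_phrase": {field: value}}],
                         "minimum_should_match": 1}}
    return {
        "track_total_hits": False,
        "size": 1,
        "_source": False,
        "fields": fields,
        "query": {"bool": {
            "must": [], "should": [], "must_not": [],
            "filter": [{"bool": {"filter": [one_of("_id", doc_id),
                                            one_of("_index", index)]}}],
        }},
    }


def diagnose(response: dict, doc_id: str) -> str:
    """Classify a _search response: no hit means the _id/_index pair did not
    match, which is the condition behind 'Unable to find document_id'."""
    hits = response.get("hits", {}).get("hits", [])
    if not hits:
        return f"Unable to find document_id {doc_id}: no hit matched both _id and _index"
    hit = hits[0]
    if not hit.get("fields"):
        return f"found {doc_id} in {hit['_index']} but none of the requested fields exist"
    return f"found {doc_id} in {hit['_index']}: {hit['fields']}"


def run(host: str, index: str, doc_id: str, fields: list[str]) -> str:
    """Send the lookup to Elasticsearch (assumes no auth; adapt for your cluster)."""
    body = json.dumps(tooltip_request(index, doc_id, fields)).encode()
    req = urllib.request.Request(f"{host}/{index}/_search", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return diagnose(json.load(resp), doc_id)


if __name__ == "__main__":
    # Constructed sample response (no cluster needed): an empty hit list.
    print(diagnose({"hits": {"hits": []}}, "PoR9NoIBxuPCX5j4sJD_"))
```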

Hi, I'm very new to all this, so thanks for your time in helping.

So, is this code you are referring to?

POST /*%3Aso-*/_mvt/source.geo.location/5/15/10
{
  "grid_precision": 0,
  "exact_bounds": true,
  "extent": 4096,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2022-07-25T23:00:00.000Z",
              "lte": "2022-07-26T22:59:59.999Z"
            }
          }
        }
      ],
      "must": [],
      "must_not": [],
      "should": []
    }
  },
  "fields": [],
  "runtime_mappings": {},
  "track_total_hits": 10001,
  "with_labels": false
}

The above code is from here:

As for whether it is a rolled-up index, I have no idea; how would I find that out? The data is coming from my netflow module within filebeats.

If I have done this right, I've copied your code and amended it to this:

POST /*%3Aso-*/_mvt/source.geo.location/5/15/10
{
 "track_total_hits": false,
 "size": 1,
 "_source": false,
 "fields": [
  "client.ip"
 ],
 "query": {
  "bool": {
   "must": [],
   "filter": [
    {
     "bool": {
      "filter": [
       {
        "bool": {
         "should": [
          {
           "match_phrase": {
            "_id": "vatnOYIBzmT8Qkyo7A4i_"
           }
          }
         ],
         "minimum_should_match": 1
        }
       },
       {
        "bool": {
         "should": [
          {
           "match_phrase": {
            "_index": "/*%3Aso-*/_mvt/source.geo.location/5/15/10"
           }
          }
         ],
         "minimum_should_match": 1
        }
       }
      ]
     }
    }
   ],
   "should": [],
   "must_not": []
  }
 }
}
and I get this error:

{
  "error": "Incorrect HTTP method for uri [/*%3Aso-*%2F_mvt%2Fsource.geo.location%2F5%2F15%2F10?pretty=true] and method [POST], allowed: [HEAD, DELETE, PUT, GET]",
  "status": 405
}

So, is this code you are referring to?

No. That is a different request used to fetch the documents for a tile. You can tell by _mvt instead of _search in the path.

The inspector shows the requests for the data on screen, it does not show requests for fetching tooltip data.

What are the names of your indices in Elasticsearch? You can get this information by running GET /_cat/indices in console.