There is no data to display

Hello World!

I'm trying out the Infrastructure (infra) Kibana app, yet I'm getting the following message:

There is no data to display.

metricbeat-* exists with some data in it (mostly from system module)

Please advise.

Hello @alexus :slight_smile:

How are you sending your data to elasticsearch, with metricbeat or through logstash? The UI relies on the correct index template to be used for the metricbeat-* indices, which should work out of the box when you use metricbeat, but might need some extra setup when you use logstash.

In detail, we rely on certain fields containing strings being of type keyword (not text). To check if that could be the cause of your problem, could you give us a sample of the output when querying

/metricbeat-*/_mapping/doc/field/beat.hostname

on your Elasticsearch API?

Data is being shipped by metricbeat directly into elasticsearch, and the template metricbeat-6.6.0 is in place.

GET /metricbeat-*/_mapping/doc/field/beat.hostname
{
  "metricbeat-6.6.0-2019.02.08" : {
    "mappings" : {
      "doc" : {
        "beat.hostname" : {
          "full_name" : "beat.hostname",
          "mapping" : {
            "hostname" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            }
          }
        }
      }
    }
  }
}

Looks like the index templates are not installed correctly for metricbeat-*. Are you sending Metricbeat through Logstash or Kafka or some other intermediary? The only reason I ask is when Metricbeat starts sending data it creates an index template for metricbeat-*. You might have to manually run metricbeat setup before you start indexing through an intermediary.

This link to our documentation goes into detail... https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-template.html

As I mentioned in my previous comment, metricbeat ships events directly into elasticsearch and the template is there as well:

# curl --silent --request GET $ELASTICSEARCH_URI/_cat/templates/metricbeat-*
metricbeat-6.6.0 [metricbeat-6.6.0-*] 1 
#

I went to Kibana -> Management -> Saved Objects and removed everything related to *beat, followed by deleting the relevant templates as well, then I re-ran setup and now it seems to be working fine)

Awesome! I'm glad we could get you pointed in the right direction.

I had the exact same issue. Lots of metricbeat data is in our cluster and the kibana index mapping metricbeat-* exists. The Infra UI waffle map worked just fine in v6.5.4 and previous versions but after upgrading to v6.6.1 the Infra UI would not display any data for me.

To fix, I needed to manually add in a setting override in my /etc/kibana/kibana.yml configuration file:

xpack.infra.sources.default.fields.host: 'beat.hostname'

Once I added in this setting and restarted the Kibana instances the Infra UI waffle map appeared showing metricbeat data as expected.

I wonder if the reason why this is occurring is because we still have a few different versions of Metricbeat in use in our fleet (v6.5.4, v6.5.2, v6.4, and so on)? Overriding the default host field in the kibana.yml seems to correct whatever the root cause is.

I'll report this issue in a support ticket to my rep :slight_smile:

The problem here is that the index templates aren't installed correctly in 'metricbeat-*'. Try to correct it and you should get this solution.

I have a similar problem again after I upgraded to 7.0.0. I can see the metricbeat stats on the main Infrastructure UI but when I click View metrics, it doesn't show anything. Is there any way to debug this? Thanks!

Do you know what version your data is? If it's older than 6.7 you are probably missing the event.dataset field. You can check this by running the following query in the dev console:

POST metricbeat-*/_search
{
  "size": 0,
  "aggs": {
    "events": {
      "terms": {
        "field": "event.dataset",
        "size": 10
      }
    }
  }
}

The aggregation returned should have document counts for multiple event.dataset terms. If that field doesn't exist then the Metric detail page won't display. One option would be to re-index the data and combine the metricset.module and metricset.name fields to create a new event.dataset field (make sure the type is set to keyword in the mappings). The format should look like {metricset.module}.{metricset.name}, for example when metricset.module equals system and metricset.name equals cpu, the event.dataset field would be set to system.cpu.

For your reference and future troubleshooting, we have also documented the required fields for the Infrastructure UI at https://www.elastic.co/guide/en/infrastructure/guide/current/install-infrastructure-monitoring.html

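The keyword-versus-text check that comes up twice in this thread (beat.hostname earlier, event.dataset in the reply above) can be run over a saved field-mapping response. This is an added example, not code from any participant or from Elastic; the function names and the second sample index are assumptions, and the sample is constructed from the response posted earlier.

```python
import json

# Constructed sample. The first index mirrors the beat.hostname mapping posted
# earlier in the thread; the second is a hypothetical correctly templated index.
SAMPLE = json.loads("""{
 "metricbeat-6.6.0-2019.02.08": {"mappings": {"doc": {
   "beat.hostname": {"full_name": "beat.hostname", "mapping": {"hostname": {
     "type": "text",
     "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}}}}}},
 "metricbeat-example": {"mappings": {"doc": {
   "beat.hostname": {"full_name": "beat.hostname",
                     "mapping": {"hostname": {"type": "keyword"}}},
   "event.dataset": {"full_name": "event.dataset",
                     "mapping": {"dataset": {"type": "keyword"}}}}}}
}""")


def field_entries(mappings):
    """Yield field entries from 6.x typed or 7.x typeless responses."""
    for value in mappings.values():
        if isinstance(value, dict) and "mapping" in value and "full_name" in value:
            yield value                       # mappings -> field
        elif isinstance(value, dict):
            yield from field_entries(value)   # mappings -> doc -> field


def non_keyword_fields(response, required):
    """Return {index: {field: problem}} for fields not mapped as keyword."""
    problems = {}
    for index, body in response.items():
        leaves = {}
        for entry in field_entries(body.get("mappings", {})):
            # "mapping" holds one key: the last segment of the field name.
            leaves[entry["full_name"]] = next(iter(entry["mapping"].values()), {})
        for field in required:
            leaf = leaves.get(field)
            if leaf is None:
                issue = "unmapped"
            elif leaf.get("type") == "keyword":
                continue
            else:
                subs = ", ".join(sorted(leaf.get("fields", {}))) or "none"
                issue = f"type {leaf.get('type')} (sub-fields: {subs})"
            problems.setdefault(index, {})[field] = issue
    return problems


if __name__ == "__main__":
    print(non_keyword_fields(SAMPLE, ["beat.hostname", "event.dataset"]))
```

A field reported as `text` with a `keyword` sub-field is what dynamic mapping produces for strings, so it points to an index created without the Metricbeat template applied.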

Hi @simianhacker, thanks for the response. I ran it and got the following result:

{
  "took" : 7291,
  "timed_out" : false,
  "_shards" : {
    "total" : 82,
    "successful" : 82,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 10000,
      "relation" : "gte"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "events" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 46714,
      "buckets" : [
        {
          "key" : "system.process",
          "doc_count" : 26750955
        },
        {
          "key" : "system.network",
          "doc_count" : 12137510
        },
        {
          "key" : "system.load",
          "doc_count" : 3379313
        },
        {
          "key" : "system.cpu",
          "doc_count" : 3379286
        },
        {
          "key" : "system.memory",
          "doc_count" : 3379218
        },
        {
          "key" : "system.process_summary",
          "doc_count" : 3355753
        },
        {
          "key" : "system.filesystem",
          "doc_count" : 1836354
        },
        {
          "key" : "system.socket_summary",
          "doc_count" : 870837
        },
        {
          "key" : "system.fsstat",
          "doc_count" : 563302
        },
        {
          "key" : "system.uptime",
          "doc_count" : 37592
        }
      ]
    }
  }
}

Does that mean that the field exists?

Can you run the same query but filter for the host you're trying to view?

POST metricbeat-*/_search
{
  "size": 0,
  "query": {
    "match": {
      "beat.hostname": "HOST_NAME_GOES_HERE"
    }
  }, 
  "aggs": {
    "events": {
      "terms": {
        "field": "event.dataset",
        "size": 10
      }
    }
  }
}

Also is there a way to post a REDACTED screen shot (with the sensitive data blurred out)? I have some 6.5 data that I added the event.dataset field to that is working on my laptop, we should be able to get this working for you.

Hi @simianhacker, I have run that query and here is the result:

 {
  "took" : 5950,
  "timed_out" : false,
  "_shards" : {
    "total" : 82,
    "successful" : 82,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 10000,
      "relation" : "gte"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "events" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 33302,
      "buckets" : [
        {
          "key" : "system.process",
          "doc_count" : 1820326
        },
        {
          "key" : "system.network",
          "doc_count" : 617868
        },
        {
          "key" : "system.cpu",
          "doc_count" : 308935
        },
        {
          "key" : "system.load",
          "doc_count" : 308935
        },
        {
          "key" : "system.memory",
          "doc_count" : 308934
        },
        {
          "key" : "system.process_summary",
          "doc_count" : 279075
        },
        {
          "key" : "system.socket_summary",
          "doc_count" : 174134
        },
        {
          "key" : "system.filesystem",
          "doc_count" : 102992
        },
        {
          "key" : "system.fsstat",
          "doc_count" : 51495
        },
        {
          "key" : "system.process.summary",
          "doc_count" : 29859
        }
      ]
    }
  }
}

Does that mean it should be working?

I suppose I don't need to blur anything as it doesn't have any sensitive data.

You seem to have everything in place. I'm not sure why this isn't working. Let me think about it some more and see if I can figure this one out.

@aqiank Can you open the developer console (in Chrome) and let me know if there are any errors?

I wonder if it's related to this issue? https://github.com/elastic/kibana/issues/36061#issuecomment-489243870

Hi @simianhacker,

I have found the following errors in Chrome:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'nonce-4MnCvXbChcwkyN2p'". Either the 'unsafe-inline' keyword, a hash ('sha256-SHHSeLc0bp6xt4BoVVyUy+3IbVqp3ujLaR+s+kSP5UI='), or a nonce ('nonce-...') is required to enable inline execution.

bootstrap.js:10 ^ A single error about an inline script not firing due to content security policy is expected!
