I am all very new to the ELK stack.
I am attempting to implement a risk-based score into my test environment. I have successfully set up alerts into the SIEM. However, when I go into the timeline, the displayed data views are my indices (I think that's the right word) and not the data views. This means I am getting no data into the timeline.
All of the "Data views" inside the image are actually indices
Any help would be appreciated.
I cannot find any other topics surrounding this issue.
Hi there @AndyBox2. Welcome to the Elastic community and thank you for reaching out with your question. What version of Kibana are you using? The following response is assuming you are on at least the 8.0 series.
Data views contain an index pattern. They can also have a descriptive title. As this is an optional field, in the Security Solution data view selector we display the index pattern itself and not the data view title (except for our default data view).
Here is an example data view called Steph's Data view with an index pattern of filebeat-*,packetbeat-*,auditbeat-*:
All of this aside, I don't think you need to create a new data view to see your alerts data in Timeline. The alerts index in the default space is named .alerts-security.alerts-default. This is part of the default security solution data view:
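As an added illustration (not code from the thread or from Elastic), the following checks whether a data view's index pattern, the string the Security Solution selector displays, actually covers the alerts index named above. The sample data views are constructed, the default security data view's pattern is an assumption modelled on 8.x defaults, and the check also handles "-" exclusion entries, which the answer does not mention.

```python
import fnmatch

# Alerts index for the default space, as named in the answer above.
ALERTS_INDEX = ".alerts-security.alerts-default"

# Constructed sample data views: title -> index pattern. The default security
# data view pattern is an assumption modelled on the 8.x defaults, not copied
# from any particular installation.
SAMPLE_DATA_VIEWS = {
    "Steph's Data view": "filebeat-*,packetbeat-*,auditbeat-*",
    "security-solution-default": (
        "auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,"
        "-*elastic-cloud-logs-*,.alerts-security.alerts-default"
    ),
}


def split_pattern(pattern):
    """Split a comma-separated Kibana index pattern into its entries."""
    return [p.strip() for p in pattern.split(",") if p.strip()]


def covers(pattern, index):
    """True if `pattern` includes `index`.

    Entries use '*' wildcards; an entry prefixed with '-' excludes any index
    it matches, even if another entry included it.
    """
    included = False
    for entry in split_pattern(pattern):
        if entry.startswith("-"):
            if fnmatch.fnmatchcase(index, entry[1:]):
                return False
        elif fnmatch.fnmatchcase(index, entry):
            included = True
    return included


def data_views_covering(data_views, index=ALERTS_INDEX):
    """Return the titles of data views whose pattern includes `index`."""
    return [title for title, pattern in data_views.items() if covers(pattern, index)]


if __name__ == "__main__":
    for title in data_views_covering(SAMPLE_DATA_VIEWS):
        print(f"{title} covers {ALERTS_INDEX}")
```

If the data view selected in Timeline is not in the returned list, the alerts index is simply not part of its pattern, which is the situation described in the question.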