Unable to fetch mapping. do you have indices matching the pattern error

sanjays · April 25, 2017, 8:21am

Hello,

I am unable to configure an index pattern, experiencing following issue .

verified index in elastic search

[root@elk ~]# curl 'localhost:9200/_cat/indices?v'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open metricbeat-2017.53.25 uWyW-R6_RGq9CwVzS-aUKA 5 1 1242 0 1.3mb 1.3mb
yellow open metricbeat-2017.37.25 V1O1XmyZSUe6gFrNTXIEog 5 1 1243 0 1.3mb 1.3mb
yellow open filebeat-2017.00.25 FyvyzYINQkGV7T-rmmrdrw 5 1 4 0 40.7kb 40.7kb
yellow open winlogbeat-2017.27.24 o1pD0XTJReC_9lH8sCa3GQ 5 1 1 0 19.4kb 19.4kb

I appreciate any help.

LeeDr · April 26, 2017, 1:24pm

You have to change that logstash-* to a pattern that matches the index names you have in Elasticsearch. Then Kibana will query Elasticsearch to see if it finds indices that match and will return any date type fields so that you can select which one to use as the Time-field name (I almost always select @timestamp).

So for example, you would probably want to create 3 index patterns to match the data you have in Elasticsearch;
metricbeat-*
filebeat-*
winlogbeat-*

Type each of those patterns into the field that currently shows logstash-*, wait a second or two for Kibana to query Elasticsearch, then select the time-field value you want. and click Create button.

You could also create one like *beat-* which would allow you to search across all the indices. But those 3 beats will have very different fields in them so this index pattern would have limited uses and might just be confusing.

Regards,
Lee

sanjays · April 28, 2017, 5:20pm

Thanks for your help. I have changed pattern to match it's working now.

Thanks,
Sanjay

system · May 26, 2017, 5:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.