How can I update the index_id associated to a visualisation?
I first enabled the Suricata Module from Filebeat and all the dashboard and visualisations were loading correctly. (Output to Elasticsearch and Kibana)
Due to changes in the data I was sending from Beats, I had to delete and create a new index but now created from Logstash. (Filebeat -> Logstash -> Elasticsearch). Since this new index was created, I can't load any visualizations.
I have recreated the index using the same name but I believe the visualisation is linked to the previous index_id. I can also see the logs coming through on the 'explore' view.
I have also reloaded the Suricata module from filebeat which I believe should reload the visualisations to the right index. Before reloading the module, I deleted the filebeat index and kibana index but I’m still having the same issue.
In the 'SIEM' view, the Suricata logs are detected correctly as you can see here:
I have also tried to export the visualization from the saved objects but I'm getting this error in Kibana:
{"type":"response","@timestamp":"2019-09-21T06:23:24Z","tags":,"pid":7,"method":"post","statusCode":400,"req":{"url":"/api/saved_objects/_export","method":"post","headers":{"host":"kibanamydomain.com:5601","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0","accept":"/","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","referer":"http://kibanamydomain.com:5601/app/kibana","kbn-version":"7.3.2","content-type":"application/json","origin":"http://kibanamydomain.com:5601","content-length":"115","connection":"keep-alive"},"remoteAddress":"192.168.1.101","userAgent":"192.168.1.101","referer":"http://kibanamydomain.com:5601/app/kibana"},"res":{"statusCode":400,"responseTime":46,"contentLength":9},"message":"POST /api/saved_objects/_export 400 46ms - 9.0B"}
Filebeats 7.3.2
Kibana 7.3.2
Elasticsearch 7.3.1
Any help will be much appreciated.
Thanks
Camilo.