Hello all. I just upgraded the Elastic stack we have across the board to 7.10. Logstash and 5 Elastic nodes with auditbeat, metricbeat, and filebeat. After upgrade I took the necessary steps and stopped the output to Logstash, used the setup utility for each beat, made a connection to elasticsearch directly and loaded the new templates as well as the default dashboards.
Everything went well, but I think I am missing something or didn't do something correctly in Kibana, because afterwards, I went into Kibana and we have existing index patterns (auditbeat-, filebeat-, and metricbeat-)... so I made new ones and called them (auditbeat-7.10-, etc ,etc), and they matches the new indices that was made (metricbeat-7.10.0-timestamp)... after i did this, it didn't really work and a couple of strange things happened:
-
The ingestion worked fine but it's writing all the beats to the old 7.9.3 indices that were in use before the upgrade!
-
It made a duplicate of the index patterns...so now there are (2) two filebeat-, (2) two auditbeat-, etc... one of them has an error and is empty but the other is fine.
How would I go about cleaning this up and writing the new 7.10 data to the new index templates, etc. (which have far more fields and no mapping conclicts) as well as get rid of the bad index-pattern? I am afraid to delete any of the metricbeat-* type index patterns because of being tied with the dashboards, etc. with UUID's..
Thanks!