Please refer to the link for the problem history. Since the title no longer fits the questions now that I have dug further into the problem, maybe it is better to rephrase.
I got Filebeat to feed the Apache access and error logs to Elasticsearch. It is awesome, and the dashboard provided by Filebeat is great as well.
However, when I filter to show only data from the error log, the map becomes empty. After some investigation, I found that the Visualize request has a filter that queries the "access" log only, and that is why the map is empty when I look for the error log.
The filter looks like this:
    "bool": {
      "should": [
        {
          "match": {
            "event.dataset": "apache.access"
          }
        }
      ],
But I cannot find any filters configured in the Visualize. So:
- How can I remove the filter from the Visualize?
- Why on earth does Elasticsearch set a filter on this (I am using the provided dashboard)? Should we also care about where those clients are located even though the requests were denied?