[Winlogbeat 7.10.1 dashboards]: could not locate some index pattern fields

Abdelhalim · December 31, 2020, 1:24pm

Hello,

I am using Elasticsearch, kibana and winlogbeat, all version 7.10.1

I configured winlogbeat and run: .\winlogbeat.exe setup -e and I had no error in my winlogbeat logs, but in kibana there are some dashboards working and some of them I am getting errors:

Could not locate that index-pattern-field (id: powershell.connected_user.name)
Could not locate that index-pattern-field (id: powershell.engine.version)
Could not locate that index-pattern-field (id: powershell.command.name)
Could not locate that index-pattern-field (id: powershell.provider.name)

Could you tell please how to solve these errors

Thanks

ethical20 · January 19, 2021, 10:40am

Having same issue here, did you managed to solve this out? Please let me no.

Regards,

Abdelhalim · January 19, 2021, 10:54am

Hi @ethical20,

Till now I didn't find out how to solve this errors, I will keep you updated if I find something
It could be cause I am not running powershell command in my machines, but in this case it should display 0 and not error, so a little bit confusing

Best regards

ethical20 · January 19, 2021, 11:02am

Thanks @Abdelhalim

Have you tried to rerun this .\winlogbeat.exe setup -e as listed here :

https://www.elastic.co/guide/en/beats/filebeat/current/could-not-locate-index-pattern.html

I couldn't manage to rerun this as it needs direct connection to elasticsearch and not logstash which is something I'm having trouble with. So if this run from your side with no errors please let me know.

Also I found this where we can add them manually, but honestly am not expert in this and I'm afraid to break things up.

https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-put-mapping.html

Good Luck.

Regards,

Abdelhalim · January 19, 2021, 11:10am

I already tried .\winlogbeat.exe setup -e as I mentionned it in my first post, it worked correctly and I hadn't any error in my logs, the only problem is in the dashboards.

I couldn't understand why you couldn't run again the command ! if you have some errors in your logs, you can show them, and maybe I can help you

ethical20 · January 19, 2021, 3:28pm

update: I was able to run the command again , ingested the template and Kibana dashboards but unfortunately this didn't solve the main issue.

Still the number of fields in the index pattern the same with missing ones!