[Winlogbeat 7.10.1 dashboards]: could not locate some index pattern fields

Elastic Stack Kibana
#1

Hello,

I am using Elasticsearch, kibana, logstash, and winlogbeat, all version 7.10.1

I configured winlogbeat and run: .\winlogbeat.exe setup -e and I had no error in my winlogbeat logs, but in kibana there are some dashboards working and some of them I am getting errors:

Could not locate that index-pattern-field (id: powershell.connected_user.name) 
Could not locate that index-pattern-field (id: powershell.command.name)

The issue here is that the fields are not found in the index pattern.

image
image1341×673 32.3 KB

  • Also when trying to test some PowerShell commands on the beats clients I can see that they are not listed / counted in Kibana!

image
image1120×243 16.3 KB

Any help is really appreciated.

Regards,

#2

I think you need to click the refresh button on your Kibana index pattern- if I remember correctly, this is not automatically done with the setup command. Index patterns will automatically refresh starting in 7.11, but not yet.

#3

Thanks @wylie
unfortunately refreshing the index pattern didn't help in this, can you please tell if I can add them (the fields) manually and how?

#4

If you refreshed your index pattern and it's still missing fields, then that means you have a more basic problem. Are you sure that winlogbeat is set up correctly? Have you validated that you are seeing data from winlogbeat in Elastisearch?

#5

yes @wylie I've set up winlogbeat as listed in the documentation, also I've run the command

.\winlogbeat.exe setup -e

again in order to reship the assets (dashboards and index) as advised but with no luck.

Also yes I can see the logs in elasticsearch and most of the visualizations are ok, only the ones I've mentioned.

image
image1869×350 52 KB

I can see that other people having same issue here:

Any help in this?

Regards,

#6

Okay, I see. Maybe the built-in dashboards are buggy, or maybe there is a bug in the winlogbeat collection of data. I think asking in the Beats forum like the one you posted will be the right place to look for help.

#7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.