Winlogbeat error during setup

When running .\winlogbeat-7.8.1-windows-x86_64\winlogbeat.exe export index-pattern I'm getting the following error:

Error generating Index Pattern: field <user.domain> is duplicated.

I verified that this error goes all the way back to 7.4.0 (7.3.2 works).

Is there a work-around? I'm guessing I can remove one of the entries from fields.yml, but I'm not sure which.

@JohnLyman, I have downloaded 7.8.1 and ran the same command line, but I was able to generate the index pattern. Are there any previous steps you took before launching this command? @adrisr, are you familiar with an issue like this?

This is really weird because as far as I could test, Beats use the fields built into the binary, not the fields.yml file.

I don't have this problem with either the default or the OSS 7.8.1 distributions just downloaded from our page.

Where did you get that binary from?

Can you check the SHA256 sum of the winlogbeat.exe? I tested with:

51b16d6188ece0890e2481c969c94d666230a2a6d563e53ce96b18a8e7f6f61f  winlogbeat.exe
9043034f59b81fdf42381172b68f8b92ac8ac3ee3c50ec8d34dec2413f331adb  (oss) winlogbeat.exe

Also share your config, although I don't think config influences this.

No, I just downloaded the zip and ran that command. I did run with -c beats.yml.

Here's what that looks like:

migration.6_to_7.enabled: true
setup.ilm.enabled: false

setup.kibana.host: "https://kibana:5601"
setup.kibana.username: "elastic"
setup.kibana.password: "REDACTED"
setup.kibana.ssl.enabled: true

output.elasticsearch.hosts: "https://elastic"
output.elasticsearch.username: "elastic"
output.elasticsearch.password: "REDACTED"
output.elasticsearch.ssl.enabled: true
output.elasticsearch.enabled: true

logging.level: debug

winlogbeat:
  event_logs:
  - name: Application
  - name: Security
  - name: System

Maybe migration.6_to_7.enabled: true is the key.

Right, I can reproduce with:

winlogbeat export index-pattern -E migration.6_to_7.enabled=true

I will create an issue.
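
The two checks from this thread combined into one PowerShell triage script, as an added example that is not part of the original posts: it compares the binary's SHA256 against the two sums quoted above, then runs the export with the migration setting forced off and on. The `$Exe` path is an assumption taken from the first post's command line.

```powershell
# Added example: triage for the "field <user.domain> is duplicated" error.
# $Exe is an assumed path (the zip folder from the first post); adjust as needed.
$Exe = '.\winlogbeat-7.8.1-windows-x86_64\winlogbeat.exe'

# SHA256 sums quoted in the thread for the 7.8.1 default and OSS builds.
$Known = @{
    '51b16d6188ece0890e2481c969c94d666230a2a6d563e53ce96b18a8e7f6f61f' = 'default'
    '9043034f59b81fdf42381172b68f8b92ac8ac3ee3c50ec8d34dec2413f331adb' = 'oss'
}

$hash = (Get-FileHash -Path $Exe -Algorithm SHA256).Hash.ToLower()
if ($Known.ContainsKey($hash)) {
    Write-Host "Binary matches the $($Known[$hash]) 7.8.1 build from the thread."
} else {
    Write-Warning "Unrecognized SHA256 $hash; re-download before debugging further."
}

# Force the migration setting off and on with -E so the result does not
# depend on whatever the local config file contains.
foreach ($value in 'false', 'true') {
    $out = & $Exe export index-pattern -E "migration.6_to_7.enabled=$value" 2>&1 | Out-String
    $dup = [regex]::Match($out, 'field <([^>]+)> is duplicated')
    if ($dup.Success) {
        Write-Host "migration.6_to_7.enabled=$value -> duplicate field $($dup.Groups[1].Value)"
    } elseif ($LASTEXITCODE -ne 0) {
        Write-Host "migration.6_to_7.enabled=$value -> failed for another reason (exit $LASTEXITCODE)"
    } else {
        Write-Host "migration.6_to_7.enabled=$value -> index pattern generated"
    }
}
```

A known-good hash together with a failure only in the `true` run points at the migration setting rather than a damaged or altered download.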

What about this?

@adrisr ^

Also, is there a public github issue I can follow?

Yes, here's the issue: https://github.com/elastic/beats/issues/20521

And the fix PR: https://github.com/elastic/beats/pull/20540

Unfortunately I can't think of a quick workaround for you, other than building a new Winlogbeat binary with the change to winlogbeat/_meta/fields.common.yml from the above PR.

Thanks @adrisr
