Now from within Kibana, when I go to the Winlogbeat dashboard I see this message at the top, and the main window doesn't show as much info as I am used to from previous versions.
"Visualize: Fielddata is disabled on text fields by default. Set fielddata=true on [log_name] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory."
Not sure if this is related, but I believe I need to load the template manually if I am using LS (which I am).
Yes, that error would occur if the template is not loaded. So follow the instructions from that link to load the template.
You should probably stop Winlogbeat first, delete the registry file (C:/ProgramData/winlogbeat/registry IIRC), delete the winlogbeat-* indices from ES, install the template, and restart Winlogbeat.
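The reset procedure above, written out as a PowerShell sequence; this is an added example, not a script from the thread or from the Winlogbeat project. It assumes Elasticsearch 5.x at http://localhost:9200 with no authentication, Winlogbeat installed in C:\Program Files\Winlogbeat, the 5.x registry file at C:\ProgramData\winlogbeat\.winlogbeat.yml, and the shipped template's `_default_` mapping layout.

```powershell
# Added example: recreate the Winlogbeat 5.x index template when events go through
# Logstash (Winlogbeat only loads the template itself when it writes to ES directly).
# Assumed locations (adjust to your install):
$es       = 'http://localhost:9200'
$beatDir  = 'C:\Program Files\Winlogbeat'
$registry = 'C:\ProgramData\winlogbeat\.winlogbeat.yml'

# 1. Stop the shipper so no new documents land in an index without the template mapping.
Stop-Service -Name winlogbeat

# 2. Remove the registry so already-collected event log records are re-sent after the reset.
if (Test-Path $registry) { Remove-Item $registry }

# 3. Drop the dynamically mapped indices; their text-typed fields are what raised the
#    "Fielddata is disabled on text fields" error in the Kibana visualizations.
Invoke-RestMethod -Method Delete -Uri "$es/winlogbeat-*"

# 4. Install the template shipped with Winlogbeat.
Invoke-RestMethod -Method Put -ContentType 'application/json' `
    -InFile (Join-Path $beatDir 'winlogbeat.template.json') `
    -Uri "$es/_template/winlogbeat"

# 5. Verify the field from the error message is a keyword, so aggregations work
#    without fielddata (assumes the 5.x template's _default_ mapping layout).
$tpl  = Invoke-RestMethod -Uri "$es/_template/winlogbeat"
$type = $tpl.winlogbeat.mappings._default_.properties.log_name.type
if ($type -ne 'keyword') { throw "unexpected mapping for log_name: '$type'" }

# 6. Start shipping again; the next winlogbeat-* index is created from the template.
Start-Service -Name winlogbeat
```

Check the Kibana visualizations only after the first new daily index exists; indices created before step 4 keep their old mapping.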
Yes thanks.
I ran this command from within PowerShell, then deleted the winlogbeat* index, stopped the winlogbeat service, deleted the .winlogbeat.yml file, and then started the service, and now it's working. Thanks.
Just one more Q: I heard that the Winlogbeat dashboard in v5.x was much better than those supplied in 2.x, but they look the same to me?
The example dashboard is the same, but the underlying data provided by Winlogbeat 5 is much richer, which enables you to create some great dashboards or alerts yourself. The data from v5 contains the raw parameters used by the application when it created the event log record. This data is found in event_data.*. Previously, in v1, you would have had to grok the message field to extract this data before you could make use of it.