Could not locate that index-pattern (id: logstash-*) about kts6 HOT 19 OPEN

The default index, logstash-, was created and selected prior to opening the dashboard. I re-loaded the templates (./load.sh) to reinitialize and was required to reset the default index, which I did, to the same, logstash-

The same error, 'Could not locate that index-pattern (id: logstash-*), click here to re-create it
' is still reported after the above.

I then recreated the logstash-* index (it says "click here to recreate" in the dashboard even though there is no place to click here) and that did not work.

from kts6.

While adding the 'logstash-' index I selected 'Advanced Options' (in the 2nd step where the time filter is added) and entered 'logstash-' into the Custom Index Pattern.

from kts6.

from kts6.

There is not much of a background. Selected a KTS6 dashboard, e.g. SN-ALL, and the error is visible in several panels. Same result in other dashboards.

Again, the 'logstash-*' index shows results in the the Discover tab so it is unclear why these dashboards are producing an error stating that they could not locate the same index pattern that is selected in the Discover tab.

from kts6.

from kts6.

What is your default index in Kibana?

from kts6.

As noted above, it is:
logstash-*

from kts6.

Which ELK stack are you using ?
I am not sure i understand - you mention the default index is already set logstash-* , but Kibana can not find it? sounds strange.

from kts6.

6.3.2. As noted above, the Discover tab in Kibana shows documents indexed under the 'logstash-*' index. It is the dashboards that are producing the error.

from kts6.

from kts6.

Given that the KTS6 templates are being loaded, and there is only a master branch and no tags in this repository, does it matter which version of Kibana 6 I'm running? Also, it is actually Kibana version 6.2.3 as there is a typo in my previous reply.

I'm using the following commit of KTS6:
commit a8c8ff8
Author: Peter Manev [email protected]
Date: Fri Nov 9 04:13:38 2018 -0800

dashboards: Adjust time span for SN-TLS to the default "now-24hr"

Were there changes between that commit and the latest which may have affected the issue?

I would prefer not to upgrade to 6.4 and 6.5 because that then requires upgrades to shippers such as filebeat, Is there a change between 6.2 and 6.4/5 that would affect the issue?

from kts6.

Thank you for confirming - i wanted to make sure you are on the latest commit.

I tried to reproduce your issue on Kibana 6.5 - and could not. I have not tested import on every single Kibana version from 6.x.x to the current 6.5 but have not experienced or am aware of similar err like you are getting on 6.3/4.x - hence suspecting it may be related to the Kibana version or something with the set up.

Is there anything specific to your set up? (or is it similar to the one in SELKS - ELK stack on the same machine etc...)

from kts6.

Adding onto that - KTS6 would most likely need some logstash template like that here - https://github.com/StamusNetworks/SELKS/blob/SELKS5/staging/etc/logstash/conf.d/logstash.conf

from kts6.

Upgrading to 6.4.2 resolved the issue. Thank you. Your suggestions were helpful in resolving the issue.

from kts6.

The root cause of the issue was not the Kibana version (although it may be related but I did not retest on the previous version) but rather that the 'Custom Index Pattern' under advanced options when creating the 'logstash-' index also needs to be set as 'logstash-.' Otherwise a UUID will be created for the index resulting in the dashboards not recognizing the index.

Please update the README file because the documentation only states, "You would need to select logstash-* as a default index once you open any dashboard for the first time after initial load/import.", and does not state that it also needs to be set in the advanced options during index creation.

from kts6.

Can you please list the exact steps you followed to make it work in your set up ?

from kts6.

I just ran into this issue, not sure I fully understand what @alphaDev23 did to resolve the issue.

I used the load.sh per the instructions, I see the list in kibana, when I attempt to select logstash-* per the installation instructions, I receive the following message in a toast lower right corner.

Saved object is missing

Could not locate that index-pattern (id: index-patternlogstash-), click here to re-create it

I click re-create it, and nothing happens.

from kts6.

from kts6.

This was user error on my part... I am new to the ELK stack, the sincedb piece is what was causing me issues... I imported your templates after ensuring logstash parsed correctly and created the indexes in elasticsearch... after this, I was able to select the default index per your instructions.... in my scenario, I did not have the underlying indexes/data correct and is what caused my issue.

from kts6.