Add a note to refresh the index pattern before visualizing the data #2726
Conversation
| @@ -102,6 +102,10 @@ predefined +{beatname_lc}-*+ index pattern and set it as the default. | |||
|
|
|||
| image:./images/kibana-created-indexes.png[Kibana configured indexes] | |||
|
|
|||
| NOTE: After importing the index-pattern in Kibana, you need to refresh each index-pattern in Kibana in order to update | |||
There was a problem hiding this comment.
In most cases probably directly after the import the refresh will not help as not much data is in the index yet. Only over time these fields will show up and as far as I understand every time a new dict with fields inside is added, the refresh is needed. Perhaps we should put this under the FAQ in something like "Fields show up a nested JSON in Kibana"?
There was a problem hiding this comment.
@monicasarbu I think this note will be confusing to new users. It would be better, as @ruflin suggests, to describe how the problem affects the user (what they see when they try to visualize the data) and how to fix the problem. I'd suggest having a short note here and then pointing off to an FAQ topic for more detail (in the FAQ topic, you could have a more detailed example of the problem).
BTW, when you say that they need to refresh the index pattern, do you mean that they need to do this: https://www.elastic.co/guide/en/kibana/current/settings.html#reload-fields? If so, a pointer to the Kibana doc about this would be useful.
There was a problem hiding this comment.
@ruflin The section about loading the dashboards comes after the user has data in Elasticsearch as the previous section is "Starting Packetbeat", if the user follows the Getting started guide step by step. This is tricky as anytime, new keys can appear after you refreshed already the index-pattern.
I think adding a question under FAQ is a good idea.
There was a problem hiding this comment.
@dedemorton yes. I am referring to the indices refresh from Kibana. As suggested I also added to FAQ.
b75fb04 to
43bf40b
Compare
43bf40b to
8a456e9
Compare
|
Based on the feedback from @ruflin @dedemorton, I am adding only a section under FAQ with the solution for nested objected under Discovery, and don't add anything in the importing dashboards section as the user might get confused at this early stage. |
* Clarify instructions for running configtest * Add to FAQ the solution for having nested JSON objects under Discovery (#2726) * docs: Fix broken Kibana doc link in faq (#2837) The Kibana docs overhaul for 5.0+ changed the link to the index pattern field refresh instructions. * Use variable for filepath plus some light edits (#2838)
* Clarify instructions for running configtest * Add to FAQ the solution for having nested JSON objects under Discovery (elastic#2726) * docs: Fix broken Kibana doc link in faq (elastic#2837) The Kibana docs overhaul for 5.0+ changed the link to the index pattern field refresh instructions. * Use variable for filepath plus some light edits (elastic#2838)
Packetbeat uses a few fields in the event of type
dict. The problem appears as the Beat doesn't always know the keys that a dictionary field might contain, so it's not able to define them in advance.Let's consider as an example
http.request.headers, that has the typedict. After importing the index-pattern in Kibana, the Discovery page in Kibana looks like:After you refresh the
packetbeat-*index pattern, then all the keys are updated and the Discovery page looks like:where a field is created in the
packetbeat-*index pattern for each key available in the dictionary.cc-ed @dedemorton