outflanknl / RedELK

Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.
BSD 3-Clause "New" or "Revised" License

Issue with dashboards missing "keyword" #266

Closed oribit closed 2 years ago

oribit commented 2 years ago

Not sure if it's something specific to my deployment in AWS. But using Debian 11 and 2.0 BETA6, almost all dashboards don't work due to a weird "issue" with the names of the fields. It seems the fields associated with the dashboards are named without "keyword": [screenshot: Screen Shot 2022-07-01 at 2.04.55 AM]

Changing the field used to the same named but with "keyword" at the end, fixes the problem.

MarcOverIP commented 2 years ago

I believe this happens when there is no data yet in ES. Might that be the case for you?

oribit commented 2 years ago

Yes, indeed that was exactly the case. There was a misconfiguration in our deployment and data was not ingested, so the first thought was this error that I fixed manually, so I can't say if this would be gone if the data ingestion works. I'll try to test it again with a clean installation. I'm going to close it, because it seems it could be our initial deployment. I'll open it again if we face it again. Thanks!
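The root cause MarcOverIP points to is worth having a quick check for: Elasticsearch only creates the `.keyword` multi-fields through dynamic mapping once at least one document has been indexed, so an index that has never received data has no mapping for Kibana to resolve those fields against. The script below is an added example, not part of this issue or of the RedELK project. It walks the JSON that `GET /<index>/_mapping` returns, distinguishes "no data ingested yet" from "field exists but has no `.keyword` sub-field", and reports which dashboard fields would break. The index name, the field names, and both sample mappings are constructed for the example and are not RedELK's actual names.

```python
import json

# Constructed sample of a GET /<index>/_mapping response after at least one
# document was indexed with dynamic mapping: string fields get a ".keyword"
# multi-field. Index and field names are hypothetical, not RedELK's own.
SAMPLE_MAPPING = {
    "rtops-example": {
        "mappings": {
            "properties": {
                "@timestamp": {"type": "date"},
                "beacon": {
                    "properties": {
                        "user": {
                            "type": "text",
                            "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
                        },
                        # constructed: a text field that never got a keyword sub-field
                        "hostname": {"type": "text"},
                    }
                },
            }
        }
    }
}

# Constructed sample of the same call against an index that has received no data.
EMPTY_MAPPING = {"rtops-example": {"mappings": {}}}

# Hypothetical fields a saved dashboard might aggregate on (not RedELK's real list).
DASHBOARD_FIELDS = ["beacon.user.keyword", "beacon.hostname.keyword", "c2.message.keyword"]


def flatten_fields(properties, prefix=""):
    """Walk a mapping 'properties' tree and return {dotted_name: type}.
    Multi-fields declared under 'fields' are emitted as '<name>.<subname>'."""
    out = {}
    for name, spec in properties.items():
        full = f"{prefix}{name}"
        if "properties" in spec:
            out.update(flatten_fields(spec["properties"], full + "."))
        else:
            out[full] = spec.get("type", "object")
            for sub, subspec in spec.get("fields", {}).items():
                out[f"{full}.{sub}"] = subspec.get("type", "")
    return out


def check_dashboard_fields(mapping, index, wanted):
    """Report why dashboard fields would fail to resolve.
    'no_data'      -> the index has no mapping at all (nothing ingested yet)
    'missing'      -> neither the field nor its base name exists
    'needs_keyword'-> the base field exists but has no .keyword multi-field"""
    props = mapping.get(index, {}).get("mappings", {}).get("properties")
    if not props:
        return {"no_data": True, "missing": sorted(wanted), "needs_keyword": []}
    fields = flatten_fields(props)
    missing, needs_keyword = [], []
    for f in wanted:
        if f in fields:
            continue
        base = f[: -len(".keyword")] if f.endswith(".keyword") else f
        if base in fields:
            needs_keyword.append(f)
        else:
            missing.append(f)
    return {"no_data": False, "missing": sorted(missing), "needs_keyword": sorted(needs_keyword)}


if __name__ == "__main__":
    for label, m in (("empty index", EMPTY_MAPPING), ("index with data", SAMPLE_MAPPING)):
        print(label, json.dumps(check_dashboard_fields(m, "rtops-example", DASHBOARD_FIELDS)))
```

In practice you would feed the script the real `_mapping` output of the RedELK index and the field list extracted from the exported dashboard JSON; a `no_data` result means the fix is to get ingestion working rather than to rename fields in the visualisations, which is exactly the conclusion reached in this thread.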