[Auditbeat] Host Overview dashboard #10160
Conversation
Pinging @elastic/secops
Love the looks of the dashboard.
Perhaps more useful than avg uptime would be Bottom N uptimes (most recent reboots)?
I've discovered a big worry about canonical fields for strings not being keyword indexed, but this is out of the scope of this new dashboard. Let's look into that next week.
    "enabled": true,
    "id": "1",
    "params": {
      "field": "system.audit.host.id.keyword"
Hmmm, the canonical fields are not `keyword` datatype? Is this a fact across Auditbeat?

In ECS, we're flipping the ES convention around. Virtually all textual fields are `keyword`, and if full text search is needed, a multi-field named `.text` should be added. To take this field for example, I would have expected `system.audit.host.id` == keyword and `system.audit.host.id.text` == text.

I thought the ECS convention (at least the canonical fields being `keyword`) was already in place across all beats, but it seems like it's not the case here.

@cwurm Do you know how widely multi-field is used for the keyword indexing, in Auditbeat?

cc @ruflin
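The keyword-versus-text distinction raised in the comment above, as an added example that is not part of this PR or of Auditbeat's own template: a small Python check over two constructed mapping fragments, one shaped like Elasticsearch's dynamic-mapping default (`text` with a `.keyword` multi-field, which is what produces references such as `system.audit.host.id.keyword`) and one shaped the way ECS expects (`keyword`, with an optional `.text` multi-field). The function names, the mapping contents and the `ignore_above` values are my own assumptions chosen for illustration.

```python
# Added example, not code from the Auditbeat PR. It flags canonical textual
# fields that are not keyword (the ECS expectation) and resolves the name a
# visualization must use for an exact-match aggregation under a given mapping.

# Constructed mapping fragment: what Elasticsearch dynamic mapping produces for
# string values when no index template is loaded (text + .keyword multi-field).
DYNAMIC_MAPPING = {
    "properties": {"system": {"properties": {"audit": {"properties": {"host": {"properties": {
        "id": {"type": "text", "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
        "hostname": {"type": "text", "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
    }}}}}}}
}

# Constructed mapping fragment following the ECS convention: keyword is the
# canonical type; full-text search, where wanted, lives in a .text multi-field.
ECS_MAPPING = {
    "properties": {"system": {"properties": {"audit": {"properties": {"host": {"properties": {
        "id": {"type": "keyword", "ignore_above": 1024},
        "hostname": {"type": "keyword", "ignore_above": 1024, "fields": {"text": {"type": "text"}}},
        "uptime": {"type": "long"},
    }}}}}}}
}


def iter_fields(mapping, prefix=""):
    """Yield (dotted_name, definition, is_multifield) for every leaf field.

    Object fields (those with "properties") are descended into; multi-fields
    (those under "fields") are yielded with is_multifield=True.
    """
    for name, definition in mapping.get("properties", {}).items():
        full = prefix + name
        if "properties" in definition:
            yield from iter_fields(definition, full + ".")
            continue
        yield full, definition, False
        for sub_name, sub_def in definition.get("fields", {}).items():
            yield full + "." + sub_name, sub_def, True


def non_ecs_textual_fields(mapping):
    """Canonical (non-multi) fields mapped as text rather than keyword.

    These are the fields the ECS convention says should be keyword; a terms
    aggregation on them fails unless fielddata is enabled or a keyword
    multi-field is used instead.
    """
    return sorted(
        name for name, definition, is_multi in iter_fields(mapping)
        if not is_multi and definition.get("type") == "text"
    )


def field_exists(mapping, name):
    """True if `name` is a leaf field or multi-field in the mapping."""
    return any(existing == name for existing, _, _ in iter_fields(mapping))


def exact_match_field(mapping, field):
    """Name a visualization should reference for exact-match (terms) aggregations.

    Returns the field itself when it is keyword, otherwise its keyword
    multi-field. Raises if no keyword representation exists at all.
    """
    fields = {name: definition for name, definition, _ in iter_fields(mapping)}
    if field not in fields:
        raise KeyError(field)
    if fields[field].get("type") == "keyword":
        return field
    for name, definition in fields.items():
        if name.startswith(field + ".") and definition.get("type") == "keyword":
            return name
    raise ValueError(f"{field} has no keyword representation; terms aggregations will fail")


if __name__ == "__main__":
    # The dashboard snippet under review references system.audit.host.id.keyword,
    # which only exists under the dynamic mapping, not under the ECS-style template.
    for label, mapping in (("dynamic", DYNAMIC_MAPPING), ("ecs", ECS_MAPPING)):
        print(label, "text-typed canonical fields:", non_ecs_textual_fields(mapping))
        print(label, "host.id.keyword exists:", field_exists(mapping, "system.audit.host.id.keyword"))
        print(label, "use for terms agg:", exact_match_field(mapping, "system.audit.host.id"))
```

Running this against a saved-object export before committing a dashboard is the check that would have caught the `.keyword` references in this PR: a field reference that resolves under the dynamic mapping but not under the loaded template will render as an empty visualization once the proper template is in place.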
My mistake. For some reason, I did not have the proper template loaded. I've loaded it now and updated the field references. Thanks for catching it.
The
Happy we caught that template problem :-)
LGTM
Based on the screenshot I think the dashboard name needs to be swapped around. I think the convention dictates that it should be
I've opened #10511 for a System Overview dashboard containing data from all datasets. So closing this for now, unless we decide to go with individual dashboards after all.
Adds a Host Overview dashboard for data from the `host` dataset: