Fixed Filebeat ECS dashboards #11520
Conversation
| @@ -28,7 +28,7 @@ | |||
| "id": "1", | |||
| "params": { | |||
| "customLabel": "Query time", | |||
| "field": "mysql.slowlog.query_time.sec" | |||
| "field": "event.duration" | |||
There was a problem hiding this comment.
This one changes the unit, so it's not a 1-1 mapping. We should follow up to see if the dashboard still looks as expected.
| @@ -40,7 +40,7 @@ | |||
| "enabled": true, | |||
| "id": "3", | |||
| "params": { | |||
| "field": "nginx.access.remote_ip", | |||
| "field": "source.address", | |||
There was a problem hiding this comment.
I can't find this on in our ecs migration list. Seems like we missed this one.
There was a problem hiding this comment.
This was the main reason for #11512. You'll see it when it's backported ;-)
|
I wonder why these didn't get properly renamed. Perhaps we touched these after the rename? |
|
@EthanStrider Thanks for the fix and digging into this. Will forward port it to master. |
|
Thanks! |
|
Yep, also merged this one and will backport to 7.0 now. Let me know if you find any other broken dashboards. |
(cherry picked from commit 32e6378)
| @@ -2,6 +2,7 @@ | |||
| [frame="topbot",options="header"] | |||
| |====================== | |||
| |Old Field|New Field | |||
| |`auditd.message_type` |`event.type` | |||
There was a problem hiding this comment.
@webmat Do we need to revert this change?
| @@ -12,7 +13,6 @@ | |||
| |`docker.container.image` |`container.image.name` | |||
| |`docker.container.labels` |`container.labels` | |||
| |`docker.container.name` |`container.name` | |||
| |`event.type` |`auditd.message_type` | |||
There was a problem hiding this comment.
This needs to be put back as it was. event.type is reserved and should not be used in 7.0
No description provided.