Show Messages in (new) Sidecar Overview

(Dietmar Schurr) #1

Hello,
In the (new) Sidecar overview you see the button “Show received messages” next to a Sidecar (let's say System1). If I click on this I get no messages.
But if I search for messages with source:system1 I get all the messages I would expect.

What am I doing wrong here?
Graylog is 3.0.1
ES is 6.7.1
System1 is Windows 7 with winlogbeat enabled.

Ok, I found out:
The button creates the search query:
gl2_source_collector:e85f470e-2ae6-4d34-bee6-139ae82de70a
But there is no field gl2_source_collector.
The name of the field with this value is winlogbeat_gl2_source_collector

Thanks in advance,

Dietmar


(Jan Doberstein) #2

You see this because you have not checked the following in the new Beats input:

[image]

The link in the button assumes that the field gl2_source_collector is given - as you do not have that, it does not work. You could correct that field name with a processing pipeline or make the tick above on the input.

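For the "processing pipeline" route Jan mentions, here is an added example of a Graylog pipeline rule (not code from the thread or from Graylog itself) that copies the prefixed field into the name the Sidecar button searches for. It assumes the field names from the first post (winlogbeat_gl2_source_collector as the field that exists, gl2_source_collector as the one the button queries); the screenshot above did not survive, so the exact input checkbox is not shown here, and this rule is only the alternative when that option is left unticked.

```text
rule "copy winlogbeat collector id to gl2_source_collector"
when
  // only act on messages that carry the prefixed field (name taken from post #1)
  has_field("winlogbeat_gl2_source_collector") && !has_field("gl2_source_collector")
then
  // gl2_source_collector is the field the Sidecar "Show received messages" button queries
  set_field("gl2_source_collector", to_string($message.winlogbeat_gl2_source_collector));
end
```

Attach the rule to a pipeline and connect that pipeline to the stream the Beats messages land in (System > Pipelines > Manage connections); the guard on has_field avoids overwriting a gl2_source_collector value that is already set, so the rule is safe to leave in place after ticking the input option later. Note that this only affects messages processed after the rule is active; older messages keep the prefixed field name.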

(Dietmar Schurr) #3

Hello Jan,

thanks a lot. This is the solution!

Regards,

Dietmar
