Hello,
In the (new) Sidecar overview there is a button “Show received messages” next to a sidecar (let's say System1). If I click on this I get no messages.
But if I search for messages with source:system1 I get all the messages I would expect.
What am I doing wrong here?
Graylog is 3.0.1
ES is 6.7.1
System1 is Windows 7 with winlogbeat enabled.
OK, I found out:
The button creates the search query: gl2_source_collector:e85f470e-2ae6-4d34-bee6-139ae82de70a
But there is no field gl2_source_collector.
The name of the field with this value is winlogbeat_gl2_source_collector.
You see this because you have not checked the following in the new Beats input:
The link in the button assumes that the field gl2_source_collector is present. As you do not have it, the search does not work. You could correct that field name with a processing pipeline, or tick the option above on the input.
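The pipeline alternative mentioned in the reply, as an added example that is not part of the original thread. It is a Graylog processing pipeline rule that copies the value of the prefixed field into the field name the sidecar button searches for and then drops the prefixed copy, so the existing query gl2_source_collector:<collector id> matches. The field names come from the posts above; the rule name is a placeholder, and the rule still has to be put in a pipeline stage that is connected to the stream the winlogbeat messages land in (the "All messages" stream if you have not routed them elsewhere):

```text
// Added example rule, not from the original post.
// Normalises the collector id field for messages coming from a Beats input
// that prefixes every field with the beat type ("winlogbeat_").
rule "normalise winlogbeat collector id"
when
    // only touch messages that actually carry the prefixed field
    has_field("winlogbeat_gl2_source_collector") &&
    // and that do not already have the field the sidecar UI queries
    !has_field("gl2_source_collector")
then
    // set_field writes the field the "Show received messages" button searches for
    set_field("gl2_source_collector", to_string($message.winlogbeat_gl2_source_collector));
    // drop the prefixed duplicate so the value is not indexed twice
    remove_field("winlogbeat_gl2_source_collector");
end
```

Note that the rule only affects messages processed after it is connected; messages already indexed keep the old field name, so the button will still show nothing for them until they age out. Also, the Beats input option the reply refers to is (as far as I can tell from the text, since the screenshot is not reproduced here) the one that stops the input from prefixing fields with the beat type; if you enable it instead of using the rule, remember that any other prefixed fields you search on (winlogbeat_*) change name as well.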