In the (new) Sidecar overview you see the button “Show received messages” next to a Sidecar (let's say System1). If I click on this I get no messages.
But if I search for messages with source:system1 I get all the messages I would expect.
What am I doing wrong here?
Graylog is 3.0.1
ES is 6.7.1
System1 is Windows 7 with winlogbeat enabled.
Ok, I found out:
The button creates the search query:
But there is no field gl2_source_collector.
The name of the field with this value is winlogbeat_gl2_source_collector
Thanks in advance,