beats icon indicating copy to clipboard operation
beats copied to clipboard
verified publisher icon elastic

Filebeat data not visible under Discover tab

Open harshitgupta-qasource opened this issue 2 months ago • 7 comments

Kibana Build details:

VERSION: 9.2.0 BC2
BUILD: 91433
COMMIT: 7d37e7bee2457c29e10fde5531500b29bcdcc9d5

Artifact Link: https://staging.elastic.co/9.2.0-0276828a/downloads/beats/filebeat/filebeat-9.2.0-windows-x86_64.zip

Preconditions:

  1. 9.2.0 BC2 Kibana cloud environment should be available.

Steps to reproduce:

  1. Update cloud id and cloud auth for Filebeat under filebeat.yml.
  2. Now, enable system module using this command filebeat modules enable threatintel.
  3. Navigate to 'modules.d/threatintel.yml' and set all false value to true.
  4. Save the file.
  5. Now run: filebeat setup -e for setup assests.
  6. Observe Dashboards are successfully loaded.
  7. Then start filebeat using this command sudo service filebeat start
  8. Navigate to kibana > Discover Tab > Filebeat
  9. Observe no data under Discover tab is displayed for Agents.

Expected Result: Filebeat logs should be installed successfully and visible under the Discover tab.

Actual Result

No data is displayed in Discover for Filebeat index even after successful setup and service start.

Logs

Filebeat configuration file of modules directory

Screenshot

Image

harshitgupta-qasource avatar Oct 07 '25 10:10 harshitgupta-qasource

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

elasticmachine avatar Oct 07 '25 10:10 elasticmachine

@amolnater-qasource Kindly review

harshitgupta-qasource avatar Oct 07 '25 10:10 harshitgupta-qasource

Secondary review for this ticket is Done. FYI @pierrehilbert

amolnater-qasource avatar Oct 07 '25 10:10 amolnater-qasource

Hey, Could it be similar to https://github.com/elastic/beats/issues/45516?

pierrehilbert avatar Oct 16 '25 13:10 pierrehilbert

Hi @pierrehilbert

Thanks for looking into this issue.

Could it be similar to https://github.com/elastic/beats/issues/45516?

We have attempted to reproduce the above issue. However, in their case, running the command .\filebeat.exe setup -e displays an error in the command prompt logs. In our case, we executed the command .\filebeat.exe setup (without the -e flag), which ran successfully. After that, the dashboard loaded correctly, and we started the service using Start-Service filebeat.

Despite the successful setup, dashboard load, and service start, we observed that no data is displayed in Discover for Filebeat.

Screenshot

Image Image

Please let us know if anything else is required from our end. Thanks

harshitgupta-qasource avatar Oct 17 '25 08:10 harshitgupta-qasource

Am I understanding this correctly? the application issues a warning, and the script chose "Do not run" as the follow on option - correct?

nimarezainia avatar Dec 10 '25 02:12 nimarezainia

Hi @nimarezainia

the application issues a warning, and the script chose "Do not run" as the follow on option - correct?

All the steps for installation as shared under https://github.com/elastic/beats/issues/46958#issue-3490800428 are executed successfully without any errors. However, No data is visible under the Discover Tab.

Please let us know if we are missing anything here. Thanks

harshitgupta-qasource avatar Dec 11 '25 05:12 harshitgupta-qasource