Unable to create kibana index patterns

I installed the Open Distro with minimal changes to config files on an AWS Linux instance. On our Windows app server I set up filebeat to feed multiple app logs into logstash and that has been running for several weeks. I’m now trying to add logstash on the app server to process a different log, and I use lumberjack to send it over to the ELK server. That all seems to be working. I can see the new index just fine in the dev tools console. I have a file output that also verifies the data is arriving.

So I’m logged into kibana as admin, and working in the private tenant. When I try to add an index pattern, it doesn’t see the new index. In fact, though there is an index pattern defined and I can use it fine, I can’t recreate it as it doesn’t see any index. If I switch out to the global tenant, it too can see everything via dev tools, but sees nothing when I try to create an index pattern. I can also see the indices listed on the index management page.

I don’t think I made any changes to elasticsearch or kibana once the filebeat inputs started. I added the second logstash input which required turning on ssl as required by lumberjack.

What would cause the admin user to not be able to see the indices? I’m using the rpm version 1.13.2-1 of oss and 7.10.2-1 of logstash.



That’s a weird one. Something tells me this has something to do with permissions. Anything limiting there?

I see it is a problem with wildcard matching in the search. The minimum string that works is the name prefix up to the first “.” contained in the index name. So “filebeat-7.*” works, as does “filebeat-7.1*”, but “filebeat-7*” does not.

That’s kinda gnarly. I wonder if this exists in OpenSearch… :face_with_monocle: