Beats: Saved `field` parameter is now invalid.

Kibana working fine with packetbeat version 6.2.2 (amd64), libbeat 6.2.2

Hey team,

not sure if this is the right ticket to attach to, but I got the same issue with Filebeat and Kibana. Almost all visualisations except some, loose their mapped field. One solution, which is relativly time consuming is to set the "field" in the visualisations oneself.

Versions: Debian Stretch (4.13); Elasticsearch 6.2.4; Logstash 6.2.4; Kibana 6.2.4; Filebeat 6.2.4

I have exactly the same problem with Ubuntu 16.04.4 LTS , and Elasticsearch / Logstash / Kibana/ Filebeat all 6.2.4

+1

I finally got to investigate it and I can reproduce it. This discuss thread might have some interesting pointers from @Stacey-Gammon https://discuss.elastic.co/t/saved-field-parameter-is-now-invalid-please-select-a-new-field-visualize-field-is-a-required-parameter/70034/22 and here are the related Github issues:

• https://github.com/elastic/kibana/issues/9466
• https://github.com/elastic/elasticsearch/issues/22438

I just tried to reproduce this again. This time with packetbeat 7.0, es/kb 7.0 and packetbeat 7.0, es/kb 6.3 but in both cases I didn't see the error anymore. As I used the same setup before I'm not sure what changed :-(

Can this happen due to not enabling (File)Beat to sending logs directly to Elasticsearch?
Im currently using the example Logstash filter, to parse the modules output to Elasticsearch. To actually install the dashboards, I installed Filebeat on the ELK server and run the setup routine from there (elasticsearch and kibana in my installation are only listening on localhost).
After I changed the index id for the visualisations, I had to manually change the field mappings, because the actual values where not in the mapped 'field', but in 'field.keyword'.

@oaten-cracker Could you share an example event? I'm curious to see how field.keyword looks in the events.

Issue has not been updated for 6+ months. Closing. If issue persists in newer versions we can re-open.