Troubleshooting: Queries fail after Upgrading Beats Log Shippers

Product/Components Affected: Humio, Filebeat, Winlogbeat, Metricbeat, Packetbeat

Affected Humio Versions: all

Issue

Symptoms

  • After upgrading Beats, saved queries no longer return data

  • Data in logs shipped by Beats no longer shows up in queries

  • Dashboards show empty data or zero values

After upgrading Beats, for example between Winlogbeat 6.x and Winlogbeat 7.x, queries and saved queries no longer return data.

Cause

Beats changed the format and name of some of the fields used when they ship logs to Humio. These changes affect a number of specific log files and types. Many field names for specific log files have changed, which alters the field names under which the data is indexed and searched within Humio.

Solution

Existing queries, saved searches and dashboards will need to be updated according to the changes within the Beats software.
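
One way to find the saved queries that still reference renamed fields and to propose a rewrite, as an added example that is not part of the original article or of Humio or Beats. The rename table is a small assumed sample of Winlogbeat 6.x to 7.x changes that must be checked against the Beats breaking-changes list for your versions; the saved queries are constructed and the function names are hypothetical.

```python
import re

# Assumed sample of Winlogbeat 6.x -> 7.x field renames (old -> new).
# Check it against the Beats breaking-changes list for your versions.
RENAMES = {
    "event_id": "winlog.event_id",
    "computer_name": "winlog.computer_name",
    "log_name": "winlog.channel",
    "source_name": "winlog.provider_name",
    "beat.hostname": "agent.hostname",
}
# Match a field only as a whole token, so "winlog.event_id" is not re-matched.
PATTERNS = {old: re.compile(r"(?<![\w.])" + re.escape(old) + r"(?![\w.])")
            for old in RENAMES}
# Double-quoted string literals are values, not field names; leave them alone.
QUOTED = re.compile(r'("(?:[^"\\]|\\.)*")')

def stale_fields(query):
    """Old field names referenced outside string literals, sorted."""
    code = " ".join(QUOTED.split(query)[0::2])
    return sorted(old for old, pat in PATTERNS.items() if pat.search(code))

def migrate(query):
    """Rewrite old field names to the new ones, skipping string literals."""
    parts = QUOTED.split(query)  # odd indexes hold the quoted literals
    for i in range(0, len(parts), 2):
        for old, pat in PATTERNS.items():
            parts[i] = pat.sub(RENAMES[old], parts[i])
    return "".join(parts)

def audit(saved):
    """Map each affected saved query to (stale fields, proposed rewrite)."""
    return {name: (stale_fields(q), migrate(q))
            for name, q in saved.items() if stale_fields(q)}

# Constructed saved queries, for illustration only.
SAVED = {
    "failed-logons": "event_id = 4625 | groupBy(computer_name)",
    "literal-only": 'message = "event_id" | count()',
    "already-migrated": "winlog.event_id = 4625 | count()",
}

if __name__ == "__main__":
    for name, (stale, fixed) in audit(SAVED).items():
        print(f"{name}: uses {stale}\n  proposed: {fixed}")
```

Regex literals written between slashes are not skipped, so review each proposed rewrite before saving it; alerts and detections built on the old field names return nothing rather than raising an error, which makes this audit worth running before the upgrade reaches production shippers.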

For more information on the upgrade process: