Troubleshooting: Queries fail after Upgrading Beats Log Shippers
Affects:
Filebeat™ version(s) all
Winlogbeat™ version(s) all
Metricbeat™ version(s) all
Packetbeat™ version(s) all
Condition or Error
After upgrading Beats, saved queries no longer return data
Data in logs shipped by Beats no longer shows up in queries
Dashboards show empty data or zero values
After upgrading Beats, for example between Winlogbeat 6.x and Winlogbeat 7.x queries and saved queries no longer return data.
Causes
Beats changed the format and name of the some of the fields used when they ship logs to LogScale. These changes affect a number of specific log files and types. Many field names for specific log files have changed, which will alter the field names when they are searched and indexed within LogScale.
Solutions
Existing queries, saved searches and dashboards will need to be updated according to the changes within the Beats software.
For more information on the upgrade process: