Troubleshooting: Queries fail after Upgrading Beats Log Shippers

Affects:

Condition or Error

After upgrading Beats, saved queries no longer return data

Data in logs shipped by Beats no longer shows up in queries

Dashboards show empty data or zero values

After upgrading Beats, for example between Winlogbeat 6.x and Winlogbeat 7.x queries and saved queries no longer return data.

Causes

Beats changed the format and name of the some of the fields used when they ship logs to LogScale. These changes affect a number of specific log files and types. Many field names for specific log files have changed, which will alter the field names when they are searched and indexed within LogScale.

Solutions

Existing queries, saved searches and dashboards will need to be updated according to the changes within the Beats software.
For more information on the upgrade process:
- Beats Platform: Upgrade from 6.x to 7.x
- Release Notes Breaking Changes