Posted to user@metron.apache.org by Syed Hammad Tahir <ms...@itu.edu.pk> on 2017/11/14 10:26:16 UTC

Kibana dashboard gone

Hi guys, I have accidentally deleted all the elasticsearch data,

[image: Inline image 1]

And now the kibana dashboard is gone.

[image: Inline image 2]

Am I completely fu**d here or can I still do something to bring it back?

Re: Kibana dashboard gone

Posted by Laurens Vets <la...@daemon.be>.
pcap-service is "Not monitored". Shouldn't that be "Running"? 

Anyways, maybe it's best to start again :) 

On 2017-11-14 21:48, Syed Hammad Tahir wrote:

> Still facing this issue. Sensor stub is up and running but can't see anything in kibana
> 
> On Wed, Nov 15, 2017 at 1:21 AM, Syed Hammad Tahir <ms...@itu.edu.pk> wrote:
> 
> Nope, no exceptions here 
> 
> On Wed, Nov 15, 2017 at 1:07 AM, Michael Miklavcic <mi...@gmail.com> wrote:
> 
> Er, look under the Metron service. 
> 
> Also, now that I think about it, I don't think deleting the indexes will remove the templates. I'd look in your Storm logs for the indexing topology to see if there are any exceptions being thrown. 
> 
> On Tue, Nov 14, 2017 at 1:02 PM, Syed Hammad Tahir <ms...@itu.edu.pk> wrote:
> 
> Anyway, can't re-deploy ES templates as I see this 
> 
> On Wed, Nov 15, 2017 at 12:59 AM, Syed Hammad Tahir <ms...@itu.edu.pk> wrote:
> 
> Explicit mappings? 
> 
> On Wed, Nov 15, 2017 at 12:56 AM, Michael Miklavcic <mi...@gmail.com> wrote:
> 
> You should also re-deploy the Elasticsearch templates - Go to ES in Ambari -> Service Actions -> Install Templates. ES will automagically map things, but it might cause problems without our explicit mappings. 
> 
> Cheers, 
> M 
> 
> On Tue, Nov 14, 2017 at 12:41 PM, Syed Hammad Tahir <ms...@itu.edu.pk> wrote:
> 
> Did that, but I can't see the sensor stub data coming to dashboard although the sensor stubs are up and running. Does it have something to do with the deleted indices from elastic search? 
> 
> On Wed, Nov 15, 2017 at 12:40 AM, Casey Stella <ce...@gmail.com> wrote:
> 
> In that case, then as Mike said, you can do that from Ambari via the service actions -> deploy the kibana dashboard. 
> 
> On Tue, Nov 14, 2017 at 2:32 PM, Syed Hammad Tahir <ms...@itu.edu.pk> wrote:
> 
> I don't need to replay anything, I just need the kibana dashboard back so I can feed the snort logs from scratch. 
> 
> On Wed, Nov 15, 2017 at 12:13 AM, Michael Miklavcic <mi...@gmail.com> wrote:
> 
> If you just need the dashboard, go to the Kibana service in Ambari, click on Service Actions and choose the option to deploy the Kibana Dashboard. If you need to recover all of your index data, you might look at this [1]. Another option, if you're able in this environment, is to replay all the data from Kafka. Restart your indexing topology with the option for kafka.start set to EARLIEST in elasticsearch.properties. Be careful with this if you have a lot of data as it will replay *everything* in your indexing topic. 
> 
> elasticsearch.properties 
> ... 
> 
> # One of EARLIEST, LATEST, UNCOMMITTED_EARLIEST, UNCOMMITTED_LATEST 
> kafka.start=UNCOMMITTED_EARLIEST 
> ... 
> 
> 1. https://stackoverflow.com/questions/36573257/recover-accidentally-deleted-index-without-snapshot [1] 
> 
> Best, 
> Mike Miklavcic 
> 
> On Tue, Nov 14, 2017 at 11:29 AM, Syed Hammad Tahir <ms...@itu.edu.pk> wrote:
> 
> Help guys.
> 
> On Tue, Nov 14, 2017 at 3:26 PM, Syed Hammad Tahir <ms...@itu.edu.pk> wrote:
> 
> Hi guys, I have accidentally deleted all the elasticsearch data,
> 
> And now the kibana dashboard is gone.
> 
> Am I completely fu**d here or can I still do something to bring it back?
 

Links:
------
[1]
https://stackoverflow.com/questions/36573257/recover-accidentally-deleted-index-without-snapshot

Re: Kibana dashboard gone

Posted by Syed Hammad Tahir <ms...@itu.edu.pk>.
Yes, I was thinking about the same; however, I thought there might be another
graceful way to get out of this situation.

On Wed, Nov 15, 2017 at 10:19 PM, Ryan Merriman <me...@gmail.com> wrote:

> Why don't you just start over and rebuild vagrant?  You've obviously
> gotten yourself into a bad state somehow and it's probably not that
> effective for us to try and get you out of it over the user discussion list.
>
> Ryan
>
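
The queue-by-queue check suggested in this thread (parsers, then enrichment, then indexing), as an added example that is not part of any poster's message or of the Metron project: it compares two snapshots of per-topic end offsets, in the `topic:partition:offset` form printed by Kafka's GetOffsetShell tool, and reports the first topic that stopped growing. The `enrichments` topic name, the writer descriptions, the sample snapshots and all function names are assumptions.

```python
"""Find where events stop flowing in a sensor -> enrichment -> indexing
pipeline by comparing two snapshots of Kafka end offsets."""
from collections import defaultdict

# Topics in pipeline order, each paired with the component that WRITES to it.
# "snort" and "indexing" are named in the thread; the "enrichments" topic name
# and the writer descriptions are assumptions about a default layout.
PIPELINE = [
    ("snort", "sensor / console producer"),
    ("enrichments", "parser topology"),
    ("indexing", "enrichment topology"),
]


def parse_offsets(text):
    """Sum end offsets per topic from 'topic:partition:offset' lines."""
    totals = defaultdict(int)
    for line in text.splitlines():
        try:
            topic, _partition, offset = line.strip().rsplit(":", 2)
            totals[topic] += int(offset)
        except ValueError:
            continue  # blank line, log noise, or not topic:partition:offset
    return dict(totals)


def first_stalled_stage(before, after, pipeline=PIPELINE):
    """Return (topic, writer, reason) for the first topic that is not
    receiving data, or None when every topic grew between snapshots."""
    for topic, writer in pipeline:
        if topic not in after:
            return topic, writer, "missing"
        growth = after[topic] - before.get(topic, 0)
        if growth < 0:
            # End offset lower than before: the topic's log was removed
            # or the topic was recreated between the two snapshots.
            return topic, writer, "reset"
        if growth == 0:
            return topic, writer, "idle"
    return None


def diagnose(before_text, after_text):
    """Human-readable pointer to the component whose logs to read first."""
    stalled = first_stalled_stage(parse_offsets(before_text),
                                  parse_offsets(after_text))
    if stalled is None:
        return ("all topics are growing: check the consumer of the last "
                "topic (indexing topology) and Elasticsearch")
    topic, writer, reason = stalled
    return f"topic '{topic}' is {reason}: check the {writer}"


# Constructed snapshots (not taken from the thread), a minute apart.
SAMPLE_BEFORE = """
snort:0:120
snort:1:80
enrichments:0:200
indexing:0:200
"""

SAMPLE_AFTER = """
snort:0:180
snort:1:120
enrichments:0:300
indexing:0:200
"""

# Constructed snapshot after the on-disk log data was wiped.
SAMPLE_AFTER_WIPE = """
snort:0:0
snort:1:0
enrichments:0:0
indexing:0:0
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_BEFORE, SAMPLE_AFTER))
    print(diagnose(SAMPLE_BEFORE, SAMPLE_AFTER_WIPE))
```

A stall at an early topic hides everything downstream, so the first non-growing topic is the one to investigate; on a security telemetry pipeline an idle topic also means events are not reaching the index at all.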

Re: Kibana dashboard gone

Posted by Ryan Merriman <me...@gmail.com>.
Why don't you just start over and rebuild vagrant?  You've obviously gotten
yourself into a bad state somehow and it's probably not that effective for
us to try and get you out of it over the user discussion list.

Ryan

On Wed, Nov 15, 2017 at 10:29 AM, Syed Hammad Tahir <ms...@itu.edu.pk>
wrote:

> Anything I could do here?

Re: Kibana dashboard gone

Posted by Syed Hammad Tahir <ms...@itu.edu.pk>.
Anything I could do here?

On Wed, Nov 15, 2017 at 4:44 PM, Syed Hammad Tahir <ms...@itu.edu.pk>
wrote:

>
> This is what I get when I run sudo head -n 100 snort.out  |
> /usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --broker-list
> node1:6667 --topic snort
>
>
> [image: Inline image 1]

Re: Kibana dashboard gone

Posted by Syed Hammad Tahir <ms...@itu.edu.pk>.
This is what I get when I run sudo head -n 100 snort.out  |
/usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --broker-list
node1:6667 --topic snort


[image: Inline image 1]



On Wed, Nov 15, 2017 at 4:34 PM, Syed Hammad Tahir <ms...@itu.edu.pk>
wrote:

> I am not sure as well. When I do kafka topic list then all the topics are
> listing as usual. When I start a sensor stub from monit then I am unable to
> see any data in kafka consumer on any given topic.
>
> On Wed, Nov 15, 2017 at 12:37 PM, Michael Miklavcic <
> michael.miklavcic@gmail.com> wrote:
>
>> But also, you might consider deleting your queues and recreating them
>> again bc I'm not clear on the implications of deleting from the local file
>> system. Kafka might not like that much, but I'm honestly not sure.
>>
>> On Nov 15, 2017 12:35 AM, "Michael Miklavcic" <
>> michael.miklavcic@gmail.com> wrote:
>>
>>> Can you walk through checking your queues from parsers, to enrichment,
>>> to indexing? Also look into your logs for each step as well. We need to
>>> find where the data is getting hung up before we figure out what to do
>>> about it.
>>>
>>> On Nov 15, 2017 12:32 AM, "Syed Hammad Tahir" <ms...@itu.edu.pk>
>>> wrote:
>>>
>>>> I just deleted data from /data1/kafka-logs.
>>>>
>>>> I didn't delete the kafka topics or anything. What should I do now?
>>>>
>>>> On Wed, Nov 15, 2017 at 12:29 PM, Michael Miklavcic <
>>>> michael.miklavcic@gmail.com> wrote:
>>>>
>>>>> Yeah, don't delete the queues! Recreate those and I think you should
>>>>> start to see data again in ES.
>>>>>
>>>>> On Nov 15, 2017 12:26 AM, "Syed Hammad Tahir" <ms...@itu.edu.pk>
>>>>> wrote:
>>>>>
>>>>>> Here is what my indices look like in ES:
>>>>>>
>>>>>> [image: Inline image 1]
>>>>>>
>>>>>> [image: Inline image 2]
>>>>>>
>>>>>> And nothing is accumulating in kafka indexing queue, I deleted the
>>>>>> existing queues earlier though. Thought that it was just data that was
>>>>>> pushed earlier.
>>>>>>
>>>>>> [image: Inline image 3]
>>>>>>
>>>>>>
>>>>>> On Wed, Nov 15, 2017 at 11:54 AM, Michael Miklavcic <
>>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>>
>>>>>>> What do your indexes look like? Do they exist? Do they have data?
>>>>>>> How about the "indexing" Kafka queue, is it continuing to grow with new
>>>>>>> records?
>>>>>>>
>>>>>>> On Nov 14, 2017 10:49 PM, "Syed Hammad Tahir" <ms...@itu.edu.pk>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Still facing this issue. Sensor stub is up and running but can't see
>>>>>>>> anything in kibana
>>>>>>>>
>>>>>>>> [image: Inline image 1]
>>>>>>>>
>>>>>>>> [image: Inline image 2]
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Nov 15, 2017 at 1:21 AM, Syed Hammad Tahir <
>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>
>>>>>>>>> Nope, no exceptions here
>>>>>>>>>
>>>>>>>>> [image: Inline image 1]
>>>>>>>>>
>>>>>>>>> On Wed, Nov 15, 2017 at 1:07 AM, Michael Miklavcic <
>>>>>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Er, look under the Metron service.
>>>>>>>>>>
>>>>>>>>>> Also, now that I think about it, I don't think deleting the
>>>>>>>>>> indexes will remove the templates. I'd look in your Storm logs for the
>>>>>>>>>> indexing topology to see if there are any exceptions being thrown.
>>>>>>>>>>
>>>>>>>>>> On Tue, Nov 14, 2017 at 1:02 PM, Syed Hammad Tahir <
>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>
>>>>>>>>>>> Anyway, can't re-deploy ES templates as I see this
>>>>>>>>>>>
>>>>>>>>>>> [image: Inline image 1]
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Nov 15, 2017 at 12:59 AM, Syed Hammad Tahir <
>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Explicit mappings?
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Nov 15, 2017 at 12:56 AM, Michael Miklavcic <
>>>>>>>>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> You should also re-deploy the Elasticsearch templates - Go to
>>>>>>>>>>>>> ES in Ambari -> Service Actions -> Install Templates. ES will automagically
>>>>>>>>>>>>> map things, but it might cause problems without our explicit mappings.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>> M
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Nov 14, 2017 at 12:41 PM, Syed Hammad Tahir <
>>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Did that, but I can't see the sensor stub data coming to
>>>>>>>>>>>>>> dashboard although the sensor stubs are up and running. Does it have
>>>>>>>>>>>>>> something to do with the deleted indices from elastic search?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Wed, Nov 15, 2017 at 12:40 AM, Casey Stella <
>>>>>>>>>>>>>> cestella@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> In that case, then as Mike said, you can do that from Ambari
>>>>>>>>>>>>>>> via the service actions -> deploy the kibana dashboard.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Nov 14, 2017 at 2:32 PM, Syed Hammad Tahir <
>>>>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I don't need to replay anything, I just need the kibana
>>>>>>>>>>>>>>>> dashboard back so I can feed the snort logs from scratch.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Wed, Nov 15, 2017 at 12:13 AM, Michael Miklavcic <
>>>>>>>>>>>>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> If you just need the dashboard, go to the Kibana service
>>>>>>>>>>>>>>>>> in Ambari, click on Service Actions and choose the option to deploy the
>>>>>>>>>>>>>>>>> Kibana Dashboard. If you need to recover all of your index data, you might
>>>>>>>>>>>>>>>>> look at this [1]. Another option, if you're able in this environment, is to
>>>>>>>>>>>>>>>>> replay all the data from Kafka. Restart your indexing topology with the
>>>>>>>>>>>>>>>>> option for kafka.start set to EARLIEST in elasticsearch.properties. Be
>>>>>>>>>>>>>>>>> careful with this if you have a lot of data as it will replay *everything*
>>>>>>>>>>>>>>>>> in your indexing topic.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> elasticsearch.properties
>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>> # One of EARLIEST, LATEST, UNCOMMITTED_EARLIEST, UNCOMMITTED_LATEST
>>>>>>>>>>>>>>>>> kafka.start=UNCOMMITTED_EARLIEST
>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> 1. https://stackoverflow.com/questions/36573257/recover-accidentally-deleted-index-without-snapshot
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Best,
>>>>>>>>>>>>>>>>> Mike Miklavcic
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Tue, Nov 14, 2017 at 11:29 AM, Syed Hammad Tahir <
>>>>>>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Help guys.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Tue, Nov 14, 2017 at 3:26 PM, Syed Hammad Tahir <
>>>>>>>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi guys, I have accidentally deleted all the
>>>>>>>>>>>>>>>>>>> elasticsearch data,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> [image: Inline image 1]
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> And now the kibana dashboard is gone.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> [image: Inline image 2]
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Am I completely fu**d here or can I still do something
>>>>>>>>>>>>>>>>>>> to bring it back?

Re: Kibana dashboard gone

Posted by Syed Hammad Tahir <ms...@itu.edu.pk>.
I am not sure as well. When I do kafka topic list then all the topics are
listing as usual. When I start a sensor stub from monit then I am unable to
see any data in kafka consumer on any given topic.

On Wed, Nov 15, 2017 at 12:37 PM, Michael Miklavcic <
michael.miklavcic@gmail.com> wrote:

> But also, you might consider deleting your queues and recreating them
> again bc I'm not clear on the implications of deleting from the local file
> system. Kafka might not like that much, but I'm honestly not sure.
>
> On Nov 15, 2017 12:35 AM, "Michael Miklavcic" <mi...@gmail.com>
> wrote:
>
>> Can you walk through checking your queues from parsers, to enrichment, to
>> indexing? Also look into your logs for each step as well. We need to find
>> where the data is getting hung up before we figure out what to do about it.
>>
>> On Nov 15, 2017 12:32 AM, "Syed Hammad Tahir" <ms...@itu.edu.pk>
>> wrote:
>>
>>> I just deleted data from /data1/kafka-logs.
>>>
>>> I didn't delete the kafka topics or anything. What should I do now?
>>>
>>> On Wed, Nov 15, 2017 at 12:29 PM, Michael Miklavcic <
>>> michael.miklavcic@gmail.com> wrote:
>>>
>>>> Yeah, don't delete the queues! Recreate those and I think you should
>>>> start to see data again in ES.
>>>>
>>>> On Nov 15, 2017 12:26 AM, "Syed Hammad Tahir" <ms...@itu.edu.pk>
>>>> wrote:
>>>>
>>>>> Here is what my indices look like in ES:
>>>>>
>>>>> [image: Inline image 1]
>>>>>
>>>>> [image: Inline image 2]
>>>>>
>>>>> And nothing is accumulating in kafka indexing queue, I deleted the
>>>>> existing queues earlier though. Thought that it was just data that was
>>>>> pushed earlier.
>>>>>
>>>>> [image: Inline image 3]
>>>>>
>>>>>
>>>>> On Wed, Nov 15, 2017 at 11:54 AM, Michael Miklavcic <
>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>
>>>>>> What do your indexes look like? Do they exist? Do they have data? How
>>>>>> about the "indexing" Kafka queue, is it continuing to grow with new records?
>>>>>>
>>>>>> On Nov 14, 2017 10:49 PM, "Syed Hammad Tahir" <ms...@itu.edu.pk>
>>>>>> wrote:
>>>>>>
>>>>>>> Still facing this issue. Sensor stub is up and running but can't see
>>>>>>> anything in kibana
>>>>>>>
>>>>>>> [image: Inline image 1]
>>>>>>>
>>>>>>> [image: Inline image 2]
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Nov 15, 2017 at 1:21 AM, Syed Hammad Tahir <
>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>
>>>>>>>> Nope, no exceptions here
>>>>>>>>
>>>>>>>> [image: Inline image 1]
>>>>>>>>
>>>>>>>> On Wed, Nov 15, 2017 at 1:07 AM, Michael Miklavcic <
>>>>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Er, look under the Metron service.
>>>>>>>>>
>>>>>>>>> Also, now that I think about it, I don't think deleting the
>>>>>>>>> indexes will remove the templates. I'd look in your Storm logs for the
>>>>>>>>> indexing topology to see if there are any exceptions being thrown.
>>>>>>>>>
>>>>>>>>> On Tue, Nov 14, 2017 at 1:02 PM, Syed Hammad Tahir <
>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>
>>>>>>>>>> Anyway, can't re-deploy ES templates as I see this
>>>>>>>>>>
>>>>>>>>>> [image: Inline image 1]
>>>>>>>>>>
>>>>>>>>>> On Wed, Nov 15, 2017 at 12:59 AM, Syed Hammad Tahir <
>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>
>>>>>>>>>>> Explicit mappings?
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Nov 15, 2017 at 12:56 AM, Michael Miklavcic <
>>>>>>>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> You should also re-deploy the Elasticsearch templates - Go to
>>>>>>>>>>>> ES in Ambari -> Service Actions -> Install Templates. ES will automagically
>>>>>>>>>>>> map things, but it might cause problems without our explicit mappings.
>>>>>>>>>>>>
>>>>>>>>>>>> Cheers,
>>>>>>>>>>>> M
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Nov 14, 2017 at 12:41 PM, Syed Hammad Tahir <
>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Did that, but I can't see the sensor stub data coming to
>>>>>>>>>>>>> dashboard although the sensor stubs are up and running. Does it have
>>>>>>>>>>>>> something to do with the deleted indices from elastic search?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Nov 15, 2017 at 12:40 AM, Casey Stella <
>>>>>>>>>>>>> cestella@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> In that case, then as Mike said, you can do that from Ambari
>>>>>>>>>>>>>> via the service actions -> deploy the kibana dashboard.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Nov 14, 2017 at 2:32 PM, Syed Hammad Tahir <
>>>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I don't need to replay anything, I just need the kibana
>>>>>>>>>>>>>>> dashboard back so I can feed the snort logs from scratch.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Wed, Nov 15, 2017 at 12:13 AM, Michael Miklavcic <
>>>>>>>>>>>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If you just need the dashboard, go to the Kibana service in
>>>>>>>>>>>>>>>> Ambari, click on Service Actions and choose the option to deploy the Kibana
>>>>>>>>>>>>>>>> Dashboard. If you need to recover all of your index data, you might look at
>>>>>>>>>>>>>>>> this [1]. Another option, if you're able in this environment, is to replay
>>>>>>>>>>>>>>>> all the data from Kafka. Restart your indexing topology with the option for
>>>>>>>>>>>>>>>> kafka.start set to EARLIEST in elasticsearch.properties. Be careful with
>>>>>>>>>>>>>>>> this if you have a lot of data as it will replay *everything* in your
>>>>>>>>>>>>>>>> indexing topic.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> elasticsearch.properties
>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>> # One of EARLIEST, LATEST, UNCOMMITTED_EARLIEST, UNCOMMITTED_LATEST
>>>>>>>>>>>>>>>> kafka.start=UNCOMMITTED_EARLIEST
>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 1. https://stackoverflow.com/questions/36573257/recover-accidentally-deleted-index-without-snapshot
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Best,
>>>>>>>>>>>>>>>> Mike Miklavcic
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Tue, Nov 14, 2017 at 11:29 AM, Syed Hammad Tahir <
>>>>>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Help guys.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Tue, Nov 14, 2017 at 3:26 PM, Syed Hammad Tahir <
>>>>>>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi guys, I have accidentally deleted all the
>>>>>>>>>>>>>>>>>> elasticsearch data,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> [image: Inline image 1]
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> And now the kibana dashboard is gone.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> [image: Inline image 2]
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Am I completely fu**d here or can I still do something to
>>>>>>>>>>>>>>>>>> bring it back?

Re: Kibana dashboard gone

Posted by Michael Miklavcic <mi...@gmail.com>.
But also, you might consider deleting your queues and recreating them again
bc I'm not clear on the implications of deleting from the local file
system. Kafka might not like that much, but I'm honestly not sure.

On Nov 15, 2017 12:35 AM, "Michael Miklavcic" <mi...@gmail.com>
wrote:

> Can you walk through checking your queues from parsers, to enrichment, to
> indexing? Also look into your logs for each step as well. We need to find
> where the data is getting hung up before we figure out what to do about it.
>
> On Nov 15, 2017 12:32 AM, "Syed Hammad Tahir" <ms...@itu.edu.pk>
> wrote:
>
>> I just deleted data from /data1/kafka-logs.
>>
>> I didn't delete the kafka topics or anything. What should I do now?
>>
>> On Wed, Nov 15, 2017 at 12:29 PM, Michael Miklavcic <
>> michael.miklavcic@gmail.com> wrote:
>>
>>> Yeah, don't delete the queues! Recreate those and I think you should
>>> start to see data again in ES.
>>>
>>> On Nov 15, 2017 12:26 AM, "Syed Hammad Tahir" <ms...@itu.edu.pk>
>>> wrote:
>>>
>>>> Here is what my indices look like in ES:
>>>>
>>>> [image: Inline image 1]
>>>>
>>>> [image: Inline image 2]
>>>>
>>>> And nothing is accumulating in kafka indexing queue, I deleted the
>>>> existing queues earlier though. Thought that it was just data that was
>>>> pushed earlier.
>>>>
>>>> [image: Inline image 3]
>>>>
>>>>
>>>> On Wed, Nov 15, 2017 at 11:54 AM, Michael Miklavcic <
>>>> michael.miklavcic@gmail.com> wrote:
>>>>
>>>>> What do your indexes look like? Do they exist? Do they have data? How
>>>>> about the "indexing" Kafka queue, is it continuing to grow with new records?
>>>>>
>>>>> On Nov 14, 2017 10:49 PM, "Syed Hammad Tahir" <ms...@itu.edu.pk>
>>>>> wrote:
>>>>>
>>>>>> Still facing this issue. Sensor stub is up and running but can't see
>>>>>> anything in kibana
>>>>>>
>>>>>> [image: Inline image 1]
>>>>>>
>>>>>> [image: Inline image 2]
>>>>>>
>>>>>>
>>>>>> On Wed, Nov 15, 2017 at 1:21 AM, Syed Hammad Tahir <
>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>
>>>>>>> Nope, no exceptions here
>>>>>>>
>>>>>>> [image: Inline image 1]
>>>>>>>
>>>>>>> On Wed, Nov 15, 2017 at 1:07 AM, Michael Miklavcic <
>>>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>>>
>>>>>>>> Er, look under the Metron service.
>>>>>>>>
>>>>>>>> Also, now that I think about it, I don't think deleting the indexes
>>>>>>>> will remove the templates. I'd look in your Storm logs for the indexing
>>>>>>>> topology to see if there are any exceptions being thrown.
>>>>>>>>
>>>>>>>> On Tue, Nov 14, 2017 at 1:02 PM, Syed Hammad Tahir <
>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>
>>>>>>>>> Anyway, can't re-deploy ES templates as I see this
>>>>>>>>>
>>>>>>>>> [image: Inline image 1]
>>>>>>>>>
>>>>>>>>> On Wed, Nov 15, 2017 at 12:59 AM, Syed Hammad Tahir <
>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>
>>>>>>>>>> Explicit mappings?
>>>>>>>>>>
>>>>>>>>>> On Wed, Nov 15, 2017 at 12:56 AM, Michael Miklavcic <
>>>>>>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> You should also re-deploy the Elasticsearch templates - Go to ES
>>>>>>>>>>> in Ambari -> Service Actions -> Install Templates. ES will automagically
>>>>>>>>>>> map things, but it might cause problems without our explicit mappings.
>>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>> M
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Nov 14, 2017 at 12:41 PM, Syed Hammad Tahir <
>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Did that, but I can't see the sensor stub data coming to
>>>>>>>>>>>> dashboard although the sensor stubs are up and running. Does it have
>>>>>>>>>>>> something to do with the deleted indices from elastic search?
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Nov 15, 2017 at 12:40 AM, Casey Stella <
>>>>>>>>>>>> cestella@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> In that case, then as Mike said, you can do that from Ambari
>>>>>>>>>>>>> via the service actions -> deploy the kibana dashboard.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Nov 14, 2017 at 2:32 PM, Syed Hammad Tahir <
>>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> I don't need to replay anything, I just need the kibana
>>>>>>>>>>>>>> dashboard back so I can feed the snort logs from scratch.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Wed, Nov 15, 2017 at 12:13 AM, Michael Miklavcic <
>>>>>>>>>>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If you just need the dashboard, go to the Kibana service in
>>>>>>>>>>>>>>> Ambari, click on Service Actions and choose the option to deploy the Kibana
>>>>>>>>>>>>>>> Dashboard. If you need to recover all of your index data, you might look at
>>>>>>>>>>>>>>> this [1]. Another option, if you're able in this environment, is to replay
>>>>>>>>>>>>>>> all the data from Kafka. Restart your indexing topology with the option for
>>>>>>>>>>>>>>> kafka.start set to EARLIEST in elasticsearch.properties. Be careful with
>>>>>>>>>>>>>>> this if you have a lot of data as it will replay *everything* in your
>>>>>>>>>>>>>>> indexing topic.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> elasticsearch.properties
>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>> # One of EARLIEST, LATEST, UNCOMMITTED_EARLIEST, UNCOMMITTED_LATEST
>>>>>>>>>>>>>>> kafka.start=UNCOMMITTED_EARLIEST
>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 1. https://stackoverflow.com/questions/36573257/recover-accidentally-deleted-index-without-snapshot
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Best,
>>>>>>>>>>>>>>> Mike Miklavcic
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Nov 14, 2017 at 11:29 AM, Syed Hammad Tahir <
>>>>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Help guys.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Tue, Nov 14, 2017 at 3:26 PM, Syed Hammad Tahir <
>>>>>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi guys, I have accidentally deleted all the elasticsearch
>>>>>>>>>>>>>>>>> data,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> [image: Inline image 1]
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> And now the kibana dashboard is gone.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> [image: Inline image 2]
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Am I completely fu**d here or can I still do something to
>>>>>>>>>>>>>>>>> bring it back?

Re: Kibana dashboard gone

Posted by Michael Miklavcic <mi...@gmail.com>.
Can you walk through checking your queues from parsers, to enrichment, to
indexing? Also look into your logs for each step as well. We need to find
where the data is getting hung up before we figure out what to do about it.

On Nov 15, 2017 12:32 AM, "Syed Hammad Tahir" <ms...@itu.edu.pk> wrote:

> I just deleted data from /data1/kafka-logs.
>
> I didn't delete the kafka topics or anything. What should I do now?
>
> On Wed, Nov 15, 2017 at 12:29 PM, Michael Miklavcic <
> michael.miklavcic@gmail.com> wrote:
>
>> Yeah, don't delete the queues! Recreate those and I think you should
>> start to see data again in ES.
>>
>> On Nov 15, 2017 12:26 AM, "Syed Hammad Tahir" <ms...@itu.edu.pk>
>> wrote:
>>
>>> Here is what my indices look like in ES:
>>>
>>> [image: Inline image 1]
>>>
>>> [image: Inline image 2]
>>>
>>> And nothing is accumulating in kafka indexing queue, I deleted the
>>> existing queues earlier though. Thought that it was just data that was
>>> pushed earlier.
>>>
>>> [image: Inline image 3]
>>>
>>>
>>> On Wed, Nov 15, 2017 at 11:54 AM, Michael Miklavcic <
>>> michael.miklavcic@gmail.com> wrote:
>>>
>>>> What do your indexes look like? Do they exist? Do they have data? How
>>>> about the "indexing" Kafka queue, is it continuing to grow with new records?
>>>>
>>>> On Nov 14, 2017 10:49 PM, "Syed Hammad Tahir" <ms...@itu.edu.pk>
>>>> wrote:
>>>>
>>>>> Still facing this issue. Sensor stub is up and running but can't see
>>>>> anything in kibana
>>>>>
>>>>> [image: Inline image 1]
>>>>>
>>>>> [image: Inline image 2]
>>>>>
>>>>>
>>>>> On Wed, Nov 15, 2017 at 1:21 AM, Syed Hammad Tahir <
>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>
>>>>>> Nope, no exceptions here
>>>>>>
>>>>>> [image: Inline image 1]
>>>>>>
>>>>>> On Wed, Nov 15, 2017 at 1:07 AM, Michael Miklavcic <
>>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>>
>>>>>>> Er, look under the Metron service.
>>>>>>>
>>>>>>> Also, now that I think about it, I don't think deleting the indexes
>>>>>>> will remove the templates. I'd look in your Storm logs for the indexing
>>>>>>> topology to see if there are any exceptions being thrown.
>>>>>>>
>>>>>>> On Tue, Nov 14, 2017 at 1:02 PM, Syed Hammad Tahir <
>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>
>>>>>>>> Anyway, can't re-deploy ES templates as I see this
>>>>>>>>
>>>>>>>> [image: Inline image 1]
>>>>>>>>
>>>>>>>> On Wed, Nov 15, 2017 at 12:59 AM, Syed Hammad Tahir <
>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>
>>>>>>>>> Explicit mappings?
>>>>>>>>>
>>>>>>>>> On Wed, Nov 15, 2017 at 12:56 AM, Michael Miklavcic <
>>>>>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> You should also re-deploy the Elasticsearch templates - Go to ES
>>>>>>>>>> in Ambari -> Service Actions -> Install Templates. ES will automagically
>>>>>>>>>> map things, but it might cause problems without our explicit mappings.
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>> M
>>>>>>>>>>
>>>>>>>>>> On Tue, Nov 14, 2017 at 12:41 PM, Syed Hammad Tahir <
>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>
>>>>>>>>>>> Did that, but I can't see the sensor stub data coming to
>>>>>>>>>>> dashboard although the sensor stubs are up and running. Does it have
>>>>>>>>>>> something to do with the deleted indices from elastic search?
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Nov 15, 2017 at 12:40 AM, Casey Stella <
>>>>>>>>>>> cestella@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> In that case, then as Mike said, you can do that from Ambari
>>>>>>>>>>>> via the service actions -> deploy the kibana dashboard.
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Nov 14, 2017 at 2:32 PM, Syed Hammad Tahir <
>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> I don't need to replay anything, I just need the kibana
>>>>>>>>>>>>> dashboard back so I can feed the snort logs from scratch.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Nov 15, 2017 at 12:13 AM, Michael Miklavcic <
>>>>>>>>>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> If you just need the dashboard, go to the Kibana service in
>>>>>>>>>>>>>> Ambari, click on Service Actions and choose the option to deploy the Kibana
>>>>>>>>>>>>>> Dashboard. If you need to recover all of your index data, you might look at
>>>>>>>>>>>>>> this [1]. Another option, if you're able in this environment, is to replay
>>>>>>>>>>>>>> all the data from Kafka. Restart your indexing topology with the option for
>>>>>>>>>>>>>> kafka.start set to EARLIEST in elasticsearch.properties. Be careful with
>>>>>>>>>>>>>> this if you have a lot of data as it will replay *everything* in your
>>>>>>>>>>>>>> indexing topic.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> elasticsearch.properties
>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>> # One of EARLIEST, LATEST, UNCOMMITTED_EARLIEST, UNCOMMITTED_LATEST
>>>>>>>>>>>>>> kafka.start=UNCOMMITTED_EARLIEST
>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 1. https://stackoverflow.com/questions/36573257/recover-accidentally-deleted-index-without-snapshot
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Best,
>>>>>>>>>>>>>> Mike Miklavcic
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Nov 14, 2017 at 11:29 AM, Syed Hammad Tahir <
>>>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Help guys.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Nov 14, 2017 at 3:26 PM, Syed Hammad Tahir <
>>>>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi guys, I have accidentally deleted all the elasticsearch
>>>>>>>>>>>>>>>> data,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [image: Inline image 1]
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> And now the kibana dashboard is gone.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [image: Inline image 2]
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Am I completely fu**d here or can I still do something to
>>>>>>>>>>>>>>>> bring it back?
>
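
One way to do the queue walk-through suggested in the reply above (parsers, then enrichment, then indexing), as an added example that is not from the thread or the Metron project. It compares two snapshots of Kafka end offsets in the `topic:partition:offset` form printed by `kafka.tools.GetOffsetShell`; the topic names `snort`, `enrichments` and `indexing`, the function names and the sample numbers are assumptions.

```shell
#!/usr/bin/env bash
# Added example: find the first Kafka topic, in pipeline order, that has
# stopped receiving records. A snapshot file holds one "topic:partition:offset"
# line per partition, e.g. collected per topic with
#   kafka-run-class.sh kafka.tools.GetOffsetShell --broker-list <broker:port> \
#       --topic <topic> --time -1
# Topic names used below are assumptions; substitute your own.

# Sum the end offsets of all partitions of one topic in a snapshot file.
# Prints "missing" when the topic has no line in the snapshot.
topic_total() {  # usage: topic_total <snapshot-file> <topic>
  awk -F: -v t="$2" '
    $1 == t { sum += $3; seen = 1 }
    END { if (seen) printf "%.0f\n", sum; else print "missing" }' "$1"
}

# Compare two snapshots taken some time apart. Prints "<topic>:missing" or
# "<topic>:stalled" for the first topic that is absent or did not grow,
# or "none" when every topic grew.
first_stalled_topic() {  # usage: first_stalled_topic <before> <after> <topic>...
  local before="$1" after="$2" t b a
  shift 2
  for t in "$@"; do
    b=$(topic_total "$before" "$t")
    a=$(topic_total "$after" "$t")
    if [ "$a" = "missing" ]; then
      echo "$t:missing"
      return 0
    fi
    if [ "$b" = "missing" ]; then
      b=0
    fi
    # An offset that shrank (for example after log segments were removed
    # on disk) is reported as stalled as well.
    if [ "$a" -le "$b" ]; then
      echo "$t:stalled"
      return 0
    fi
  done
  echo "none"
}

# Constructed sample snapshots (not taken from the cluster in this thread):
# the sensor topic grows, but nothing new reaches the enrichment topic.
demo() {
  local dir
  dir=$(mktemp -d)
  printf '%s\n' 'snort:0:1200' 'enrichments:0:1100' 'indexing:0:900' > "$dir/t0"
  printf '%s\n' 'snort:0:1350' 'enrichments:0:1100' 'indexing:0:900' > "$dir/t1"
  first_stalled_topic "$dir/t0" "$dir/t1" snort enrichments indexing
  rm -rf "$dir"
}

demo
```

The first topic reported is where to start reading logs: the topology that writes to it is the one that has stopped producing.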

Re: Kibana dashboard gone

Posted by Syed Hammad Tahir <ms...@itu.edu.pk>.
I just deleted data from /data1/kafka-logs.

I didn't delete the kafka topics or anything. What should I do now?

On Wed, Nov 15, 2017 at 12:29 PM, Michael Miklavcic <
michael.miklavcic@gmail.com> wrote:

> Yeah, don't delete the queues! Recreate those and I think you should start
> to see data again in ES.
>
> On Nov 15, 2017 12:26 AM, "Syed Hammad Tahir" <ms...@itu.edu.pk>
> wrote:
>
>> Here is what my indices look like in ES:
>>
>> [image: Inline image 1]
>>
>> [image: Inline image 2]
>>
>> And nothing is accumulating in kafka indexing queue, I deleted the
>> existing queues earlier though. Thought that it was just data that was
>> pushed earlier.
>>
>> [image: Inline image 3]
>>
>>
>> On Wed, Nov 15, 2017 at 11:54 AM, Michael Miklavcic <
>> michael.miklavcic@gmail.com> wrote:
>>
>>> What do your indexes look like? Do they exist? Do they have data? How
>>> about the "indexing" Kafka queue, is it continuing to grow with new records?
>>>
>>> On Nov 14, 2017 10:49 PM, "Syed Hammad Tahir" <ms...@itu.edu.pk>
>>> wrote:
>>>
>>>> Still facing this issue. Sensor stub is up and running but can't see
>>>> anything in kibana
>>>>
>>>> [image: Inline image 1]
>>>>
>>>> [image: Inline image 2]
>>>>
>>>>
>>>> On Wed, Nov 15, 2017 at 1:21 AM, Syed Hammad Tahir <
>>>> mscs16059@itu.edu.pk> wrote:
>>>>
>>>>> Nope, no exceptions here
>>>>>
>>>>> [image: Inline image 1]
>>>>>
>>>>> On Wed, Nov 15, 2017 at 1:07 AM, Michael Miklavcic <
>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>
>>>>>> Er, look under the Metron service.
>>>>>>
>>>>>> Also, now that I think about it, I don't think deleting the indexes
>>>>>> will remove the templates. I'd look in your Storm logs for the indexing
>>>>>> topology to see if there are any exceptions being thrown.
>>>>>>
>>>>>> On Tue, Nov 14, 2017 at 1:02 PM, Syed Hammad Tahir <
>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>
>>>>>>> Anyway, can't re-deploy ES templates as I see this
>>>>>>>
>>>>>>> [image: Inline image 1]
>>>>>>>
>>>>>>> On Wed, Nov 15, 2017 at 12:59 AM, Syed Hammad Tahir <
>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>
>>>>>>>> Explicit mappings?
>>>>>>>>
>>>>>>>> On Wed, Nov 15, 2017 at 12:56 AM, Michael Miklavcic <
>>>>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> You should also re-deploy the Elasticsearch templates - Go to ES
>>>>>>>>> in Ambari -> Service Actions -> Install Templates. ES will automagically
>>>>>>>>> map things, but it might cause problems without our explicit mappings.
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> M
>>>>>>>>>
>>>>>>>>> On Tue, Nov 14, 2017 at 12:41 PM, Syed Hammad Tahir <
>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>
>>>>>>>>>> Did that, but I can't see the sensor stub data coming to dashboard
>>>>>>>>>> although the sensor stubs are up and running. Does it have something to do
>>>>>>>>>> with the deleted indices from elastic search?
>>>>>>>>>>
>>>>>>>>>> On Wed, Nov 15, 2017 at 12:40 AM, Casey Stella <
>>>>>>>>>> cestella@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> In that case, then as Mike said, you can do that from Ambari via
>>>>>>>>>>> the service actions -> deploy the kibana dashboard.
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Nov 14, 2017 at 2:32 PM, Syed Hammad Tahir <
>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I don't need to replay anything, I just need the kibana
>>>>>>>>>>>> dashboard back so I can feed the snort logs from scratch.
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Nov 15, 2017 at 12:13 AM, Michael Miklavcic <
>>>>>>>>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> If you just need the dashboard, go to the Kibana service in
>>>>>>>>>>>>> Ambari, click on Service Actions and choose the option to deploy the Kibana
>>>>>>>>>>>>> Dashboard. If you need to recover all of your index data, you might look at
>>>>>>>>>>>>> this [1]. Another option, if you're able in this environment, is to replay
>>>>>>>>>>>>> all the data from Kafka. Restart your indexing topology with the option for
>>>>>>>>>>>>> kafka.start set to EARLIEST in elasticsearch.properties. Be careful with
>>>>>>>>>>>>> this if you have a lot of data as it will replay *everything* in your
>>>>>>>>>>>>> indexing topic.
>>>>>>>>>>>>>
>>>>>>>>>>>>> elasticsearch.properties
>>>>>>>>>>>>> ...
>>>>>>>>>>>>> # One of EARLIEST, LATEST, UNCOMMITTED_EARLIEST, UNCOMMITTED_LATEST
>>>>>>>>>>>>> kafka.start=UNCOMMITTED_EARLIEST
>>>>>>>>>>>>> ...
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1. https://stackoverflow.com/questions/36573257/recover-accidentally-deleted-index-without-snapshot
>>>>>>>>>>>>>
>>>>>>>>>>>>> Best,
>>>>>>>>>>>>> Mike Miklavcic
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Nov 14, 2017 at 11:29 AM, Syed Hammad Tahir <
>>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Help guys.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Nov 14, 2017 at 3:26 PM, Syed Hammad Tahir <
>>>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi guys, I have accidentally deleted all the elasticsearch
>>>>>>>>>>>>>>> data,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [image: Inline image 1]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> And now the kibana dashboard is gone.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [image: Inline image 2]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Am I completely fu**d here or can I still do something to
>>>>>>>>>>>>>>> bring it back?

Re: Kibana dashboard gone

Posted by Michael Miklavcic <mi...@gmail.com>.
Yeah, don't delete the queues! Recreate those and I think you should start
to see data again in ES.

On Nov 15, 2017 12:26 AM, "Syed Hammad Tahir" <ms...@itu.edu.pk> wrote:

> Here is what my indices look like in ES:
>
> [image: Inline image 1]
>
> [image: Inline image 2]
>
> And nothing is accumulating in kafka indexing queue, I deleted the
> existing queues earlier though. Thought that it was just data that was
> pushed earlier.
>
> [image: Inline image 3]
>
>
> On Wed, Nov 15, 2017 at 11:54 AM, Michael Miklavcic <
> michael.miklavcic@gmail.com> wrote:
>
>> What do your indexes look like? Do they exist? Do they have data? How
>> about the "indexing" Kafka queue, is it continuing to grow with new records?
>>
>> On Nov 14, 2017 10:49 PM, "Syed Hammad Tahir" <ms...@itu.edu.pk>
>> wrote:
>>
>>> Still facing this issue. Sensor stub is up and running but can't see
>>> anything in kibana
>>>
>>> [image: Inline image 1]
>>>
>>> [image: Inline image 2]
>>>
>>>
>>> On Wed, Nov 15, 2017 at 1:21 AM, Syed Hammad Tahir <
>>> mscs16059@itu.edu.pk> wrote:
>>>
>>>> Nope, no exceptions here
>>>>
>>>> [image: Inline image 1]
>>>>
>>>> On Wed, Nov 15, 2017 at 1:07 AM, Michael Miklavcic <
>>>> michael.miklavcic@gmail.com> wrote:
>>>>
>>>>> Er, look under the Metron service.
>>>>>
>>>>> Also, now that I think about it, I don't think deleting the indexes
>>>>> will remove the templates. I'd look in your Storm logs for the indexing
>>>>> topology to see if there are any exceptions being thrown.
>>>>>
>>>>> On Tue, Nov 14, 2017 at 1:02 PM, Syed Hammad Tahir <
>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>
>>>>>> Anyway, can't re-deploy ES templates as I see this
>>>>>>
>>>>>> [image: Inline image 1]
>>>>>>
>>>>>> On Wed, Nov 15, 2017 at 12:59 AM, Syed Hammad Tahir <
>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>
>>>>>>> Explicit mappings?
>>>>>>>
>>>>>>> On Wed, Nov 15, 2017 at 12:56 AM, Michael Miklavcic <
>>>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>>>
>>>>>>>> You should also re-deploy the Elasticsearch templates - Go to ES in
>>>>>>>> Ambari -> Service Actions -> Install Templates. ES will automagically map
>>>>>>>> things, but it might cause problems without our explicit mappings.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> M
>>>>>>>>
>>>>>>>> On Tue, Nov 14, 2017 at 12:41 PM, Syed Hammad Tahir <
>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>
>>>>>>>>> Did that, but I can't see the sensor stub data coming to dashboard
>>>>>>>>> although the sensor stubs are up and running. Does it have something to do
>>>>>>>>> with the deleted indices from elastic search?
>>>>>>>>>
>>>>>>>>> On Wed, Nov 15, 2017 at 12:40 AM, Casey Stella <
>>>>>>>>> cestella@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> In that case, then as Mike said, you can do that from Ambari via
>>>>>>>>>> the service actions -> deploy the kibana dashboard.
>>>>>>>>>>
>>>>>>>>>> On Tue, Nov 14, 2017 at 2:32 PM, Syed Hammad Tahir <
>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>
>>>>>>>>>>> I dont need to replay anything, I just need the kibana dashboard
>>>>>>>>>>> back so I can feed the snort logs from scratch.
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Nov 15, 2017 at 12:13 AM, Michael Miklavcic <
>>>>>>>>>>> michael.miklavcic@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> If you just need the dashboard, go to the Kibana service in
>>>>>>>>>>>> Ambari, click on Service Actions and choose the option to deploy the Kibana
>>>>>>>>>>>> Dashboard. If you need to recover all of your index data, you might look at
>>>>>>>>>>>> this [1]. Another option, if you're able in this environment, is to replay
>>>>>>>>>>>> all the data from Kafka. Restart your indexing topology with the option for
>>>>>>>>>>>> kafka.start set to EARLIEST in elasticsearch.properties. Be careful with
>>>>>>>>>>>> this if you have a lot of data as it will replay *everything* in your
>>>>>>>>>>>> indexing topic.
>>>>>>>>>>>>
>>>>>>>>>>>> elasticsearch.properties
>>>>>>>>>>>> ...
>>>>>>>>>>>> # One of EARLIEST, LATEST, UNCOMMITTED_EARLIEST,
>>>>>>>>>>>> UNCOMMITTED_LATEST
>>>>>>>>>>>> kafka.start=UNCOMMITTED_EARLIEST
>>>>>>>>>>>> ...
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> 1. https://stackoverflow.com/questions/36573257/recover-acci
>>>>>>>>>>>> dentally-deleted-index-without-snapshot
>>>>>>>>>>>>
>>>>>>>>>>>> Best,
>>>>>>>>>>>> Mike Miklavcic
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Nov 14, 2017 at 11:29 AM, Syed Hammad Tahir <
>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Help guys .
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Nov 14, 2017 at 3:26 PM, Syed Hammad Tahir <
>>>>>>>>>>>>> mscs16059@itu.edu.pk> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi guys, I have accidentally deleted all the elasticsearch
>>>>>>>>>>>>>> data,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [image: Inline image 1]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> And Now the kibana dashboard is gone.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [image: Inline image 2]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Am I completely fu**d here or can I still do something to
>>>>>>>>>>>>>> bring it back.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>

Re: Kibana dashboard gone

Posted by Syed Hammad Tahir <ms...@itu.edu.pk>.
Here is what my indices look like in ES:

[image: Inline image 1]

[image: Inline image 2]

And nothing is accumulating in Kafka indexing queue, I deleted the existing
queues earlier though. Thought that it was just data that was pushed
earlier.

[image: Inline image 3]


On Wed, Nov 15, 2017 at 11:54 AM, Michael Miklavcic <
michael.miklavcic@gmail.com> wrote:

> What do your indexes look like? Do they exist? Do they have data? How
> about the "indexing" Kafka queue, is it continuing to grow with new records?

Re: Kibana dashboard gone

Posted by Michael Miklavcic <mi...@gmail.com>.
What do your indexes look like? Do they exist? Do they have data? How about
the "indexing" Kafka queue, is it continuing to grow with new records?

On Nov 14, 2017 10:49 PM, "Syed Hammad Tahir" <ms...@itu.edu.pk> wrote:

> Still facing this issue. Sensor stub is up and running but can't see
> anything in Kibana
>
> [image: Inline image 1]
>
> [image: Inline image 2]
>
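
The checks asked for in the message above (do the indices exist, do they hold data, is the "indexing" Kafka topic still growing) can be combined into one triage step. This is an added example, not code from the thread or from Metron; the sample outputs are constructed, and the `<sensor>_index_` naming and the finding codes are assumptions.

```python
# Added example: triage for "sensor stubs are running but Kibana shows nothing".
# All index names, counts and offsets below are constructed sample data.

# Constructed output of: curl -s 'http://<es-host>:9200/_cat/indices?v'
CAT_INDICES = """\
health status index                     pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana                     1   0          8            0     41.2kb         41.2kb
yellow open   snort_index_2017.11.15.06   5   1          0            0       795b           795b
"""

# Constructed output of two runs, about a minute apart, of:
#   kafka-run-class.sh kafka.tools.GetOffsetShell --broker-list <broker:port> \
#       --topic indexing --time -1
OFFSETS_FIRST = "indexing:0:48213\n"
OFFSETS_SECOND = "indexing:0:48213\n"

# Next steps; the Ambari and Storm ones are those suggested in the thread.
ADVICE = {
    "dashboard-missing": "Ambari -> Kibana -> Service Actions -> deploy the Kibana dashboard",
    "topic-missing": "the topic reports no partitions; confirm it exists on the brokers",
    "topic-reset": "offsets went backwards; the topic was deleted and recreated",
    "topic-idle": "nothing new reaches the topic; the gap is upstream of indexing",
    "not-indexed": "check the Storm logs of the indexing topology for exceptions "
                   "and re-install the ES templates from Ambari",
    "flowing": "records arrive and the indices hold documents; look at the Kibana side",
}


def parse_cat_indices(text):
    """Map index name -> docs.count, locating columns by the header row."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    if not rows or "index" not in rows[0] or "docs.count" not in rows[0]:
        raise ValueError("need _cat/indices output with its header row (?v)")
    header = rows[0]
    name_col, count_col = header.index("index"), header.index("docs.count")
    counts = {}
    for fields in rows[1:]:
        # Closed or unassigned indices print blank columns; skip them rather
        # than read a shifted field as the document count.
        if len(fields) != len(header) or not fields[count_col].isdigit():
            continue
        counts[fields[name_col]] = int(fields[count_col])
    return counts


def parse_offsets(text, topic):
    """Map partition -> latest offset from 'topic:partition:offset' lines."""
    offsets = {}
    for line in text.splitlines():
        parts = line.strip().rsplit(":", 2)
        if (len(parts) == 3 and parts[0] == topic
                and parts[1].isdigit() and parts[2].isdigit()):
            offsets[int(parts[1])] = int(parts[2])
    return offsets


def triage(cat_indices, offsets_first, offsets_second, sensors, topic="indexing"):
    """Return finding codes, working from the storage layer back to the sensors."""
    docs = parse_cat_indices(cat_indices)
    first = parse_offsets(offsets_first, topic)
    second = parse_offsets(offsets_second, topic)
    findings = []

    # Kibana keeps its saved dashboards in the .kibana index, so deleting
    # every index removes them along with the telemetry.
    if ".kibana" not in docs:
        findings.append("dashboard-missing")

    if not second:
        return findings + ["topic-missing"]
    if any(second[p] < first.get(p, 0) for p in second):
        return findings + ["topic-reset"]
    if sum(second[p] - first.get(p, 0) for p in second) == 0:
        return findings + ["topic-idle"]

    # The topic is growing, so every sensor should have documents indexed.
    for sensor in sensors:
        prefix = sensor + "_index_"  # assumed index naming convention
        if sum(n for name, n in docs.items() if name.startswith(prefix)) == 0:
            findings.append("not-indexed:" + sensor)
    return findings or ["flowing"]


if __name__ == "__main__":
    for code in triage(CAT_INDICES, OFFSETS_FIRST, OFFSETS_SECOND, ["snort"]):
        print(code, "->", ADVICE[code.split(":")[0]])
```
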

Re: Kibana dashboard gone

Posted by Syed Hammad Tahir <ms...@itu.edu.pk>.
Still facing this issue. Sensor stub is up and running but can't see
anything in Kibana

[image: Inline image 1]

[image: Inline image 2]


On Wed, Nov 15, 2017 at 1:21 AM, Syed Hammad Tahir <ms...@itu.edu.pk>
wrote:

> Nope, no exceptions here
>
> [image: Inline image 1]

Re: Kibana dashboard gone

Posted by Syed Hammad Tahir <ms...@itu.edu.pk>.
Nope, no exceptions here

[image: Inline image 1]

On Wed, Nov 15, 2017 at 1:07 AM, Michael Miklavcic <
michael.miklavcic@gmail.com> wrote:

> Er, look under the Metron service.
>
> Also, now that I think about it, I don't think deleting the indexes will
> remove the templates. I'd look in your Storm logs for the indexing topology
> to see if there are any exceptions being thrown.

Re: Kibana dashboard gone

Posted by Michael Miklavcic <mi...@gmail.com>.
Er, look under the Metron service.

Also, now that I think about it, I don't think deleting the indexes will
remove the templates. I'd look in your Storm logs for the indexing topology
to see if there are any exceptions being thrown.

On Tue, Nov 14, 2017 at 1:02 PM, Syed Hammad Tahir <ms...@itu.edu.pk>
wrote:

> Anyway, can't re-deploy ES templates as I see this
>
> [image: Inline image 1]

Re: Kibana dashboard gone

Posted by Syed Hammad Tahir <ms...@itu.edu.pk>.
Anyway, can't re-deploy ES templates as I see this

[image: Inline image 1]

On Wed, Nov 15, 2017 at 12:59 AM, Syed Hammad Tahir <ms...@itu.edu.pk>
wrote:

> Explicit mappings?

Re: Kibana dashboard gone

Posted by Syed Hammad Tahir <ms...@itu.edu.pk>.
Explicit mappings?

On Wed, Nov 15, 2017 at 12:56 AM, Michael Miklavcic <
michael.miklavcic@gmail.com> wrote:

> You should also re-deploy the Elasticsearch templates - Go to ES in Ambari
> -> Service Actions -> Install Templates. ES will automagically map things,
> but it might cause problems without our explicit mappings.
>
> Cheers,
> M

Re: Kibana dashboard gone

Posted by Michael Miklavcic <mi...@gmail.com>.
You should also re-deploy the Elasticsearch templates - Go to ES in Ambari
-> Service Actions -> Install Templates. ES will automagically map things,
but it might cause problems without our explicit mappings.

Cheers,
M

On Tue, Nov 14, 2017 at 12:41 PM, Syed Hammad Tahir <ms...@itu.edu.pk>
wrote:

> Did that, but I can't see the sensor stub data coming to dashboard although
> the sensor stubs are up and running. Does it have something to do with the
> deleted indices from Elasticsearch?

Re: Kibana dashboard gone

Posted by Syed Hammad Tahir <ms...@itu.edu.pk>.
Did that, but I can't see the sensor stub data coming to dashboard although
the sensor stubs are up and running. Does it have something to do with the
deleted indices from Elasticsearch?

On Wed, Nov 15, 2017 at 12:40 AM, Casey Stella <ce...@gmail.com> wrote:

> In that case, then as Mike said, you can do that from Ambari via the
> service actions -> deploy the Kibana dashboard.
>
> On Tue, Nov 14, 2017 at 2:32 PM, Syed Hammad Tahir <ms...@itu.edu.pk>
> wrote:
>
>> I dont need to replay anything, I just need the kibana dashboard back so
>> I can feed the snort logs from scratch.
>>
>> On Wed, Nov 15, 2017 at 12:13 AM, Michael Miklavcic <
>> michael.miklavcic@gmail.com> wrote:
>>
>>> If you just need the dashboard, go to the Kibana service in Ambari,
>>> click on Service Actions and choose the option to deploy the Kibana
>>> Dashboard. If you need to recover all of your index data, you might look at
>>> this [1]. Another option, if you're able in this environment, is to replay
>>> all the data from Kafka. Restart your indexing topology with the option for
>>> kafka.start set to EARLIEST in elasticsearch.properties. Be careful with
>>> this if you have a lot of data as it will replay *everything* in your
>>> indexing topic.
>>>
>>> elasticsearch.properties
>>> ...
>>> # One of EARLIEST, LATEST, UNCOMMITTED_EARLIEST, UNCOMMITTED_LATEST
>>> kafka.start=UNCOMMITTED_EARLIEST
>>> ...
>>>
>>>
>>> 1. https://stackoverflow.com/questions/36573257/recover-accidentally-deleted-index-without-snapshot
>>>
>>> Best,
>>> Mike Miklavcic
>>>
>>>
>>> On Tue, Nov 14, 2017 at 11:29 AM, Syed Hammad Tahir <
>>> mscs16059@itu.edu.pk> wrote:
>>>
>>>> Help guys.
>>>>
>>>> On Tue, Nov 14, 2017 at 3:26 PM, Syed Hammad Tahir <
>>>> mscs16059@itu.edu.pk> wrote:
>>>>
>>>>> Hi guys, I have accidentally deleted all the elasticsearch data,
>>>>>
>>>>> [image: Inline image 1]
>>>>>
>>>>> And now the Kibana dashboard is gone.
>>>>>
>>>>> [image: Inline image 2]
>>>>>
>>>>> Am I completely fu**d here or can I still do something to bring it
>>>>> back.
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>

Re: Kibana dashboard gone

Posted by Casey Stella <ce...@gmail.com>.
In that case, then as Mike said, you can do that from Ambari via the
service actions -> deploy the kibana dashboard.

On Tue, Nov 14, 2017 at 2:32 PM, Syed Hammad Tahir <ms...@itu.edu.pk>
wrote:

> I don't need to replay anything, I just need the kibana dashboard back so I
> can feed the snort logs from scratch.
>
> On Wed, Nov 15, 2017 at 12:13 AM, Michael Miklavcic <
> michael.miklavcic@gmail.com> wrote:
>
>> If you just need the dashboard, go to the Kibana service in Ambari, click
>> on Service Actions and choose the option to deploy the Kibana Dashboard. If
>> you need to recover all of your index data, you might look at this [1].
>> Another option, if you're able in this environment, is to replay all the
>> data from Kafka. Restart your indexing topology with the option for
>> kafka.start set to EARLIEST in elasticsearch.properties. Be careful with
>> this if you have a lot of data as it will replay *everything* in your
>> indexing topic.
>>
>> elasticsearch.properties
>> ...
>> # One of EARLIEST, LATEST, UNCOMMITTED_EARLIEST, UNCOMMITTED_LATEST
>> kafka.start=UNCOMMITTED_EARLIEST
>> ...
>>
>>
>> 1. https://stackoverflow.com/questions/36573257/recover-accidentally-deleted-index-without-snapshot
>>
>> Best,
>> Mike Miklavcic
>>
>>
>> On Tue, Nov 14, 2017 at 11:29 AM, Syed Hammad Tahir <mscs16059@itu.edu.pk>
>> wrote:
>>
>>> Help guys.
>>>
>>> On Tue, Nov 14, 2017 at 3:26 PM, Syed Hammad Tahir <mscs16059@itu.edu.pk>
>>> wrote:
>>>
>>>> Hi guys, I have accidentally deleted all the elasticsearch data,
>>>>
>>>> [image: Inline image 1]
>>>>
>>>> And now the Kibana dashboard is gone.
>>>>
>>>> [image: Inline image 2]
>>>>
>>>> Am I completely fu**d here or can I still do something to bring it back.
>>>>
>>>>
>>>>
>>>
>>
>

Re: Kibana dashboard gone

Posted by Syed Hammad Tahir <ms...@itu.edu.pk>.
I don't need to replay anything, I just need the kibana dashboard back so I
can feed the snort logs from scratch.

On Wed, Nov 15, 2017 at 12:13 AM, Michael Miklavcic <
michael.miklavcic@gmail.com> wrote:

> If you just need the dashboard, go to the Kibana service in Ambari, click
> on Service Actions and choose the option to deploy the Kibana Dashboard. If
> you need to recover all of your index data, you might look at this [1].
> Another option, if you're able in this environment, is to replay all the
> data from Kafka. Restart your indexing topology with the option for
> kafka.start set to EARLIEST in elasticsearch.properties. Be careful with
> this if you have a lot of data as it will replay *everything* in your
> indexing topic.
>
> elasticsearch.properties
> ...
> # One of EARLIEST, LATEST, UNCOMMITTED_EARLIEST, UNCOMMITTED_LATEST
> kafka.start=UNCOMMITTED_EARLIEST
> ...
>
>
> 1. https://stackoverflow.com/questions/36573257/recover-accidentally-deleted-index-without-snapshot
>
> Best,
> Mike Miklavcic
>
>
> On Tue, Nov 14, 2017 at 11:29 AM, Syed Hammad Tahir <ms...@itu.edu.pk>
> wrote:
>
>> Help guys.
>>
>> On Tue, Nov 14, 2017 at 3:26 PM, Syed Hammad Tahir <ms...@itu.edu.pk>
>> wrote:
>>
>>> Hi guys, I have accidentally deleted all the elasticsearch data,
>>>
>>> [image: Inline image 1]
>>>
>>> And now the Kibana dashboard is gone.
>>>
>>> [image: Inline image 2]
>>>
>>> Am I completely fu**d here or can I still do something to bring it back.
>>>
>>>
>>>
>>
>

Re: Kibana dashboard gone

Posted by Michael Miklavcic <mi...@gmail.com>.
If you just need the dashboard, go to the Kibana service in Ambari, click
on Service Actions and choose the option to deploy the Kibana Dashboard. If
you need to recover all of your index data, you might look at this [1].
Another option, if you're able in this environment, is to replay all the
data from Kafka. Restart your indexing topology with the option for
kafka.start set to EARLIEST in elasticsearch.properties. Be careful with
this if you have a lot of data as it will replay *everything* in your
indexing topic.

elasticsearch.properties
...
# One of EARLIEST, LATEST, UNCOMMITTED_EARLIEST, UNCOMMITTED_LATEST
kafka.start=UNCOMMITTED_EARLIEST
...


1. https://stackoverflow.com/questions/36573257/recover-accidentally-deleted-index-without-snapshot

Best,
Mike Miklavcic


On Tue, Nov 14, 2017 at 11:29 AM, Syed Hammad Tahir <ms...@itu.edu.pk>
wrote:

> Help guys.
>
> On Tue, Nov 14, 2017 at 3:26 PM, Syed Hammad Tahir <ms...@itu.edu.pk>
> wrote:
>
>> Hi guys, I have accidentally deleted all the elasticsearch data,
>>
>> [image: Inline image 1]
>>
>> And now the Kibana dashboard is gone.
>>
>> [image: Inline image 2]
>>
>> Am I completely fu**d here or can I still do something to bring it back.
>>
>>
>>
>
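
Added example (not part of the original message, and not Metron or Storm code): a small model of how the four kafka.start values listed above choose the first offset to read, used to estimate how many records an indexing topology would re-read after a restart. It assumes the values behave like the first-poll offset strategies of the same names in storm-kafka-client; the function names and the partition offsets are constructed for illustration.

```python
# Added illustration; not Metron or Storm code. All offsets below are constructed.
STRATEGIES = ("EARLIEST", "LATEST", "UNCOMMITTED_EARLIEST", "UNCOMMITTED_LATEST")

# (partition, log_start_offset, log_end_offset, committed_offset or None)
SAMPLE_INDEXING_TOPIC = [
    (0, 0, 120_000, 120_000),  # consumer group fully caught up
    (1, 0, 95_000, 94_000),    # consumer group 1,000 records behind
    (2, 500, 80_500, None),    # no committed offset for this consumer group
]


def first_poll_offset(strategy, log_start, log_end, committed=None):
    """Offset the consumer starts from when the topology is (re)started."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown kafka.start value: {strategy!r}")
    if log_start > log_end:
        raise ValueError("log_start must not exceed log_end")
    if committed is not None and not log_start <= committed <= log_end:
        # Out-of-range commits are handled by the consumer's reset policy,
        # which this sketch does not model.
        raise ValueError("committed offset outside the retained log")
    # UNCOMMITTED_* resumes from the committed offset when one exists ...
    if strategy.startswith("UNCOMMITTED_") and committed is not None:
        return committed
    # ... otherwise (and always for EARLIEST / LATEST) it falls back to an end.
    return log_start if strategy.endswith("EARLIEST") else log_end


def records_replayed(partitions, strategy):
    """Total records read from the topic's existing backlog under a strategy."""
    total = 0
    for _pid, log_start, log_end, committed in partitions:
        total += log_end - first_poll_offset(strategy, log_start, log_end, committed)
    return total


def replay_report(partitions):
    """Map each kafka.start value to the number of backlog records it reads."""
    return {s: records_replayed(partitions, s) for s in STRATEGIES}


if __name__ == "__main__":
    for strategy, count in replay_report(SAMPLE_INDEXING_TOPIC).items():
        print(f"kafka.start={strategy:<21} -> {count:>7} records read again")
```

With real numbers, the per-partition start, end and committed offsets would come from the Kafka consumer group tooling for the indexing topic.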

Re: Kibana dashboard gone

Posted by Syed Hammad Tahir <ms...@itu.edu.pk>.
Help guys.

On Tue, Nov 14, 2017 at 3:26 PM, Syed Hammad Tahir <ms...@itu.edu.pk>
wrote:

> Hi guys, I have accidentally deleted all the elasticsearch data,
>
> [image: Inline image 1]
>
> And now the Kibana dashboard is gone.
>
> [image: Inline image 2]
>
> Am I completely fu**d here or can I still do something to bring it back.
>
>
>