Missing Fields #675
-
|
I recently updated malcolm but I'm having some small problems with Arkime. As you can see from the screenshots it doesn't detect some fields and the views of suricata and
zeek are gone. How can I fix it? |
Beta Was this translation helpful? Give feedback.
Replies: 8 comments
-
|
Ummm... boy, I am not sure, I have not seen this before. Is it possible to |
Beta Was this translation helpful? Give feedback.
-
|
I performed the wipe but still gives the same result. Waiting for commands to remove arkime non-logs |
Beta Was this translation helpful? Give feedback.
-
|
Okay, so the wipe would have removed everything so somehow the initialization code that creates the Zeek/Macolm fields in Arkime isn't happening correctly. Let's try this:
So this is Malcolm v24.04.1, correct? Are you using its embedded OpenSearch instance or a remote OpenSearch or Elasticsearch instance? |
Beta Was this translation helpful? Give feedback.
-
|
yes I am using malcolm 24.04.1 with remote Elasticsearch Instance but I am not using Hedgehog . I will do all the steps tomorrow. in the meantime thanks |
Beta Was this translation helpful? Give feedback.
-
|
Ah the with remote elasticsearch instance the wipe won't quite have the same effect. we'll have to delete some indices manually. Hold off on doing anything for now, I'll try to help put together some commands you can do so we can reinitialize. |
Beta Was this translation helpful? Give feedback.
-
I await the commands for elasticsearch |
Beta Was this translation helpful? Give feedback.
-
|
Rather than doing it from the command line, probably the safest way to do this would be to:
Otherwise, use the elasticsearch DELETE api to delete the arkime* indices. |
Beta Was this translation helpful? Give feedback.
-
|
Resolve. Thanks for supporting |
Beta Was this translation helpful? Give feedback.
Rather than doing it from the command line, probably the safest way to do this would be to:
arkimeOtherwise, use the elasticsearch DELETE api to delete the arkime* indices.