Running Filebeat setup loads the assets that make shipped events immediately searchable and dashboard-ready in Kibana, avoiding field mapping surprises and empty visualizations. Skipping setup commonly leaves dashboards without matching data views and causes fields to appear as unparsed text.
The filebeat setup command connects to the configured Elasticsearch cluster to install index management assets such as index templates, ILM policies, and ingest pipelines used by enabled modules. When setup.kibana is configured, it also calls the Kibana API to import saved objects including dashboards, visualizations, and data views.
Setup requires network reachability plus credentials permitted to manage templates and pipelines in Elasticsearch and import saved objects in Kibana. Re-running setup can overwrite existing assets with the same IDs, and the setup operation typically only needs to run once per environment after upgrades or configuration changes that affect assets.
Steps to run Filebeat setup for templates and dashboards:
- Confirm the Elasticsearch output is configured in /etc/filebeat/filebeat.yml.
output.elasticsearch: hosts: ["https://node-01-secure:9200"] username: "elastic" password: "password" ssl.certificate_authorities: ["/etc/filebeat/certs/elastic-ca.crt"]
- Confirm the Kibana endpoint is configured for dashboard loading.
setup.kibana: host: "http://kibana.example.net:5601" space.id: "default"
- Validate the Filebeat configuration syntax before loading assets.
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml Config OK
- Validate connectivity to Elasticsearch using the configured output.
$ sudo filebeat test output -c /etc/filebeat/filebeat.yml elasticsearch: https://node-01-secure:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 172.18.0.4 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.3 dial up... OK talk to server... OK version: 8.12.2A successful test shows talk to server… OK and the detected server version.
- Run filebeat setup to load index templates, ingest pipelines, and dashboards.
$ sudo filebeat setup --index-management --pipelines --dashboards -c /etc/filebeat/filebeat.yml Overwriting lifecycle policy is disabled. Set `setup.ilm.overwrite: true` to overwrite. Index setup finished. Loading dashboards (Kibana must be running and reachable) Loaded dashboards Loaded Ingest pipelines
Existing templates, ingest pipelines, and dashboards with the same IDs may be replaced.
Use -E to supply a privileged setup user for a one-time run without permanently changing /etc/filebeat/filebeat.yml.
- Verify the Filebeat index template exists in Elasticsearch.
$ curl -s --user "elastic:password" --cacert /etc/filebeat/certs/elastic-ca.crt "https://node-01-secure:9200/_index_template/filebeat-*?filter_path=index_templates.name,index_templates.index_template.index_patterns" {"index_templates":[{"name":"filebeat-8.19.9","index_template":{"index_patterns":["filebeat-8.19.9"]}}]} - Confirm Filebeat dashboards appear in Kibana under Analytics → Dashboard.
Switch to the Kibana space configured by setup.kibana.space.id when dashboards are loaded to a non-default space.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
