[Auditbeat] Host Overview dashboard

[cwurm]

Adds a Host Overview dashboard for data from the host dataset:

[elasticmachine]

Pinging @elastic/secops

[webmat]

Love the looks of the dashboard.

Perhaps more useful than avg uptime would be Bottom N uptimes (most recent reboots)?

I've discovered a big worry about canonical fields for strings not being keyword indexed, but this is out of the scope of this new dashboard. Let's look into that next week.

[webmat]

Hmmm, the canonical fields are not keyword datatype? Is this a fact across Auditbeat?

In ECS, we're flipping the ES convention around. Virtually all textual fields are keyword, and if full text search is needed, a multi-field named .text should be added. To take this field for example, I would have expected system.audit.host.id == keyword and system.audit.host.id.text == text.

I thought the ECS convention (at least the canonical fields being keyword) was already in place across all beats, but it seems like it's not the case here.

@cwurm Do you know how widely multi-field is used for the keyword indexing, in Auditbeat?

cc @ruflin

[cwurm]

My mistake. For some reason, I did not have the proper template loaded. I've loaded it now and updated the field references. Thanks for catching it.

[cwurm]

Perhaps more useful than avg uptime would be Bottom N uptimes (most recent reboots)?

The Host List table can already be sorted by uptime, I think I like that better than introducing another table that duplicates the information already present. I've added a commit that sets uptime (asc) as the default sort.

[webmat]

Happy we caught that template problem :-)

LGTM

[andrewkroh]

Based on the screenshot I think the dashboard name needs to be swapped around. I think the convention dictates that it should be [Auditbeat System] Host Overview. But otherwise LGTM.

[cwurm]

I've opened #10511 for a System Overview dashboard containing data from all datasets. So closing this for now, unless we decide to go with individual dashboards after all.