Not able to see alerts in dashboard

[Dhiren Chavda]

Hello team,

we have deleted old indexes or shards which prevents from making new indexes automatically, after deleting them todays new index created successfully and in the overview we can see count and in archvies it is visible but in particular module we cannot see any alerts and the index health is green as well and we also tried restarting all the services after making the changes.

i have attached the screenshots of the same for your reference.

Please look into this.

Regards,

Dhiren Chavda

[Stuti Gupta]

Please allow me sometime I'm looking into this 

[Stuti Gupta]

Hi  Dhiren 

Since the new index was created successfully and the alert count is visible in the overview and archives, indexing is working correctly. The next step is to confirm where the issue appears in the dashboard.

Please check if alerts are visible in other modules such as Threat Hunting, FIM, or PCI.
If alerts appear there, but not in the Discover you mentioned, then the problem is with the dashboard index pattern not loading the fields from the new index. In that case, refreshing the wazuh-alerts-* index pattern in Stack Management will fix the issue.
Open Dashboards
Go to Dashboard Management
Index Patterns
Select wazuh-alerts-*
Click Refresh

 We need to look at logs from the indexer side to see why Discover is unable to read the documents even though they exist. In that case, please share only the indexer logs.  e only need to check the indexer logs and the search output.

Please run the following commands on the indexer node:

To check if alerts exist in today’s index:

curl -k -u admin:admin https://<indexer-ip>:9200/wazuh-alerts-4.x-*/_search?size=1

To check indexer logs for any search errors:

sudo grep -Ei "error|warn" /var/log/wazuh-indexer/wazuh-cluster.log