I now have evebox importer and server running and loading data to/from ES. One thing that confused me greatly was that the evebox viewer took hours to load the data from ES.
I could see the data in ES but the viewer said it had no data for the last x hours (where x was the time the eve.json file rolled over), gradually x decreased and now the most current data I can see is current.
If you drop the time thing down to “all” you should start seeing alerts almost immediately. The “Events” tab is quicker to pick stuff up:
It shows all events, not just alerts.
It doesn’t do any aggregations, so data can show up there before fully analyzed.
But data should how up pretty soon. One issue I see often is people loading in older event files, and as that drop down defaults to the last 24 hours no alerts show, but change it to all and they are there.