High Index pattern mappings


Gokul Suresh

Sep 19, 2025, 3:40:32 AM
to Wazuh | Mailing List
Hi team,
I want to understand how index patterns behave in Wazuh when dealing with unwanted mappings.
Specifically, when a device is being monitored, several fields are created and mapped related to that device. If the device is no longer monitored, will those fields be automatically removed, or will they remain in the index pattern? I would like to know how this process works in Wazuh.  

Hernan Matias Villan

Sep 19, 2025, 4:38:27 PM
to Wazuh | Mailing List
Hello, Gokul

The field mappings in your wazuh-alerts-* index pattern are derived from the mappings of the underlying indices. These can be explicitly set in the Wazuh template (viewable by running GET _template/wazuh in Indexer Management > Dev Tools within the Wazuh interface) or dynamically assigned when a previously unknown field is encountered. In the latter case, the Indexer infers the data type based on the field’s content. This dynamic assignment can result in conflicts if the same field is assigned different data types across multiple indices.

The index pattern dynamically adjusts its field mappings by adding or removing fields based on the mappings of all indices that match the pattern. This has some implications:

Even if you delete all documents containing a specific field or remove the field from those documents, the index mappings are static and will persist in both the index and the index pattern.

To remove a field from an index’s mapping, you must reindex the affected index to eliminate the field’s mapping (after the field or documents have been deleted).

If a field is defined in the Wazuh template, it will always appear in the mappings for every affected index, regardless of whether it’s present in the data.

A field mapping will only disappear from the index pattern when no matching indices contain documents with that field (and it's also not in the template).

I hope this was helpful.
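Added example, not part of the original thread and not Wazuh's own code: a Python sketch that takes a response shaped like `GET wazuh-alerts-*/_mapping`, computes the union of fields the index pattern would show, flags fields mapped with different types across indices, and lists which indices still carry each non-template field and would need reindexing. The index names, the `data.printer.*` fields and the `TEMPLATE_FIELDS` set are constructed assumptions; multi-fields (`fields` sub-mappings) are ignored.

```python
from collections import defaultdict

# Constructed sample, shaped like the response of GET wazuh-alerts-*/_mapping.
# Index names and the data.printer.* fields are made up for illustration.
def sample_index(extra):
    props = {"agent": {"properties": {"id": {"type": "keyword"}}},
             "rule": {"properties": {"level": {"type": "long"}}}}
    if extra:
        props["data"] = {"properties": {"printer": {"properties": extra}}}
    return {"mappings": {"properties": props}}

SAMPLE = {
    "wazuh-alerts-4.x-2025.09.17": sample_index({"status": {"type": "keyword"},
                                                 "page_count": {"type": "long"}}),
    "wazuh-alerts-4.x-2025.09.18": sample_index({"page_count": {"type": "keyword"}}),
    "wazuh-alerts-4.x-2025.09.19": sample_index(None),  # device no longer monitored
}
# Assumed stand-in for the fields explicitly defined in the template.
TEMPLATE_FIELDS = {"agent.id", "rule.level"}

def flatten(properties, prefix=""):
    """Yield (dotted field name, type) for each leaf of a 'properties' tree."""
    for name, spec in properties.items():
        if "properties" in spec:
            yield from flatten(spec["properties"], f"{prefix}{name}.")
        else:
            yield prefix + name, spec.get("type", "object")

def analyze(mappings, template_fields):
    seen = defaultdict(lambda: defaultdict(list))  # field -> type -> indices
    for index in sorted(mappings):
        props = mappings[index].get("mappings", {}).get("properties", {})
        for field, ftype in flatten(props):
            seen[field][ftype].append(index)
    # The index pattern shows the union of fields across all matching indices.
    pattern_fields = sorted(seen)
    # Same field mapped with different types in different indices: a conflict.
    conflicts = {f: dict(t) for f, t in seen.items() if len(t) > 1}
    # Non-template fields and the indices whose mappings still carry them;
    # those indices would need reindexing for the field to disappear.
    stale = {f: sorted(i for idx in t.values() for i in idx)
             for f, t in seen.items() if f not in template_fields}
    return pattern_fields, conflicts, stale

if __name__ == "__main__":
    fields, conflicts, stale = analyze(SAMPLE, TEMPLATE_FIELDS)
    print("pattern fields:", fields)
    print("type conflicts:", conflicts)
    print("indices to reindex per field:", stale)
```

In the sample, the index for 2025.09.19 no longer has any `data.printer.*` mapping, yet both fields remain in the pattern because the two older indices still map them.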