Error in Kibana


ektadhu...@gmail.com

Aug 24, 2021, 6:02:13 AM
to Wazuh mailing list
Hi Team,

After upgrading Wazuh to 4.1.5 and Elasticsearch and Kibana to 7.10.1, I am receiving this error for indices.

 Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [rule.description] in order to load field data by uninverting the inverted index. Note that this can use significant memory.

How can I fix this?

Regards,
Ekta  

mayte...@wazuh.com

Aug 24, 2021, 7:00:14 AM
to Wazuh mailing list
Hi Ekta,

It seems there is some issue with the mapping. If the Wazuh template is applied properly, the rule.description field should be keyword instead of text (Wazuh template)

You can check which indices did not apply the Wazuh template by running the following query in your Elasticsearch server:
curl -k -u <user>:<pass> 'https://localhost:9200/wazuh-alerts*/_mapping/field/rule.description?pretty'
All those indexes that do not have the rule.description as keyword have not applied the Wazuh template.

Could you perform the following query in your Elasticsearch server to get your current templates?
curl -k -u <user>:<pass> https://localhost:9200/_cat/templates
Check if the Wazuh template is properly loaded and matches the desired indices (we use the Wazuh template to define the mapping for wazuh-alerts-4.x-* and wazuh-archives-4.x-* indices).
 
If not, maybe some steps were missing when performing the migration: Upgrading Filebeat - Wazuh template
 
Once the Wazuh template is properly loaded, you should reindex the indices created without using the Wazuh template (in order to apply the proper template) or delete them to fix the issue (this second option will result in data loss for those indexes without the possibility of restoring it unless you have a backup copy)
 
I hope it helps. Keep us updated!

Best regards,
Mayte Ariza

ektadhu...@gmail.com

Aug 24, 2021, 7:47:41 AM
to Wazuh mailing list
Hi Mayte,
I ran this command curl -k -u <user>:<pass> https://localhost:9200/wazuh-alerts*/_mapping/field/rule.description?pretty and there was no such index that does not have the rule.description field as keyword.

Please tell what should I check next.

Regards,
Ekta

mayte...@wazuh.com

Aug 24, 2021, 8:24:46 AM
to Wazuh mailing list
Hi Ekta,

Did you modify <user>:<pass> to add your Elasticsearch credentials?
 
The log you shared with us implies that the rule.description field should be type text for at least one index:
Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [rule.description] in order to load field data by uninverting the inverted index. Note that this can use significant memory.
 
Could you share the query output with us?

Best regards,
Mayte Ariza

ektadhu...@gmail.com

Aug 24, 2021, 8:43:23 AM
to Wazuh mailing list
Hi Mayte,


Output:

{
  "wazuh-alerts-4.x-2021.08.10" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.19" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-3.x-2021.07.29" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-3.x-2021.07.28" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.16" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-3.x-2021.07.27" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.15" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-3.x-2021.07.26" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-3.x-2021.07.03" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.18" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-3.x-2021.07.25" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-3.x-2021.07.02" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.17" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.12" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-3.x-2021.07.01" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.11" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.14" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-3.x-2021.06.30" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.13" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-3.x-2021.07.30" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.21" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.07.31" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.07.30" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.20" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-3.x-2020.11.01" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-3.x-2021.06.29" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.09" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.08" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-3.x-2021.06.27" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-3.x-2021.06.28" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-3.x-2021.06.25" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.05" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.04" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-3.x-2021.06.26" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.07" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.06" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.23" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.01" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.22" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.03" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.02" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "wazuh-alerts-4.x-2021.08.24" : {
    "mappings" : {
      "rule.description" : {
        "full_name" : "rule.description",
        "mapping" : {
          "description" : {
            "type" : "keyword"
          }
        }
      }
    }
  }
}
Regards,
Ekta

mayte...@wazuh.com

Aug 24, 2021, 9:34:44 AM
to Wazuh mailing list
Hi Ekta,

Indeed there is no rule.description field with type text which is very odd due to the log that appeared in Kibana.
 
Could you send us a screenshot of Kibana showing where this log appears? The more detailed the better (which index pattern is used for filtering in Kibana, time range and so on).
Also, if you can send us the complete error log, showing how many shards or indices fail, it would be very helpful.
 
Best regards,
Mayte Ariza

ektadhu...@gmail.com

Aug 25, 2021, 12:23:13 AM
to Wazuh mailing list
Hi Mayte,

Please find the screenshot for the error. I am seeing this in multiple places, but I am sharing a screenshot of the visualization.
Elastic_error.PNG

mayte...@wazuh.com

Aug 25, 2021, 3:09:33 AM
to Wazuh mailing list
Hi Ekta,

It seems that, at least, the wazuh-alerts-4.x-2021.08.25 index did not apply the Wazuh template.

A different field, agent.ip, appears in the screenshot. We can try again using this one.

The same query I told you before may be used to show us the indices that did not apply the Wazuh template, this time using the agent.ip field instead:

In any case, whether or not they appear as text type, keep checking the templates as I told you before, since the Wazuh template does not seem to be configured properly.

Keep us updated!

Best regards,
Mayte Ariza
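
The mapping check discussed in this thread, as an added example that is not part of the original messages or Wazuh's own tooling: it parses a `_mapping/field` response for several fields at once (here rule.description and agent.ip) and lists every index where a field is missing or not of type keyword. The sample response, its index names and its types are constructed for illustration; `find_mismatches` is a hypothetical helper name.

```python
import json

# Constructed sample of the JSON returned by
#   GET wazuh-alerts*/_mapping/field/rule.description,agent.ip
# Index names and types are made up for illustration.
SAMPLE_RESPONSE = json.loads("""
{
  "wazuh-alerts-4.x-2021.08.24": {"mappings": {
    "rule.description": {"full_name": "rule.description",
      "mapping": {"description": {"type": "keyword"}}},
    "agent.ip": {"full_name": "agent.ip",
      "mapping": {"ip": {"type": "keyword"}}}}},
  "wazuh-alerts-4.x-2021.08.25": {"mappings": {
    "rule.description": {"full_name": "rule.description",
      "mapping": {"description": {"type": "keyword"}}},
    "agent.ip": {"full_name": "agent.ip",
      "mapping": {"ip": {"type": "text",
        "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}}}}},
  "wazuh-alerts-4.x-2021.08.26": {"mappings": {}}
}
""")


def find_mismatches(response, fields, expected="keyword"):
    """Return sorted (index, field, actual_type) tuples for every field whose
    mapping is not `expected`. actual_type is None when the index has no
    mapping for the field at all."""
    problems = []
    for index, body in response.items():
        mapped = body.get("mappings", {})
        for field in fields:
            entry = mapped.get(field)
            if entry is None:
                problems.append((index, field, None))
                continue
            # Inside "mapping" the entry is keyed by the leaf name only
            # ("description" for rule.description, "ip" for agent.ip).
            leaf = field.rsplit(".", 1)[-1]
            actual = entry.get("mapping", {}).get(leaf, {}).get("type")
            if actual != expected:
                problems.append((index, field, actual))
    return sorted(problems, key=lambda p: (p[0], p[1]))


if __name__ == "__main__":
    for index, field, actual in find_mismatches(
            SAMPLE_RESPONSE, ["rule.description", "agent.ip"]):
        print(f"{index}: {field} is {actual or 'unmapped'}, expected keyword")
```

Checking a single field can report every index as healthy while another field in the same index is still dynamically mapped as text, so the check is worth running against each field a failing visualization aggregates on.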

