error indexer
17 views
Skip to first unread message
Tengku Arya Saputra
Feb 10, 2026, 12:48:02 AM (2 days ago) Feb 10
to Wazuh | Mailing List
Hi team,
I'm having an issue with my dashboard. All of my dashboard overviews in Wazuh are experiencing an indexser issue because they have changed to .keyword, src_ip.keyword.
This is impacting other dashboards.
I'm having an issue with my dashboard. All of my dashboard overviews in Wazuh are experiencing an indexser issue because they have changed to .keyword, src_ip.keyword.
This is impacting other dashboards.
I will provide one example of the error in the attached file.
Regards
hasitha.u...@wazuh.com
Feb 10, 2026, 1:10:17 AM (2 days ago) Feb 10
to Wazuh | Mailing List
Hi Tengku
Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.
Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.
hasitha.u...@wazuh.com
Feb 10, 2026, 1:41:21 AM (2 days ago) Feb 10
to Wazuh | Mailing List
Hi Tengku
Please check the template as it exists in the Wazuh indexer cluster state by using the following API call against Wazuh Indexer. It should resemble what you have in the wazuh-template.json file.
GET /_template/wazuh
Does it includes sections like these?
If you don't see sections like this with "10000" and "keyword" in them then it appears either your wazuh-template.json file is not being pushed to the indexer or you have some other template that is overriding the wazuh template.
Also, what is the output of this Wazuh indexer API call?
GET /_cat/templates?v
Additionally, Please run the following command at Indexer Management > Dev Tools :
GET /wazuh-alerts-<affectedindicedate>/_mapping/field/manager.name
The output should be:
If that shows "type": "text", then the template fix hasn’t affected this index yet; you’ll need to reindex.
Run the following API command in the Dev tool console to get the names of all available indices:
GET _cat/indices
Take a backup of the index for that run the following command, replacing wazuh-alerts-4.x-2023.04.24 with index name that you want to reindex:
Delete the original index:
DELETE /wazuh-alerts-4.x-2025.10.31
Reindex from backup:
Delete the backup index:
DELETE /wazuh-alerts-4.x-backup
Repeat these steps for any other indices that are showing field conflict issues.
You can also refer to the Wazuh reindexing
Let me know the update on this to check further.
Please check the template as it exists in the Wazuh indexer cluster state by using the following API call against Wazuh Indexer. It should resemble what you have in the wazuh-template.json file.
GET /_template/wazuh
Does it includes sections like these?
- "settings": {
- "index": {
- "mapping": {
- "total_fields": {
- "limit": "10000"
- }
- },
- "manager": {
- "properties": {
- "name": {
- "type": "keyword"
- }
- }
- },
If you don't see sections like this with "10000" and "keyword" in them then it appears either your wazuh-template.json file is not being pushed to the indexer or you have some other template that is overriding the wazuh template.
Also, what is the output of this Wazuh indexer API call?
GET /_cat/templates?v
Additionally, Please run the following command at Indexer Management > Dev Tools :
GET /wazuh-alerts-<affectedindicedate>/_mapping/field/manager.name
The output should be:
- {
- "wazuh-alerts-4.x-2025.10.31": {
- "mappings": {
- "mapping": {
- "name": {
- "type": "keyword"
- }
- }
- }
- }
- }
- }
If that shows "type": "text", then the template fix hasn’t affected this index yet; you’ll need to reindex.
Run the following API command in the Dev tool console to get the names of all available indices:
GET _cat/indices
Take a backup of the index for that run the following command, replacing wazuh-alerts-4.x-2023.04.24 with index name that you want to reindex:
- POST _reindex
- {
- "source": {
- "index": "wazuh-alerts-4.x-2025.10.31"
- },
- "dest": {
- "index": "wazuh-alerts-4.x-backup"
- }
- }
Delete the original index:
DELETE /wazuh-alerts-4.x-2025.10.31
Reindex from backup:
- POST _reindex
- {
- "source": {
- "index": "wazuh-alerts-4.x-backup"
- },
- "dest": {
- "index": "wazuh-alerts-4.x-2025.10.31"
- }
- }
Delete the backup index:
DELETE /wazuh-alerts-4.x-backup
Repeat these steps for any other indices that are showing field conflict issues.
You can also refer to the Wazuh reindexing
Let me know the update on this to check further.
Reply all
Reply to author
Forward
0 new messages