Wazuh- elastic intergration unable to pick most active agent

[masara]

Hi everyone,
I recently installed wazuh and elastic-search with the one of deployment. I have enable multi-tenancy by creating different spaces and indexes to separate logs . However elastic search is unable pick up the most active agent and display it rather bringing up this large error below. Please advice me where to check configuration and make necessary changes and figure out this error.

this is the error am getting
An error occurred while trying to get the most active agent: 4004 - search_phase_execution_exception: [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory. 4004 - search_phase_execution_exception: [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [agent.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require

[Maximiliano Ibarra]

Hi Masara.

Regarding the error you mentioned, it is related to the missing Wazuh template since it seems there is some issue with the mapping. If the Wazuh template is applied properly, the [agent.name] field should be keyword instead of text.
I would recommend you to re-map your index. This means you should create a new index using the data from the corrupted index and apply the template. Once you are done, you can replace the corrupted index with the well-mapped index. Basically, re-index the affected index with agent.name mapped as keyword.

Reference: https://documentation.wazuh.com/current/user-manual/wazuh-indexer/re-indexing.html#re-indexing

To check the content of your template, go to Indexer Management > Dev Tools and use the command:

curl localhost:9200/_template/wazuh

And, to check which template is being applied for a specific index:

Example:

curl localhost:9200/wazuh-alerts-4.x-2024.07.02/_mapping?pretty

I hope this can help you