Index Mapping Issue


Gokul Suresh

Oct 9, 2025, 2:58:58 AM
to Wazuh | Mailing List

Hi Team,

I need assistance with index patterns in Wazuh. Unwanted fields are still showing up in the index pattern even after removing the related indices.

Scenario:
I had Office 365 logs indexed in Wazuh 3 months back, and my index pattern showed 1300+ fields. Later I deleted all indices containing Office 365 logs, and then refreshed the index pattern. After that, the field count dropped to 1016, but I still see fields related to Office 365 in the index pattern.

Questions / issue:

  1. Why are the Office 365-related fields not removed from the index pattern even after deleting the indices and refreshing?

  2. Is there a method to permanently remove those fields (that are no longer needed) from the index pattern, as the Office 365 integration is removed from scope?

Manuel Jose Cano Rojo

Oct 9, 2025, 4:13:41 AM
to Wazuh | Mailing List

Hi Gokul,

This behavior is expected and occurs mainly for two reasons:

  1. Office 365 fields are included in Wazuh’s official index template.
    Even if you no longer ingest Office 365 data, those fields remain part of the default mappings distributed with Wazuh.

  2. The Wazuh Dashboard automatically refreshes the index pattern during its health check.
    This process re-adds any fields that exist in the official template, which is why the Office 365–related fields keep appearing even after deleting the old indices. You can find more details about this behavior here: Wazuh Dashboard settings – Checks pattern.

While it’s technically possible to modify the index template and mappings to remove those fields, we don’t recommend doing so, as it may lead to unexpected issues and would need to be repeated after every Wazuh update (since the official templates are replaced).

These extra fields don’t consume additional storage or affect performance, so it’s safe to leave them as they are.

Best regards,

Manuel.
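Added example, not part of the thread and not Wazuh project code: one way to check which Office 365 fields in an index mapping come from the index template and which were mapped dynamically from ingested events. The mappings and field names below are constructed samples; on a real deployment the two inputs would be the `mappings` objects returned by the indexer's `_template` and `_mapping` APIs.

```python
def flatten(mappings, prefix=""):
    """Return {dotted field name: type} for an OpenSearch 'mappings' object."""
    fields = {}
    for name, spec in mappings.get("properties", {}).items():
        path = prefix + name
        if "properties" in spec:                      # object field: recurse
            fields.update(flatten(spec, path + "."))
        else:
            fields[path] = spec.get("type", "object")
        for sub, subspec in spec.get("fields", {}).items():   # multi-fields
            fields[path + "." + sub] = subspec.get("type", "object")
    return fields


def classify(template_mappings, index_mappings, prefix):
    """Split an index's fields under `prefix` by where their mapping came from."""
    template_fields = set(flatten(template_mappings))
    selected = {f for f in flatten(index_mappings) if f.startswith(prefix)}
    return {
        # Pre-defined by the template: present in every index it applies to.
        "from_template": sorted(selected & template_fields),
        # Created only because documents carrying the field were indexed.
        "dynamic": sorted(selected - template_fields),
    }


def o365(extra=None):
    """Build a constructed mapping with two template-defined Office 365 fields."""
    props = {"Operation": {"type": "keyword"}, "UserId": {"type": "keyword"}}
    props.update(extra or {})
    return {"properties": {
        "agent": {"properties": {"name": {"type": "keyword"}}},
        "data": {"properties": {"office365": {"properties": props}}},
    }}


TEMPLATE = o365()                      # constructed: what the template defines
NEW_INDEX = o365()                     # constructed: index with no O365 events
OLD_INDEX = o365({"ExtendedProperties": {"properties": {   # constructed
    "Value": {"type": "text", "fields": {"keyword": {"type": "keyword"}}}}}})

if __name__ == "__main__":
    for label, idx in (("old index", OLD_INDEX), ("new index", NEW_INDEX)):
        print(label, classify(TEMPLATE, idx, "data.office365."))
```

In this sample the dynamically mapped fields exist only in the old index and go away with it, while the template-defined ones are still present in the index that never received Office 365 events.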