illegal_argument_exception at

Ricardo Barros

Nov 27, 2025, 5:21:38 AM (7 days ago) Nov 27
to Wazuh | Mailing List
I need some help. When accessing some Wazuh pages, I'm getting similar errors. Is there a solution?

illegal_argument_exception at shard 0, index wazuh-alerts-2025.11.17, node TNlJUEVVTOy9wqfmin0XIw
Type: illegal_argument_exception
Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [rule.description] in order to load field data by uninverting the inverted index. Note that this can use significant memory.

Sandip Aryal

Nov 27, 2025, 9:32:43 PM (6 days ago) Nov 27
to Wazuh | Mailing List
Hi,
The cause of the error is that the Wazuh dashboard is doing some operations, like aggregations or sorting, on string fields not mapped as keyword.
The thing is that the keyword is already the default mapping in the standard Wazuh template for rule.description. Normally, Filebeat pushes /etc/filebeat/wazuh-template.json up to the Wazuh indexer cluster.
"rule": {
    "properties": {
        "description": {
            "type": "keyword"
        }
    }
},

Reference:
https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html#configuring-filebeat 

Please check the template as it exists in the Wazuh indexer cluster state by using the following API call against the Wazuh Indexer.  It should resemble what you have in the wazuh-template.json file.

GET /_template/wazuh


If you don't see sections like above with description type: "keyword", either your wazuh-template.json file is not being pushed to the indexer, or you have some other template that is overriding the wazuh template.
Also, please run the following command at Indexer Management > Dev Tools :

GET /_cat/templates?v
GET /wazuh-alerts-<affectedindicedate>/_mapping/field/rule.description

You might get rule.description with some other field type.
To fix this, you can create a template and increase its order to override, or correct the existing template by changing the field type:
POST _template/wazuh_custom_name
{
    "order": 5,
    "version": 1,
    "index_patterns": [
      "wazuh-alerts-4.x-*",
      "wazuh-archives-4.x-*"
    ],
    "settings": {
      "index": {
        "mapping": {
          "total_fields": {
            "limit": "10000"
          }
        }, ................. Truncated Template

This will create a template that will take effect with the new index. These cannot be applied to the older one. For this, you can reindex the indices that you are facing issues with.
You can reindex using the following on Indexer Management and Dev Tools
POST /_reindex
{
   "source":{
      "index":"my-source-index"
   },
   "dest":{
      "index":"my-destination-index"
   }
}

Reference: https://documentation.wazuh.com/current/user-manual/wazuh-indexer/re-indexing.html

Ricardo Barros

Dec 2, 2025, 3:22:11 PM (yesterday) Dec 2
to Wazuh | Mailing List
Hello, when I run this POST request, it works and the error disappears for 2 days because it changes the TYPE of old indexers. When a new one is created, it generates the error again. For example: if I have an error in "wazuh-alerts-4.x-2025.07.01" and I run the command, the error disappears. But when a new indexer "wazuh-alerts-4.x-2025.07.03" is created, the error reappears.
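
An offline way to run the template check described in the reply above, as an added example that is not part of the thread: it takes a saved GET /_template response and reports which legacy template decides the type of rule.description for a given index name. The sample templates, the name other_template and the function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample shaped like a GET /_template response (not from the thread).
SAMPLE_TEMPLATES = {
    "wazuh": {
        "order": 0,
        "index_patterns": ["wazuh-alerts-4.x-*", "wazuh-archives-4.x-*"],
        "mappings": {"properties": {"rule": {"properties": {
            "description": {"type": "keyword"}}}}},
    },
    "other_template": {  # hypothetical overriding template
        "order": 3,
        "index_patterns": ["wazuh-alerts-*"],
        "mappings": {"properties": {"rule": {"properties": {
            "description": {"type": "text"}}}}},
    },
}


def field_type(mappings, field_path):
    """Walk properties.<a>.properties.<b>... and return the leaf type, or None."""
    node = mappings
    for part in field_path.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node.get("type")


def resolve_field(templates, index_name, field_path="rule.description"):
    """Return (type, template_name) a new index named index_name would get.

    Matching templates apply in ascending "order"; a higher order overrides.
    (None, None): no matching template maps the field, so dynamic mapping
    decides, and a string value is then mapped as text by default.
    """
    matching = [
        (body.get("order", 0), name, body)
        for name, body in templates.items()
        # fnmatchcase covers the simple "*" wildcards used in these patterns
        if any(fnmatchcase(index_name, p) for p in body.get("index_patterns", []))
    ]
    result = (None, None)
    for _, name, body in sorted(matching, key=lambda t: (t[0], t[1])):
        ftype = field_type(body.get("mappings", {}), field_path)
        if ftype is not None:
            result = (ftype, name)
    return result
```

Feed it the real GET /_template output and the name of the next daily index; a result other than keyword names the template to correct or to override with a higher order.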