Hi Shady Mohamed,
The issue shown is a field mapping conflict for data.srcip, data.dstport, data.dstip, and data.srcport in the index pattern.
In some, it is IP, and in others, it is a keyword.
Because of this difference, it is marked as a conflict.
First, check the current mapping:
curl -k -u admin:password "https://<ipaddress>:9200/wazuh-alerts-*/_mapping?pretty" | grep dstip -A 5
You will see that some indices define it as a keyword and others as an ip.
To fix the conflict permanently, you must choose one correct type and reindex the data.
If this field should be an object, then update the index template before creating new indices.
Change the Data Type in the Dashboard:
Navigate to Dashboard Management >> Dashboard Management >> Index Pattern >> Click on the index pattern wazuh-alerts >> Locate the field that you need to change the data type and click Edit >> Change the data type to "keyword/ip"; by default it is keyword/string.
Or edit the Wazuh template JSON file: on the wazuh-manager server, edit the template file located at /etc/filebeat/wazuh-template.json. Find the field's definition in the template. Update its data type to match the changes the error is asking for in the Wazuh UI:
"properties": {
  "dstport": {
    "type": "object/keyword"
  }
}
Run the following command to apply the changes:
filebeat setup --index-management
After updating the template, new indices will use the correct mapping.
Existing indices cannot be changed directly. You must reindex them.
Create a new index:
Take a backup of the index. For that, run the following command, replacing, for example, wazuh-alerts-4.x-2025.12.07 with the name of the index that you want to reindex:
POST _reindex
{
  "source": {
    "index": "wazuh-alerts-4.x-2025.12.07"
  },
  "dest": {
    "index": "wazuh-alerts-4.x-backup"
  }
}
Delete the original index:
DELETE /wazuh-alerts-4.x-2025.12.07
Reindex from backup:
POST _reindex
{
  "source": {
    "index": "wazuh-alerts-4.x-backup"
  },
  "dest": {
    "index": "wazuh-alerts-4.x-2025.12.07"
  }
}
Delete the backup index:
DELETE /wazuh-alerts-4.x-backup
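
Added example, not part of the original reply: a Python script that reads a _mapping response and lists the fields whose type differs between indices, plus the indices that would need reindexing once you pick the type to keep. The sample mapping is constructed (not real cluster output) and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample of a GET wazuh-alerts-*/_mapping response (not real output).
SAMPLE_MAPPING = json.loads("""
{
  "wazuh-alerts-4.x-2025.12.06": {"mappings": {"properties": {"data": {"properties": {
      "srcip": {"type": "ip"}, "dstip": {"type": "ip"},
      "srcport": {"type": "keyword"}, "dstport": {"type": "keyword"}}}}}},
  "wazuh-alerts-4.x-2025.12.07": {"mappings": {"properties": {"data": {"properties": {
      "srcip": {"type": "keyword"}, "dstip": {"type": "keyword"},
      "srcport": {"type": "keyword"}, "dstport": {"type": "keyword"}}}}}}
}
""")

def flatten(properties, prefix=""):
    """Yield (dotted.field.name, type) for every leaf in a mapping 'properties' tree."""
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:            # object field: recurse into its children
            yield from flatten(spec["properties"], path + ".")
        else:
            yield path, spec.get("type", "object")

def find_conflicts(mapping):
    """Return {field: {type: [indices]}} for fields mapped with more than one type."""
    seen = defaultdict(lambda: defaultdict(list))
    for index, body in mapping.items():
        props = body.get("mappings", {}).get("properties", {})
        for field, ftype in flatten(props):
            seen[field][ftype].append(index)
    return {f: {t: sorted(i) for t, i in types.items()}
            for f, types in seen.items() if len(types) > 1}

def indices_to_reindex(conflicts, field, wanted_type):
    """Indices whose mapping for `field` differs from the type chosen to keep."""
    return sorted(i for t, idx in conflicts.get(field, {}).items()
                  if t != wanted_type for i in idx)

if __name__ == "__main__":
    conflicts = find_conflicts(SAMPLE_MAPPING)
    for field, types in sorted(conflicts.items()):
        print(field, types)
    print(indices_to_reindex(conflicts, "data.srcip", "ip"))
```

To use it on real data, save the output of the _mapping request to a file and pass the parsed JSON to find_conflicts instead of SAMPLE_MAPPING.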