Wazuh-Dashboard field issue

Gokul Suresh

Dec 26, 2024, 1:17:56 AM
to Wazuh | Mailing List
Hi team,
I am facing an issue with fields in the Wazuh dashboard.
I am not able to use certain fields in the Wazuh dashboard, and a warning is shown: "No cached mapping for this field . Refresh field list from management > index patterns page".
As mentioned in this warning, refreshing the field list was done, but it did not solve the issue.

These fields were working properly, but all of a sudden things changed.
I have done some research regarding this, but could not find a proper solution to this issue.

Wazuh version 4.7 is the version being used.
Could someone help me out with this issue?
I am attaching the screenshot of the fields and the warning that is shown.


Screenshot 2024-12-19 135557wauh filds2XX.png

Bony V John

Dec 26, 2024, 2:21:05 AM
to Wazuh | Mailing List
Hi Gokul,

The error message "No cached mapping for this field" typically occurs in the Wazuh indexer when you attempt to perform a query or aggregation operation on a field in the Wazuh dashboard, but the Wazuh indexer doesn’t have a mapping for that field.

The rule is firing, and the alert is being generated, but the field might not exist in any of the documents in your Wazuh index.

Steps to Refresh the Index:
  1. Go to the Wazuh dashboard.
  2. Click on the top-left menu icon and select Dashboards Management > Index Patterns.
  3. Select the Wazuh-alerts-* pattern.
  4. Click on the "Refresh field list" button at the top-right corner.

Once refreshed, you should be able to search for and use the term fields in Discover or create custom dashboards and filters.

Regards,

Gokul Suresh

Dec 26, 2024, 7:12:05 AM
to Wazuh | Mailing List
Thank you Bony V John for your reply,
We have tried these steps, but could not solve the issue.
After refreshing, the fields appear in wazuh-alerts-*, but after some time it reverts to the same state it was in before refreshing.

I would like to point out that there is no problem with the default fields.

I have attached the change in the number of fields before and after refreshing in Wazuh-alerts-*.
As I mentioned, after some time it reverts to the same state it was in before refreshing.

I could not figure out why this happens.
image.png
image (1).png

Bony V John

Dec 27, 2024, 3:40:34 AM
to Wazuh | Mailing List

Hi Gokul,

It seems that you are trying to add more than 6000 fields. Could you please verify whether the index.mapping.total_fields.limit is greater than your field count by running the following command:

curl -XGET -k -u admin:<password> "https://<indexer-ip>:9200/wazuh-alerts-*/_settings" | grep "total_fields"

Replace <password> and <indexer-ip> with your indexer server credentials and IP address.

Additionally, ensure that your indexer server has sufficient resources and is not under heavy load during this process. To monitor resource usage before and after refreshing the index pattern, you can run the following commands on the indexer server:

1. CPU Usage:

top

2. Memory Usage:

free -h

3. Disk I/O:

iostat -x 1 10

After refreshing the index pattern, verify whether the changes are applied correctly. Please share the results with us for further assistance.
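
Added example (not part of the original thread and not Wazuh project code): a way to compare the mapped field count of each index behind wazuh-alerts-* with its index.mapping.total_fields.limit, since the wildcard query returns one settings block per index. It assumes the JSON bodies of GET wazuh-alerts-*/_settings and GET wazuh-alerts-*/_mapping have been saved and loaded as dictionaries; the sample data below is constructed, and the count is an approximation of what the indexer counts toward the limit.

```python
DEFAULT_LIMIT = 1000  # OpenSearch default when total_fields.limit is not set on the index

# Constructed sample responses; index names and fields are illustrative only.
SETTINGS = {
    "wazuh-alerts-4.x-2024.12.25": {"settings": {"index": {
        "mapping": {"total_fields": {"limit": "10000"}}}}},
    "wazuh-alerts-4.x-2024.12.26": {"settings": {"index": {}}},  # no explicit limit
}
MAPPINGS = {
    "wazuh-alerts-4.x-2024.12.25": {"mappings": {"properties": {
        "agent": {"properties": {"id": {"type": "keyword"}, "name": {"type": "keyword"}}},
        "rule": {"properties": {"level": {"type": "long"}}},
    }}},
    "wazuh-alerts-4.x-2024.12.26": {"mappings": {"properties": {
        "agent": {"properties": {"id": {"type": "keyword"}}},
        "data": {"properties": {
            "srcip": {"type": "keyword"},
            "custom_user": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
        }},
    }}},
}

def count_fields(properties):
    """Count object fields, leaf fields and multi-fields (approximates what the limit counts)."""
    total = 0
    for spec in properties.values():
        total += 1                                         # the field or object itself
        total += len(spec.get("fields", {}))               # multi-fields such as .keyword
        total += count_fields(spec.get("properties", {}))  # nested object properties
    return total

def field_budget(settings, mappings, default_limit=DEFAULT_LIMIT):
    """Return {index: {"fields", "limit", "headroom"}} for every index in the mapping response."""
    report = {}
    for index, body in mappings.items():
        index_settings = settings.get(index, {}).get("settings", {}).get("index", {})
        limit = int(index_settings.get("mapping", {}).get("total_fields", {}).get("limit", default_limit))
        used = count_fields(body.get("mappings", {}).get("properties", {}))
        report[index] = {"fields": used, "limit": limit, "headroom": limit - used}
    return report

if __name__ == "__main__":
    for index, row in sorted(field_budget(SETTINGS, MAPPINGS).items()):
        flag = "OVER LIMIT" if row["headroom"] < 0 else "ok"
        print(f'{index}: {row["fields"]} fields / limit {row["limit"]} ({flag})')
```
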

Gokul Suresh

Dec 29, 2024, 1:56:51 AM
to Wazuh | Mailing List
Thank you Bony for your reply,
I checked the command that you gave.
In that, the limit is 10000; the field limit does not seem to be an issue.
I am attaching the screenshot of curl -XGET -k -u admin:<password> "https://<indexer-ip>:9200/wazuh-alerts-*/_settings" | grep "total_fields"

So I would like to get your help regarding any other possible cause to this issue and a way to solve it.

image (3).png

Bony V John

Jan 2, 2025, 3:47:23 AM
to Wazuh | Mailing List

Hi Gokul,

Apologies for the late response. We are unable to reproduce this issue from our end for testing. Could you please report this issue on our GitHub by providing the following details:

  • A description of the issue.
  • The operating system of your server.
  • The Wazuh version being used.
  • The resources allocated to your Wazuh server.

This will help us assist you better and track the resolution more efficiently. You can report the issue at the following link:
https://github.com/wazuh/wazuh/issues?page=1

Thank you for your understanding.

Regards,
