Dublicate alerts and archives

19 views
Skip to first unread message

Farid Alakbarli

unread,
Jun 29, 2026, 7:17:13 AM (4 days ago) Jun 29
to Wazuh | Mailing List

Hi everyone,

I’m experiencing an issue in my Wazuh environment where duplicate index patterns seem to be created automatically (see screenshot attached). I didn’t create them manually, and over time multiple entries with the same patterns (such as wazuh-alerts-* and wazuh-archives-*) appeared on their own.

Has anyone experienced something similar before? I’d like to understand what could cause this behavior (replication, templates, dashboard issue, automation, etc.) and what would be the best way to troubleshoot and resolve it.

Any suggestions would be appreciated.

Thank you. 

Screenshot 2026-06-29 112727.png

Javier Medeot

unread,
Jun 29, 2026, 9:22:43 AM (4 days ago) Jun 29
to Wazuh | Mailing List
Hi.

Multiple causes could cause this index patterns multiplication. Maybe they were created when restoring dashboard snapshots or importing saved objects, maybe this is from an upgrade of central components failing to recognize the existing index patterns (which would generate the new ones), or maybe automation tools running multiple times the initialization steps.

To list all the index patterns and delete the copies, you can go to  > Dashboard management > Dashboards management > Saved objects and filter for index patterns or  > Dashboard management > Dashboards management > Index patterns.

Javier Medeot

unread,
Jun 29, 2026, 3:09:44 PM (3 days ago) Jun 29
to Wazuh | Mailing List
And before any deletion, make sure:
  • You export the saved objects as a backup
  • The duplicates refer to the exact same index pattern
  • The duplicates contain the exact same fields (no customization making them actually different)
After ensuring this, you are safe to delete the duplicates.

Thank you.
Reply all
Reply to author
Forward
0 new messages