No cached mapping warning on data.office365.SystemOverrides

[Rahul Manoj]

Hi all,

I'm seeing a "No cached mapping for this field" warning in Discover on data.office365.SystemOverrides (screenshots attached, x2 — same warning shown consistently).

Environment: Wazuh 4.14.5, OpenSearch Dashboards, Office365 module, AWS module

What I've checked:

• Refreshing the index pattern field list doesn't clear it.
• Checked archives.log directly — the field is empty for the events I inspected, not just empty in the UI.

• No other office365 fields are affected, just this one.
  
  Can someone confirm this is expected, or let me know if there's a template fix I should be applying?  
  
  Thank you

[Md. Nazmur Sakib]

Hi Rahul,

Go to Dashboard management > Dashboards Management > Index patterns

And select wazuh-alerts-* template.

And click on the refresh icon. Similar to the screenshot. 

If you have multiple wazuh-alerts index templates, please refresh the other one as well.



Now, reload the Wazuh dashboard webpage, go to your alerts on Discover and check if these fields are searchable or not.

Looking forward to your update.

[Rahul Manoj]

Hi,

i had already tried refreshing the index pattern but the issue still persists in GUI.
i had checked refreshing again and verified.

Thank you

[Md. Nazmur Sakib]

Restart the indexer service.

systemctl daemon-reload
systemctl restart wazuh-indexer

In the Wazuh dashboard, click on the hamburger icon at the top left > Index Management > Dev Tools. Please run and share the outputs of the following commands:
 GET wazuh-alerts-*/_mapping/field/<affectedfield>

Where <affectedfield> is the field that is not populated with data.

From the Index Management > Dev Tools. Please run and check the outputs of the following commands:

GET wazuh-alerts-*/_settings

It will show you the field's limit.
      "mapping": {

          "total_fields": {

            "limit": "10000"

          }

Next, go to Dashboard management > Dashboards Management > Index patterns

And select wazuh-alerts-* template.

Check how many fields you have currently on that index pattern.



If you have hit the index limit. You can use this to increase the index field limit.

Index Management > Dev Tools.

PUT wazuh-alerts-*/_settings

{

  "index.mapping.total_fields.limit": 20000

}

Also for the future indices.
Go to vi /etc/filebeat/wazuh-template.json

Change the total_fields.limit
"index.mapping.total_fields.limit": 20000,

And load the configuration

filebeat setup --pipelines

filebeat setup --index-management -E output.logstash.enabled=false

Restart Filebeat:

systemctl restart filebeat


Now reindex today's index.

Create a backup of the data with this command.

POST _reindex

{

  "source": {

    "index": "wazuh-alerts-4.x-2026.06.25"

  },

  "dest": {

    "index": "wazuh-alerts-4.x-backup"

  }

}

Delete your data index

DELETE /wazuh-alerts-4.x-2026.06.25

Recreate the data index from the backup

POST _reindex

{

  "source": {

    "index": "wazuh-alerts-4.x-backup"

  },

  "dest": {

    "index": "wazuh-alerts-4.x-2026.06.25"

  }

}

Delete the backup index

DELETE /wazuh-alerts-4.x-backup

Now, go to the indexer pattern, click on the refresh button as I instructed before.

After that, go to the Discover or Threat Hunting page and filter today and check if you are able to see the fields in searchable format in today's index.

Let me know the update on this.

[Rahul Manoj]

Hi i have not hit the index limit.
the limit is shown as:

        "mapping": {
          "total_fields": {
            "limit": "10000"
          }
        },

the number of indices shown in dashboard management > index pattern is 2469.

[Rahul Manoj]

Hi,
can you confirm if fields with data will only get refreshed or without data will also get refreshed?