illegal_argument_exception office 365


Serhii Zahuba

Dec 29, 2025, 5:50:34 AM
to Wazuh | Mailing List
Hello. A few days ago I saw an error for Office 365 panels. Below is a detailed description - is this a bug or do I need to fix something? I did not change the configuration.

[Screenshot attached: 2025-12-29_12-41.png]

Type: illegal_argument_exception
Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [data.office365.ClientIP] in order to load field data by uninverting the inverted index. Note that this can use significant memory.


Request
{ "sort": [], "size": 100, "from": 0, "aggs": { "buckets": { "terms": { "field": "data.office365.ClientIP", "size": 5, "order": { "_count": "desc" } } } }, "stored_fields": [ "*" ], "script_fields": {}, "docvalue_fields": [ { "field": "data.aws.createdAt", "format": "date_time" }, { "field": "data.aws.end", "format": "date_time" }, { "field": "data.aws.resource.instanceDetails.launchTime", "format": "date_time" }, { "field": "data.aws.service.eventFirstSeen", "format": "date_time" }, { "field": "data.aws.service.eventLastSeen", "format": "date_time" }, { "field": "data.aws.start", "format": "date_time" }, { "field": "data.aws.updatedAt", "format": "date_time" }, { "field": "data.ms-graph.activityDateTime", "format": "date_time" }, { "field": "data.ms-graph.complianceGracePeriodExpirationDateTime", "format": "date_time" }, { "field": "data.ms-graph.createdDateTime", "format": "date_time" }, { "field": "data.ms-graph.deviceActionResults.lastUpdatedDateTime", "format": "date_time" }, { "field": "data.ms-graph.deviceActionResults.startDateTime", "format": "date_time" }, { "field": "data.ms-graph.deviceHealthAttestationState.issuedDateTime", "format": "date_time" }, { "field": "data.ms-graph.deviceHealthAttestationState.lastUpdateDateTime", "format": "date_time" }, { "field": "data.ms-graph.easActivationDateTime", "format": "date_time" }, { "field": "data.ms-graph.enrolledDateTime", "format": "date_time" }, { "field": "data.ms-graph.exchangeLastSuccessfulSyncDateTime", "format": "date_time" }, { "field": "data.ms-graph.firstActivityDateTime", "format": "date_time" }, { "field": "data.ms-graph.lastActivityDateTime", "format": "date_time" }, { "field": "data.ms-graph.lastSyncDateTime", "format": "date_time" }, { "field": "data.ms-graph.lastUpdateDateTime", "format": "date_time" }, { "field": "data.ms-graph.managementCertificateExpirationDate", "format": "date_time" }, { "field": "data.ms-graph.resolvedDateTime", "format": "date_time" }, { "field": "data.timestamp", "format": "date_time" }, { "field": "data.vulnerability.published", "format": "date_time" }, { "field": "data.vulnerability.updated", "format": "date_time" }, { "field": "syscheck.mtime_after", "format": "date_time" }, { "field": "syscheck.mtime_before", "format": "date_time" }, { "field": "timestamp", "format": "date_time" } ], "_source": { "excludes": [ "@timestamp" ] }, "query": { "bool": { "must": [], "filter": [ { "match_all": {} }, { "match_phrase": { "cluster.name": { "query": "wazuh" } } }, { "match_phrase": { "rule.groups": { "query": "office365" } } }, { "range": { "timestamp": { "gte": "2025-12-29T09:42:00.954Z", "lte": "2025-12-29T10:42:00.954Z", "format": "strict_date_optional_time" } } } ], "should": [], "must_not": [] } } }

Response

{ "took": 200, "timed_out": false, "_shards": { "total": 110, "successful": 109, "skipped": 0, "failed": 1, "failures": [ { "shard": 0, "index": "wazuh-alerts-4.x-2025.12.29", "node": "UdJ2fEooRb-6AQV_PbLRXw", "reason": { "type": "illegal_argument_exception", "reason": "Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [data.office365.ClientIP] in order to load field data by uninverting the inverted index. Note that this can use significant memory." } } ] }, "hits": { "total": 0, "max_score": null, "hits": [] }, "aggregations": { "buckets": { "doc_count_error_upper_bound": 0, "sum_other_doc_count": 0, "buckets": [] } } }


Stuti Gupta

Dec 29, 2025, 6:06:41 AM
to Wazuh | Mailing List

Hi Serhii,

The issue is occurring due to a field mapping error.

Please check the office365.ClientIP field in
/etc/filebeat/wazuh-template.json.
This field must be of type keyword, for example:

          "office365": {
            "properties": {
              "Actor": {
                "properties": {
                  "ID": {
                    "type": "keyword"
                  }
                }
              },
              "UserId": {
                "type": "keyword"
              },
              "Operation": {
                "type": "keyword"
              },
              "ClientIP": {
                "type": "keyword"
              },
              "ResultStatus": {
                "type": "keyword"
              },
              ...


If ClientIP is defined as anything other than keyword, change it to keyword, then run the following command:

filebeat setup --pipelines

After this, check the Filebeat logs to confirm the errors are resolved.

Next, you need to reindex the affected indices.

  1. In the Wazuh dashboard, click the hamburger menu (top left) → Index Management → Dev Tools.

  2. Run the following command to list all indices:

    GET _cat/indices

  3. Take a backup of the affected index (replace the index name as needed):

    POST _reindex
    {
      "source": {
        "index": "wazuh-alerts-4.x-2025.08.14"
      },
      "dest": {
        "index": "wazuh-alerts-4.x-backup"
      }
    }

  4. Delete the original index:

    DELETE /wazuh-alerts-4.x-2025.08.14

  5. Reindex the data back from the backup:

    POST _reindex
    {
      "source": {
        "index": "wazuh-alerts-4.x-backup"
      },
      "dest": {
        "index": "wazuh-alerts-4.x-2025.08.14"
      }
    }

  6. Delete the backup index:

    DELETE /wazuh-alerts-4.x-backup

Repeat these steps for any other indices that show field conflict issues.

For more details, you can also refer to the Wazuh re-indexing documentation: https://documentation.wazuh.com/current/user-manual/wazuh-indexer/re-indexing.html
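The template file only governs indices created after it is loaded into the indexer, so the mapping that actually decides whether the `terms` aggregation in the request above succeeds is the live one returned by `GET <index>/_mapping`. The following added example (not code from the thread or from Wazuh) walks a constructed `_mapping` response for the field used in the thread's request and reports whether the live type permits the aggregation; the index name, sample mapping and aggregation bodies are all constructed for illustration.

```python
# Constructed sample of a "GET wazuh-alerts-4.x-2025.12.29/_mapping" response,
# reduced to the fields relevant here (sample data, not taken from the thread).
SAMPLE_MAPPING = {"wazuh-alerts-4.x-2025.12.29": {"mappings": {"properties": {
    "data": {"properties": {"office365": {"properties": {
        "ClientIP": {"type": "text"},                      # the misconfigured field
        "UserId": {"type": "keyword"},
        "Operation": {"type": "text",                      # text with a keyword multi-field
                      "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
    }}}},
    "timestamp": {"type": "date"},
}}}}

# Constructed aggregation bodies; the first uses the field from the thread's request.
AGG_CLIENTIP = {"aggs": {"buckets": {"terms": {"field": "data.office365.ClientIP", "size": 5}}}}
AGG_OPERATION = {"aggs": {"buckets": {"terms": {"field": "data.office365.Operation", "size": 5}}}}


def flatten_fields(properties, prefix=""):
    """Walk a mapping 'properties' tree into {dotted.path: field_spec}.
    Multi-fields (e.g. Operation.keyword) get their own entry."""
    out = {}
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:  # object field: recurse into its children
            out.update(flatten_fields(spec["properties"], path + "."))
            continue
        out[path] = spec
        for sub, subspec in spec.get("fields", {}).items():
            out[path + "." + sub] = subspec
    return out


def aggregation_problems(mapping_response, request_body):
    """For each terms-aggregation field in request_body, report why the live
    mapping would reject it, as (index, field, mapped_type, suggestion)."""
    problems = []
    for index_name, body in mapping_response.items():
        fields = flatten_fields(body["mappings"].get("properties", {}))
        for agg in request_body.get("aggs", {}).values():
            field = agg.get("terms", {}).get("field")
            if field is None:
                continue
            spec = fields.get(field)
            if spec is None:
                problems.append((index_name, field, None, "field absent from index mapping"))
            elif spec.get("type") == "text" and not spec.get("fielddata", False):
                hint = (f"aggregate on {field}.keyword" if field + ".keyword" in fields
                        else "remap the field to keyword in the template and reindex")
                problems.append((index_name, field, "text", hint))
    return problems


if __name__ == "__main__":
    for problem in aggregation_problems(SAMPLE_MAPPING, AGG_CLIENTIP):
        print(*problem)
```

A field that is `text` with no `.keyword` multi-field, as `ClientIP` is here, can only be fixed by remapping and reindexing, which is what the steps above do; `fielddata=true` is the memory-hungry alternative the error message mentions.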

Serhii Zahuba

Dec 29, 2025, 7:33:26 AM
to Wazuh | Mailing List
Hello. Thank you for your quick answer, but it didn't help.

I have

},
              "ClientIP": {
                "type": "keyword"
              },

in /etc/filebeat/wazuh-template.json


I also tried completely deleting the index - the system created a new one - the same problem.


On Monday, 29 December 2025 at 13:06:41 UTC+2, Stuti Gupta wrote: