Wazuh Dashboard Stopped Visualizing Alerts


Micah Still

Feb 9, 2026, 11:44:58 PM
to Wazuh | Mailing List
Good morning,

My Wazuh standalone deployment was reporting alerts seamlessly last week. When I checked it this morning it came up with this error when I tried to look at the overview section of the WebGUI:

"[WazuhError]: search_phase_execution_exception: [illegal_argument_exception] Reason: Text fields are not optimized for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [manager.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory."

I've done some troubleshooting with editing the frequent alerts and the alerts severity visualizations params from text files to .keyword. However, this has not solved the issue.

Any suggestions for next steps would be greatly appreciated.

Thanks,
Micah S.


Md. Nazmur Sakib

Feb 10, 2026, 12:25:09 AM
to Wazuh | Mailing List

Hi Micah,

The cause of the error is that the Wazuh dashboard is doing some operations, like aggregations or sorting, on string fields not mapped as keyword.


The thing is that the keyword is already the default mapping in the standard Wazuh template for manager.name


Can you please check if you have the standard Wazuh template in place?


Check this file on the Wazuh Manager’s server /etc/filebeat/wazuh-template.json 


You should find a configuration like this.

      "manager": {
        "properties": {
          "name": {
            "type": "keyword"
          }
        }
      },

Refer: https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html#configuring-filebeat


Please check the template as it exists in the Wazuh indexer cluster state by using the following API call against the Wazuh Indexer.  It should resemble what you have in the wazuh-template.json file.

GET /_template/wazuh


The following lines should be there

    "settings": {
      "index": {
        "mapping": {
          "total_fields": {
            "limit": "10000"
          }
        },

-----------------

        "manager": {
          "properties": {
            "name": {
              "type": "keyword"
            }
          }
        },

If you don't see sections like this with "10000" and "keyword" then it appears either your wazuh-template.json file is not being pushed to the indexer, or you have some other template that is overriding the wazuh template.


Also, please run the following command at Indexer Management > Dev Tools :


GET /_cat/templates?v


With this, you will be able to see all of your templates

And run this command to check if the manager.name field is mapped as a keyword for the affected indices.

GET /wazuh-alerts-<affectedindicedate>/_mapping/field/manager.name


If the field is not mapped as a keyword, try reindexing those indices.

Ex:

Go to Indexer Management > Dev Tools

Make a backup index.

POST _reindex
{
  "source": {
    "index": "wazuh-alerts-4.x-2026.02.05"
  },
  "dest": {
    "index": "wazuh-alerts-4.x-backup"
  }
}



Delete the main index

DELETE /wazuh-alerts-4.x-2026.02.05



Create the main index from back-up

POST _reindex
{
  "source": {
    "index": "wazuh-alerts-4.x-backup"
  },
  "dest": {
    "index": "wazuh-alerts-4.x-2026.02.05"
  }
}



Delete the backup index

DELETE /wazuh-alerts-4.x-backup


Ref:

https://documentation.wazuh.com/current/user-manual/wazuh-indexer/re-indexing.html



I will look forward to your update on this.
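
The checks described in the reply above, as an added example that is not part of the original thread or of Wazuh's own tooling: it inspects the JSON returned by `GET /_template/wazuh` and by the field-mapping call and lists the indices that would need reindexing. The response shapes, the wildcard form of the mapping request, the sample data and the function names are assumptions.

```python
# Constructed sample of a GET /_template/wazuh response (assumed shape).
TEMPLATE_RESPONSE = {"wazuh": {
    "settings": {"index": {"mapping": {"total_fields": {"limit": "10000"}}}},
    "mappings": {"properties": {
        "manager": {"properties": {"name": {"type": "keyword"}}}}},
}}

# Constructed sample of GET /wazuh-alerts-*/_mapping/field/manager.name (made-up indices).
FIELD_RESPONSE = {
    "wazuh-alerts-4.x-2026.02.04": {"mappings": {"manager.name": {
        "full_name": "manager.name",
        "mapping": {"name": {"type": "keyword"}}}}},
    "wazuh-alerts-4.x-2026.02.05": {"mappings": {"manager.name": {
        "full_name": "manager.name",
        "mapping": {"name": {"type": "text", "fields": {
            "keyword": {"type": "keyword", "ignore_above": 256}}}}}}},
    "wazuh-alerts-4.x-2026.02.06": {"mappings": {}},  # field absent here
}

def check_template(resp, name="wazuh"):
    """Return the problems found in the template stored in the indexer."""
    tpl = resp.get(name)
    if tpl is None:
        return [f"template '{name}' not found"]
    problems = []
    limit = (tpl.get("settings", {}).get("index", {}).get("mapping", {})
             .get("total_fields", {}).get("limit"))
    if str(limit) != "10000":
        problems.append(f"total_fields.limit is {limit!r}, expected '10000'")
    props = tpl.get("mappings", {}).get("properties", {})
    ftype = props.get("manager", {}).get("properties", {}).get("name", {}).get("type")
    if ftype != "keyword":
        problems.append(f"manager.name is {ftype!r}, expected 'keyword'")
    return problems

def field_types(resp, field="manager.name"):
    """Map each index to the field's mapped type (None if unmapped)."""
    leaf = field.rsplit(".", 1)[-1]
    return {index: body.get("mappings", {}).get(field, {})
                       .get("mapping", {}).get(leaf, {}).get("type")
            for index, body in resp.items()}

def indices_to_reindex(resp, field="manager.name"):
    """Indices where the field is mapped as something other than keyword."""
    return sorted(i for i, t in field_types(resp, field).items()
                  if t not in (None, "keyword"))

if __name__ == "__main__":
    print(check_template(TEMPLATE_RESPONSE), indices_to_reindex(FIELD_RESPONSE))
```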