Wazuh Dashboard Stopped Visualizing Alerts


Micah Still

Feb 9, 2026, 11:44:58 PM
to Wazuh | Mailing List
Good morning,

My Wazuh standalone deployment was reporting alerts seamlessly last week. When I checked it this morning it came up with this error when I tried to look at the overview section of the WebGUI:

"[WazuhError]: search_phase_execution_exception: [illegal_argument_exception] Reason: Text fields are not optimized for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [manager.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory."

I've done some troubleshooting with editing the frequent alerts and the alerts severity visualizations params from text files to .keyword. However, this has not solved the issue.

Any suggestions for next steps would be greatly appreciated.

Thanks,
Micah S.


Md. Nazmur Sakib

Feb 10, 2026, 12:25:09 AM
to Wazuh | Mailing List

Hi Micah,

The cause of the error is that the Wazuh dashboard is doing some operations, like aggregations or sorting, on string fields not mapped as keyword.


The thing is that the keyword is already the default mapping in the standard Wazuh template for manager.name


Can you please check if you have the standard Wazuh template in place?


Check this file on the Wazuh Manager’s server /etc/filebeat/wazuh-template.json 


You should find a configuration like this.

      "manager": {
        "properties": {
          "name": {
            "type": "keyword"
          }
        }
      },

Refer: https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html#configuring-filebeat


Please check the template as it exists in the Wazuh indexer cluster state by using the following API call against the Wazuh Indexer.  It should resemble what you have in the wazuh-template.json file.

GET /_template/wazuh


The following lines should be there

    "settings": {
      "index": {
        "mapping": {
          "total_fields": {
            "limit": "10000"
          }
        },

    ----------------

        "manager": {
          "properties": {
            "name": {
              "type": "keyword"
            }
          }
        },

If you don't see sections like this with "10000" and "keyword" then it appears either your wazuh-template.json file is not being pushed to the indexer, or you have some other template that is overriding the wazuh template.


Also, please run the following command at Indexer Management > Dev Tools :


GET /_cat/templates?v


With this, you will be able to see all of your templates

And run this command to check if the manager.name field is mapped as a keyword for the affected indices.

GET /wazuh-alerts-<affectedindicedate>/_mapping/field/manager.name


If the field is not mapped as a keyword, try reindexing those indices.

Ex:

Go to Indexer Management > Dev Tools

Make a backup index.

POST _reindex
{
  "source": {
    "index": "wazuh-alerts-4.x-2026.02.05"
  },
  "dest": {
    "index": "wazuh-alerts-4.x-backup"
  }
}



Delete the main index

DELETE /wazuh-alerts-4.x-2026.02.05



Create the main index from back-up

POST _reindex
{
  "source": {
    "index": "wazuh-alerts-4.x-backup"
  },
  "dest": {
    "index": "wazuh-alerts-4.x-2026.02.05"
  }
}



Delete the backup index

DELETE /wazuh-alerts-4.x-backup


Ref:

https://documentation.wazuh.com/current/user-manual/wazuh-indexer/re-indexing.html



I will look forward to your update on this.
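
The checks described in the reply above can be scripted against saved Dev Tools output. This is an added example, not part of the original thread or Wazuh's own tooling; the two sample responses are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample of a GET /_template/wazuh response in which the
# "manager" mapping is missing from the template held by the indexer.
TEMPLATE_RESPONSE = json.loads("""
{"wazuh": {"order": 0,
  "index_patterns": ["wazuh-alerts-4.x-*", "wazuh-archives-4.x-*"],
  "settings": {"index": {"mapping": {"total_fields": {"limit": "10000"}}}},
  "mappings": {"properties": {"agent": {"properties": {"name": {"type": "keyword"}}}}}}}
""")

# Constructed sample of GET /wazuh-alerts-*/_mapping/field/manager.name
FIELD_RESPONSE = json.loads("""
{"wazuh-alerts-4.x-2026.02.05": {"mappings": {"manager.name": {"full_name": "manager.name",
   "mapping": {"name": {"type": "text", "fields": {"keyword": {"type": "keyword"}}}}}}},
 "wazuh-alerts-4.x-2026.02.04": {"mappings": {"manager.name": {"full_name": "manager.name",
   "mapping": {"name": {"type": "keyword"}}}}}}
""")

def template_problems(response, name="wazuh", field="manager.name"):
    """Return deviations from the "10000" and "keyword" settings quoted above."""
    tpl = response.get(name)
    if tpl is None:
        return [f"template '{name}' not found"]
    problems = []
    limit = (tpl.get("settings", {}).get("index", {}).get("mapping", {})
             .get("total_fields", {}).get("limit"))
    if str(limit) != "10000":
        problems.append(f"total_fields.limit is {limit!r}, expected '10000'")
    node = tpl.get("mappings", {})
    for part in field.split("."):  # walk manager -> name through "properties"
        node = node.get("properties", {}).get(part, {})
    if node.get("type") != "keyword":
        problems.append(f"{field} is {node.get('type')!r} in the template, expected 'keyword'")
    return problems

def indices_to_reindex(response, field="manager.name"):
    """Return the indices whose field is missing or not mapped as keyword."""
    leaf = field.rsplit(".", 1)[-1]  # the field-mapping API keys by leaf name
    bad = []
    for index, body in sorted(response.items()):
        mapping = body.get("mappings", {}).get(field, {}).get("mapping", {})
        if mapping.get(leaf, {}).get("type") != "keyword":
            bad.append(index)
    return bad

if __name__ == "__main__":
    print(template_problems(TEMPLATE_RESPONSE))
    print(indices_to_reindex(FIELD_RESPONSE))
```

An index that reports `text` with a `keyword` sub-field was created by dynamic mapping rather than from the template, and is the kind that needs the reindex steps.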

Micah Still

Feb 13, 2026, 12:08:59 PM
to Md. Nazmur Sakib, Wazuh | Mailing List
Good morning Nazmur,

This is what I was able to find:



Wazuh template in Manager: Standard

Wazuh template in Indexer: Different template (missing manager node)

Templates: wazuh, wazuh-statistics, wazuh-agent, wazuh-ism-template
- wazuh template seems to have been edited by a custom index pattern I created last week:

"[wazuh-alerts-4.x-*, wazuh-archives-4.x-*]"

Affected indices mapping: Keyword

Thanks,
Micah S.


Md. Nazmur Sakib

Feb 16, 2026, 1:36:22 AM
to Wazuh | Mailing List

You can remove the custom template you have added and reindex the indices to resolve the search_phase_execution_exception.

Next, you can share the custom template you have added so that we can review it and share feedback.

Looking forward to your update.

Micah Still

Feb 17, 2026, 11:28:17 AM
to Wazuh | Mailing List
I have attached a picture of the wazuh-ism-template that we created and a txt file of the altered wazuh template. 

To reindex should I copy and paste what is saved in the filebeat wazuh-template.json? Or should that be done automatically?
wazuh-custom template.PNG

Md. Nazmur Sakib

Feb 18, 2026, 8:24:43 AM
to Wazuh | Mailing List

Go to  Indexer Management > Dev Tools

Remove misconfigured ISM policy from your indices with this command.

POST _plugins/_ism/remove/wazuh-*

Ref: Remove policy from index


Next, reindex the conflict indices one by one following this doc.

Ref: Re-indexing


The steps will be similar to this.

Make a backup index.

POST _reindex
{
  "source": {
    "index": "wazuh-alerts-4.x-2026.02.05"
  },
  "dest": {
    "index": "wazuh-alerts-4.x-backup"
  }
}



Delete the main index

DELETE /wazuh-alerts-4.x-2026.02.05



Create the main index from back-up

POST _reindex
{
  "source": {
    "index": "wazuh-alerts-4.x-backup"
  },
  "dest": {
    "index": "wazuh-alerts-4.x-2026.02.05"
  }
}



Delete the backup index

DELETE /wazuh-alerts-4.x-backup



Let me know if you need any further information.

Micah Still

Feb 18, 2026, 2:48:34 PM
to Wazuh | Mailing List
Hi Nazmur,

I was able to get my dashboard alerting again! Thank you for your assistance.

For future reference, what would be best practice for creating retention policies in Wazuh? I'm guessing I want to stay away from using ism templates that are set to a priority higher than my default wazuh template but aside from that, what would you advise?

Thanks,
Micah S.

Micah Still

Feb 18, 2026, 2:48:35 PM
to Wazuh | Mailing List
Hello, Nazmur,

I was able to reindex the indices and the dashboard is reporting again.

Moving forward, what would be the best way to create a retention policy in Wazuh? Is there a certain process that needs to be followed beyond what's mentioned in the official documentation?

Thanks,
Micah S.

Md. Nazmur Sakib

Feb 20, 2026, 12:00:30 AM
to Wazuh | Mailing List

You can follow this document to make a retention policy with the help of ISM.

https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster/index-lifecycle-management.html

If you configure following this document, you do not need to do anything additionally.

Let me know if you need any further assistance on this.
