Fields not being refreshed

[Yossif Helmy]

Hello All,

Some fields are not being refreshed in Wazuh even after refreshing them from the wazuh-archives-* index pattern multiple times.

I even added them to a custom template so it can be created in each index every day

But still, I have the same problem with them not being registered in the index pattern

My Wazuh version is v4.7.4, and I have had this option since before due to another issue of the mappings not being cached, so I added this:

server.maxPayloadBytes: 2097152  # 2 MB (default is 1 MB = 1048576)

To /etc/wazuh-dashboard/opensearch_dashboards.yml

Thank you.

[Benjamin Nworah]

Dear Yossif,

Please can you run these commands via the Dev Tool:

1 GET _cat/indices?v
2 GET wazuh-archivess-*/_mapping/field/data.alienvault.id

3 GET wazuh-archivess-*/_mapping/field/data.alienvault.created

From the warning message, you might have to perform re-indexing to see these fields. Please follow the below steps via Dev Tools to reindex your data.

1. Backup your data:

POST _reindex
{
  "source": {
    "index": "wazuh-archives-4.x-2025.08.28"
  },
  "dest": {
    "index": "wazuh-archives-4.x-backup"
  }
}

2.  Delete the wazuh-archives-4.x-2025.08.28

DELETE / wazuh-archives-4.x-2025.08.28

3. Re-index the data from the backup index wazuh-archives-4.x-backup to a new index with the original name wazuh-archives-4.x-2025.08.28.

POST _reindex
{
  "source": {
    "index": "wazuh-archives-4.x-backup"
  },
  "dest": {
    "index": "wazuh-archives-4.x-2025.08.28"
  }
}

4.   Delete the backup created earlier:

DELETE /wazuh-archives-4.x-backup

5. Try again to see if the data.alienvault.* fields are registered now.

[Benjamin Nworah]

Dear Yossif,

Please confirm if the issue is resolved.

[Yossif Helmy]

Hello Benjamin,

I hope you're doing well.

Unfortunately, not. Here's the data that you requested:

I didn't include the first one because it contained a lot of unrelated outputs. So this proves that the indices have their fields mapped. However, it is still not updated in the index pattern.

I'm looking forward to hearing back from you.

Best Regards,

[Yossif Helmy]

To also add. Reindexing won't fix it because the problem is related to the index patterns.

[Benjamin Nworah]

Dear Yossif,

Thank you for sharing the requested information.

Please did you reindex the data as recommended? Also, after reindexing, restart the following Wazuh services.

. systemctl restart wazuh-indexer

. systemctl restart wazuh-manager

. systemctl restart wazuh-dashboard

After the above, search for the fields again.

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/d70a745d-8c5d-4fe3-8d11-fa8f51b1e002n%40googlegroups.com.

[Yossif Helmy]

The Wazuh components differ from the OpenSearch components. Restarting them won't make a difference.

[Benjamin Nworah]

Hello Yossif,

Kindly confirm you have completed the above steps.

Thank you,

To view this discussion visit https://groups.google.com/d/msgid/wazuh/8e46754e-725c-44e1-a07a-20f123c0237en%40googlegroups.com.

[Yossif Helmy]

Thank you, Benjamin. I would like to close the ticket.