error indeer template

20 views
Skip to first unread message

Tengku Arya Saputra

unread,
12:54 AM (21 hours ago) 12:54 AM
to Wazuh | Mailing List
I am having problems with the indexer in all of my dashboard menus. Please help me restore everything to normal.
Screenshot 2026-02-25 104114.png

This is happening not only in the Mitre dashboard but in all of them. I will provide an example of the request and res

Regards
response.txt
request.txt

Bony V John

unread,
1:12 AM (21 hours ago) 1:12 AM
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Bony V John

unread,
2:05 AM (20 hours ago) 2:05 AM
to Wazuh | Mailing List

Hi,

From the details you shared, the issue appears to be related to a field mapping problem, specifically affecting the manager.name field. That is likely why the visualizations for those indices are failing.

The Wazuh dashboard visualizations use the manager.name field as a filter across multiple panels. If manager.name is not mapped as keyword, queries that rely on exact-match filtering can fail and impact multiple visualizations.

Before proceeding, please confirm whether you made any changes to:

  • the wazuh-alerts index template

  • Filebeat template (wazuh-template.json)

  • ingest pipelines

  • or any other settings

If yes, please share what was changed.


Compare mappings in an older working index vs the failing index

On the Wazuh dashboard: Hamburger icon (top-left) > Indexer management > Dev Tools

Run this for a known working alerts index:

GET wazuh-alerts-4.x-<old-index-date>/_mapping

Replace <old-index-date> with an older index date that is working.

In the output, search for manager and verify it looks like this:

        "manager": {
          "properties": {
            "name": {
              "type": "keyword"
            }
          }

Then run the same command for one of the failing indices:  
GET wazuh-alerts-4.x-<failing-index-date>/_mapping
Check whether manager.name is still keyword or if it has become text (or something else). Please share both outputs.  

If manager.name is not keyword, fix the template and reindex

On the Wazuh manager server, open: /etc/filebeat/wazuh-template.json

Search for the manager field and verify that manager.name is mapped as:

"type": "keyword"

If it is not, update it to keyword, then apply the template changes and restart Filebeat:  
filebeat setup --pipelines
systemctl restart filebeat

After that, you will need to reindex the affected indices so the corrected mapping is applied . You can refer to the Wazuh reindexing documentation for the exact steps.  

 If the issue still persists, share the following

  • The full /etc/filebeat/wazuh-template.json file.

  • The mapping output for:

    • one old working index (.../_mapping)

    • one failing index (.../_mapping)

These details will help us confirm the root cause and guide the correct fix.

Tengku Arya Saputra

unread,
3:47 PM (7 hours ago) 3:47 PM
to Wazuh | Mailing List
Hello Bony,

I will give you my old indexer, which has no errors, at the end of 2025, and the new one, which has errors, in 2026.

GET wazuh-alerts-4.x-2025.12.16/_mapping -> old indexer
GET wazuh-alerts-4.x-2026.02.25/_mapping -> failing index

I will also give you the Wazuh template file. Can you help analyze this?

failing index error.json
wazuh-template.json
old_working_index.json
Reply all
Reply to author
Forward
0 new messages