Elastic 7.9.1 - Security (SIEM) - Your visualization has error(s) - [illegal_argument_exception]

Hi @Andrew_G

I am seeing some strange behaviour. It seems like the template is being ignored.

I will step through what I have done. (I am testing only with Winlogbeat to make it easier)

DELETE /_template/winlogbeat-*
DELETE /winlogbeat-*

GET _template/winlogbeat-7.9.2/
{}
GET /winlogbeat-*
{}

Everything cleared out
Run setup to create the template

GET _template/winlogbeat-7.9.2/
    ...
    "event" : {
      "properties" : {
        "severity" : {
          "type" : "long"
        },
        "code" : {
          "ignore_above" : 1024,
          "type" : "keyword"
        },
        "original" : {
          "ignore_above" : 1024,
          "type" : "keyword"
        },
        "risk_score" : {
          "type" : "float"
        },
        "timezone" : {
          "ignore_above" : 1024,
          "type" : "keyword"
        },
        "created" : {
          "type" : "date"
        },
        "kind" : {
          "ignore_above" : 1024,
          "type" : "keyword"
        },
        "module" : {
          "ignore_above" : 1024,
          "type" : "keyword"
        },
        ...

As we can see, it created the template with event.module as a keyword.

Index is still empty at this point.

GET /winlogbeat-*/_mapping/field/event.module
{ }

Ingest some data ...

{
  "winlogbeat-7.9.2" : {
    "mappings" : {
      "event.module" : {
        "full_name" : "event.module",
        "mapping" : {
          "module" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          }
        }
      }
    }
  }
}

Problem is still there.

In short, the template is correct, but the index is created with the incorrect field type.

Any ideas? Thanks again, I really appreciate all the help.

Cheers!
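Added example (not from the post above or from Elastic): a small Python checker that compares a template's field mapping with the mapping the index actually got, and also checks whether the index name even matches the template's index_patterns, since a non-matching name is a common reason a template appears to be ignored. The template's index_patterns value (winlogbeat-7.9.2-*) is assumed here because the post does not show it; the mapping bodies are constructed from the JSON in the post.

```python
from fnmatch import fnmatchcase

# Constructed sample of what GET _template/winlogbeat-7.9.2 might return.
# index_patterns is an ASSUMPTION (the post does not show it).
TEMPLATE = {
    "winlogbeat-7.9.2": {
        "index_patterns": ["winlogbeat-7.9.2-*"],  # assumed, not from the post
        "mappings": {"properties": {"event": {"properties": {
            "module": {"type": "keyword", "ignore_above": 1024}}}}},
    }
}

# Constructed from the GET /winlogbeat-*/_mapping/field/event.module output.
FIELD_MAPPING = {
    "winlogbeat-7.9.2": {"mappings": {"event.module": {
        "full_name": "event.module",
        "mapping": {"module": {"type": "text", "fields": {
            "keyword": {"type": "keyword", "ignore_above": 256}}}}}}}
}


def template_field_type(template_body, field):
    """Walk mappings.properties for a dotted field name; None if absent."""
    node = template_body.get("mappings", {})
    for part in field.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node.get("type")


def index_field_type(field_response, index, field):
    """Type the index actually assigned to the field; None if unmapped."""
    entry = field_response.get(index, {}).get("mappings", {}).get(field)
    if not entry:
        return None
    return entry["mapping"][field.split(".")[-1]].get("type")


def diagnose(template_response, field_response, index, field):
    """Return findings explaining why the index mapping may differ from the template."""
    findings = []
    for name, body in template_response.items():
        patterns = body.get("index_patterns", [])
        if not any(fnmatchcase(index, p) for p in patterns):
            findings.append(f"template {name} does not match index {index}: patterns={patterns}")
        expected = template_field_type(body, field)
        actual = index_field_type(field_response, index, field)
        if expected and actual and expected != actual:
            findings.append(f"{field}: template says {expected}, index has {actual} (dynamic mapping?)")
    return findings
```

Run it against real responses by loading the JSON from the two GET calls in place of the constructed dictionaries; an empty result means the template matched and the field type agrees.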