We are running Detection Rules to search for IOCs in firewall logs (using Indicator Match). The firewall logs have a field named service. Every time there is a match, the following error is seen:
Bulk Indexing of signals failed: object mapping for [service] tried to parse field [service] as object, but found a concrete value
Based on similar topics on this and other forums, a solution offered is to rename the field (service).
The present index mapping for the field is:
"service": {
  "type": "text",
  "fields": {
    "keyword": {
      "type": "keyword",
      "ignore_above": 256
    }
  }
}
Say we were to rename the field: is there a way to rename it in the existing Elasticsearch indices (old data)?
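The way this is usually done for old data is not an in-place mapping change (Elasticsearch cannot turn an existing text field into an object) but a reindex through an ingest pipeline whose rename processor moves the concrete service value into a new field, so the signals index, which maps service as an ECS object (service.name etc.), no longer receives a string there. The script below is an added example and not code from the original post or from Elastic: it checks a mapping for exactly this leaf-versus-object conflict, builds the pipeline and _reindex request bodies, models what the rename processor does to each document (including the missing-field and target-already-present cases), and can drive a real cluster through urllib. The target field name firewall_service, the pipeline id, the index names and the sample documents are all assumptions made for illustration.

```python
"""Rename a concrete `service` field in old firewall logs before reindexing.

Added example, not from the original post or from Elastic. Assumes the
Elasticsearch 7.x REST API (PUT _ingest/pipeline, POST _reindex); the target
field name, pipeline id and index names are placeholders chosen here.
"""
import json
import urllib.request

SOURCE_FIELD = "service"                 # concrete text field in the firewall index
TARGET_FIELD = "firewall_service"        # assumed new name; not an ECS object field
PIPELINE_ID = "rename-firewall-service"  # hypothetical pipeline id

# Mapping fragment as posted, wrapped the way GET <index>/_mapping returns it
# (constructed copy for the example).
POSTED_MAPPING = {
    "mappings": {
        "properties": {
            "service": {
                "type": "text",
                "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
            }
        }
    }
}


def field_conflicts_with_object(mapping: dict, field: str) -> bool:
    """True when `field` is mapped as a leaf (text, keyword, ...) not an object.

    Accepts either {"mappings": {"properties": ...}} or {"properties": ...}.
    A leaf mapping here is the condition behind "tried to parse field
    [service] as object, but found a concrete value": the signals index
    expects an object, the source document carries a string.
    """
    props = mapping.get("mappings", mapping).get("properties", {})
    spec = props.get(field)
    if spec is None:
        return False
    # An object mapping has "properties" and either no "type" or type "object".
    return spec.get("type", "object") not in ("object", "nested")


def rename_pipeline() -> dict:
    """Body for PUT _ingest/pipeline/<PIPELINE_ID> using the rename processor."""
    return {
        "description": f"Move concrete {SOURCE_FIELD} into {TARGET_FIELD}",
        "processors": [
            {"rename": {"field": SOURCE_FIELD, "target_field": TARGET_FIELD,
                        "ignore_missing": True}}
        ],
    }


def reindex_body(src_index: str, dest_index: str) -> dict:
    """Body for POST _reindex; the pipeline runs on every document copied."""
    return {"source": {"index": src_index},
            "dest": {"index": dest_index, "pipeline": PIPELINE_ID}}


def apply_rename(doc: dict) -> dict:
    """Local model of the rename processor on one _source document.

    Mirrors the processor's behaviour: a missing source field is skipped
    (ignore_missing), an already-present target field is an error.
    """
    out = dict(doc)
    if SOURCE_FIELD in out:
        if TARGET_FIELD in out:
            raise ValueError(f"field [{TARGET_FIELD}] already exists")
        out[TARGET_FIELD] = out.pop(SOURCE_FIELD)
    return out


def es_request(base_url: str, method: str, path: str, body=None) -> dict:
    """Minimal JSON call to the cluster (no auth; add headers as needed)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def migrate(base_url: str, src_index: str, dest_index: str) -> dict:
    """Create the pipeline, then reindex old data through it into dest_index."""
    es_request(base_url, "PUT", f"/_ingest/pipeline/{PIPELINE_ID}", rename_pipeline())
    return es_request(base_url, "POST", "/_reindex",
                      reindex_body(src_index, dest_index))


if __name__ == "__main__":
    # Constructed sample firewall documents, not real log data.
    samples = [
        {"service": "ssh", "source": {"ip": "10.0.0.5"}},
        {"source": {"ip": "10.0.0.6"}},
    ]
    print("conflict:", field_conflicts_with_object(POSTED_MAPPING, "service"))
    for d in samples:
        print(json.dumps(apply_rename(d)))
    # To run against a cluster (placeholder names):
    # migrate("http://localhost:9200", "firewall-logs-old", "firewall-logs-v2")
```

Create the destination index with an explicit mapping before running migrate, otherwise dynamic mapping decides the type of the new field; then point the rule's index pattern at the new index. If reindexing is not an option, the same rename can be applied in place with _update_by_query and a Painless script (ctx._source.firewall_service = ctx._source.remove('service')); that clears the value from each document, which is enough to stop the signal write from failing, but the old text mapping for service stays in that index.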