Hi all,
I'm using Filebeat 7.3.1 with Elastic Cloud 7.3.0 and the Authentications pane (in SIEM app) is empty (despite being able to view them in Discover / filebeat index.
When I inspect the response in the SIEM app I get :
type": "illegal_argument_exception",
"reason": "Fielddata is disabled on text fields by default
The index template is loaded so not sure why this is happening? Same is happening on Auditbeat
Most likely user.name is a text field when it should be keyword. Have you loaded the templates for Auditbeat and Filebeat using the setup command? Do they contain this section:
{
"strings_as_keyword" : {
"mapping" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"match_mapping_type" : "string"
}
}
That should ensure that user.name (and all other string fields) is a keyword field.
Ideally, you could fix the templates and reindex the data so it's all keyword fields. You could also keep your current data and enable fielddata as described in https://www.elastic.co/guide/en/elasticsearch/reference/current/fielddata.html#enable-fielddata-text-fields.
Thanks @cwurm! Yes I've run the setup command, deleted all filebeat indexes. Here's the template current filebeat template.
If I inspect the mapping for user :
"user": {
"properties": {
"name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
I'm stumped for now...any other suggestions? Re-indexing doesn't appeal as I can just delete my indexes as I can do without the data for a little while, but hopefully not much longer!
Here are the steps I took to fix the problem :
sudo filebeat setup on a nodeThis topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.