I'm using Filebeat 7.3.1 with Elastic Cloud 7.3.0 and the Authentications pane (in SIEM app) is empty (despite being able to view them in Discover / filebeat index).
When I inspect the response in the SIEM app I get:
"type": "illegal_argument_exception",
"reason": "Fielddata is disabled on text fields by default
The index template is loaded so not sure why this is happening? Same is happening on Auditbeat.
Most likely user.name is a text field when it should be keyword. Have you loaded the templates for Auditbeat and Filebeat using the setup command? Do they contain this section:
I'm stumped for now...any other suggestions? Re-indexing doesn't appeal as I can just delete my indexes as I can do without the data for a little while, but hopefully not much longer!
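Added example, not part of the original thread and not Elastic's code: one way to see which backing indices carry `user.name` as `text` (the condition behind the "Fielddata is disabled" error) is to audit the output of the field-mapping API. The sample response below is constructed, shaped like a 7.x `GET filebeat-*/_mapping/field/user.name` reply; the index names and the helper names `audit_field` and `offending_indices` are assumptions.

```python
import json

# Constructed sample shaped like the 7.x response of
#   GET filebeat-*/_mapping/field/user.name
# Index names and mappings are made up for illustration.
SAMPLE_RESPONSE = json.loads("""
{
  "filebeat-7.3.1-2019.09.01": {"mappings": {"user.name": {
    "full_name": "user.name",
    "mapping": {"name": {"type": "text",
      "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}}}}},
  "filebeat-7.3.1-2019.09.10-000001": {"mappings": {"user.name": {
    "full_name": "user.name",
    "mapping": {"name": {"type": "keyword", "ignore_above": 1024}}}}},
  "filebeat-7.3.1-2019.08.30": {"mappings": {}}
}
""")


def audit_field(response, field):
    """Return {index: verdict} for one field across every index in the response."""
    leaf = field.rsplit(".", 1)[-1]  # the API keys the inner mapping by leaf name
    verdicts = {}
    for index, body in sorted(response.items()):
        entry = body.get("mappings", {}).get(field)
        if entry is None:
            verdicts[index] = "unmapped"  # field absent from this index's mapping
            continue
        spec = entry["mapping"][leaf]
        if spec.get("type") == "text" and not spec.get("fielddata", False):
            # text + keyword sub-field is what dynamic mapping produces when the
            # index was created without the Beats template; aggregating on the
            # text field itself is rejected.
            verdicts[index] = "text (aggregation fails)"
        else:
            verdicts[index] = spec.get("type", "object")
    return verdicts


def offending_indices(response, field):
    """Indices whose mapping would make an aggregation on `field` fail."""
    return [i for i, v in audit_field(response, field).items() if v.startswith("text")]


if __name__ == "__main__":
    for index, verdict in audit_field(SAMPLE_RESPONSE, "user.name").items():
        print(f"{index}: {verdict}")
```

A single index flagged as `text` inside the queried pattern is enough to make the aggregation fail, even when newer indices picked up the template correctly.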